Edit tour

Linux Analysis Report
zerarm.elf

Overview

General Information

Sample name:	zerarm.elf
Analysis ID:	1643344
MD5:	53a7730024a372b059073ec98bb46943
SHA1:	51e0210b8fb30e65438948d1465494dbc556d071
SHA256:	b87d8b0e184721c6e4363d128947448dd62f5e552318fe37390139c64f52e6e9
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1643344
Start date and time:	2025-03-19 19:27:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerarm.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@35/0

Runtime Messages

Command:	/tmp/zerarm.elf
PID:	6238
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerarm.elf (PID: 6238, Parent: 6156, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zerarm.elf

zerarm.elf New Fork (PID: 6240, Parent: 6238)

zerarm.elf New Fork (PID: 6242, Parent: 6240)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerarm.elf	Virustotal: Detection: 39%			Perma Link
Source: zerarm.elf	ReversingLabs: Detection: 38%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.23:45240 -> 104.248.47.182:1440
Source: global traffic	TCP traffic: 192.168.2.23:54356 -> 45.147.251.145:1440

Source: /tmp/zerarm.elf (PID: 6238)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72

Source: global traffic	DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic	DNS traffic detected: DNS query: watchmepull.dyn. [malformed]

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne >> > .d

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@35/0

Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1582/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/3088/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/230/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/231/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/232/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1579/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/233/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1699/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1335/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1698/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1334/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1576/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/2302/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/236/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/237/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/910/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/912/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/10/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/2307/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/11/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/918/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/12/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/13/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/14/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/15/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/16/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/17/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/18/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1594/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/120/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/121/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1349/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/122/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/243/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/123/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/2/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/124/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/3/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/4/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/125/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/126/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1344/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1465/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1586/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/127/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/6/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/248/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/128/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/249/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1463/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/800/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/6238/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/9/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/801/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/20/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/21/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1900/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/22/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/23/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/24/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/25/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/26/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/27/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/28/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/29/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/491/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/250/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/130/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/251/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/252/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/132/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/253/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/254/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/255/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/256/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1599/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/257/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1477/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/379/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/258/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1476/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/259/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1475/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/936/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/30/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/2208/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/35/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1809/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/1494/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/260/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/261/comm	Jump to behavior
Source: /tmp/zerarm.elf (PID: 6238)	File opened: /proc/141/comm	Jump to behavior

Source: /tmp/zerarm.elf (PID: 6238)

Queries kernel information via 'uname':

Jump to behavior

Source: zerarm.elf, 6238.1.00007ffd3bfd7000.00007ffd3bff8000.rw-.sdmp	Binary or memory string: rIx86_64/usr/bin/qemu-arm/tmp/zerarm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm.elf
Source: zerarm.elf, 6238.1.0000562531576000.00005625316c4000.rw-.sdmp	Binary or memory string: X1%V!/etc/qemu-binfmt/arm
Source: zerarm.elf, 6238.1.0000562531576000.00005625316c4000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm.elf, 6238.1.00007ffd3bfd7000.00007ffd3bff8000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerarm.elf	39%	Virustotal		Browse
zerarm.elf	39%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ohlookthereismyboats.geek	185.220.204.227	true	false		high
watchmepull.dyn. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.248.47.182	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
45.147.251.145	unknown	Germany	197518	RACKMARKTES	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	resgod.arc.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
91.189.91.42	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	resgod.arc.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
45.147.251.145	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ohlookthereismyboats.geek	splmips.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	jklmpsl.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	jklmips.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	arm.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	jklarm7.elf	Get hash	malicious	Unknown	Browse	193.143.1.116
	jklsh4.elf	Get hash	malicious	Unknown	Browse	159.89.101.70
	arm5.elf	Get hash	malicious	Unknown	Browse	64.227.79.152
	nabspc.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	splspc.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	nklx86.elf	Get hash	malicious	Unknown	Browse	159.89.101.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	resgod.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
DIGITALOCEAN-ASNUS	resgod.ppc.elf	Get hash	malicious	Mirai	Browse	206.189.186.139
	http://jcbajqjo.abdomed-ua.online/redirect/#ZDJsc2JtRkFjSEpsZEhkcGJDNWpieTU2WVE9PQ==&_blank	Get hash	malicious	Unknown	Browse	134.209.177.172
	https://trezzerwalletse.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	167.99.228.137
	https://surl.li/Pd-clientes	Get hash	malicious	Unknown	Browse	198.199.109.95
	https://billing-app-pago-group00.codeanyapp.com/21P.MN/auth/	Get hash	malicious	Unknown	Browse	198.199.109.95
	http://communaute-protestante-berlin.de/din	Get hash	malicious	Unknown	Browse	104.131.67.145
	http://marketplace-items-8236237852.hstn.me/	Get hash	malicious	Unknown	Browse	146.185.171.8
	https://w-si.link/LLddh9rL23sraRLUz	Get hash	malicious	HTMLPhisher	Browse	67.207.79.245
	https://surl.li/Pd-clientes	Get hash	malicious	Unknown	Browse	198.199.109.95
	https://billing-app-pago-group00.codeanyapp.com/21P.MN/auth/	Get hash	malicious	Unknown	Browse	198.199.109.95
CANONICAL-ASGB	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	resgod.arc.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
INIT7CH	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	resgod.arc.elf	Get hash	malicious	Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	5.986234634988445
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerarm.elf
File size:	47'496 bytes
MD5:	53a7730024a372b059073ec98bb46943
SHA1:	51e0210b8fb30e65438948d1465494dbc556d071
SHA256:	b87d8b0e184721c6e4363d128947448dd62f5e552318fe37390139c64f52e6e9
SHA512:	dedad2ac79feecb68576251a04edffd61a25a3a75fd15321252733084973ed36f7bed2c902bb105a2a31b51be8d0f6647fb2fb9969cc655037cc8672e3afe259
SSDEEP:	768:suCUY/EzsUu8RhUdMatyUXqAM76nuoshFNsRpklBgaXP:EUPzBatN6AXPyhXP
TLSH:	27230791B8818A13C5D4137FFA2F419D372563A8D2DF7213DD222F55778A82F0EAB641
File Content Preview:	.ELF...a..........(.........4...........4. ...(.........................................................$...........Q.td..................................-...L."....*..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	47056
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xac30	0x0	0x6	AX	16
.fini	PROGBITS	0x12ce0	0xace0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x12cf4	0xacf4	0x8d4	0x0	0x2	A	4
.ctors	PROGBITS	0x1b5cc	0xb5cc	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1b5d4	0xb5d4	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x1b5dc	0xb5dc	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x1b5e0	0xb5e0	0x1ac	0x0	0x3	WA	4
.bss	NOBITS	0x1b78c	0xb78c	0x264	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xb78c	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xb5c8	0xb5c8	6.0193	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xb5cc	0x1b5cc	0x1b5cc	0x1c0	0x424	2.3054	0x6	RW	0x8000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 98
• 1440 undefined
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 19:28:01.497498035 CET	43928	443	192.168.2.23	91.189.91.42
Mar 19, 2025 19:28:02.975697041 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:02.980479956 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:02.980535030 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:02.981820107 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:02.986515045 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:02.986563921 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:02.991271973 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:06.872766972 CET	42836	443	192.168.2.23	91.189.91.43
Mar 19, 2025 19:28:08.152654886 CET	42516	80	192.168.2.23	109.202.202.202
Mar 19, 2025 19:28:12.990725994 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:12.995985985 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:13.194849014 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:13.195162058 CET	45240	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:13.199939966 CET	1440	45240	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:14.661955118 CET	45242	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:14.666800022 CET	1440	45242	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:14.666873932 CET	45242	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:14.668112993 CET	45242	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:14.672858000 CET	1440	45242	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:14.672911882 CET	45242	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:14.677634001 CET	1440	45242	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:21.462858915 CET	43928	443	192.168.2.23	91.189.91.42
Mar 19, 2025 19:28:25.288137913 CET	1440	45242	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:25.288350105 CET	45242	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:28:25.293039083 CET	1440	45242	104.248.47.182	192.168.2.23
Mar 19, 2025 19:28:26.308554888 CET	54356	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:26.313251019 CET	1440	54356	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:26.313339949 CET	54356	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:26.314677954 CET	54356	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:26.319335938 CET	1440	54356	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:26.319413900 CET	54356	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:26.324085951 CET	1440	54356	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:33.749083996 CET	42836	443	192.168.2.23	91.189.91.43
Mar 19, 2025 19:28:36.928766012 CET	1440	54356	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:36.929069042 CET	54356	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:36.935740948 CET	1440	54356	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:37.844561100 CET	42516	80	192.168.2.23	109.202.202.202
Mar 19, 2025 19:28:37.970227003 CET	54358	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:37.977319002 CET	1440	54358	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:37.977401972 CET	54358	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:37.978415966 CET	54358	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:37.985461950 CET	1440	54358	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:37.985496998 CET	54358	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:37.991554022 CET	1440	54358	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:48.594579935 CET	1440	54358	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:48.594826937 CET	54358	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:48.599534035 CET	1440	54358	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:49.692038059 CET	54360	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:49.696693897 CET	1440	54360	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:49.696765900 CET	54360	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:49.697782040 CET	54360	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:49.702430964 CET	1440	54360	45.147.251.145	192.168.2.23
Mar 19, 2025 19:28:49.702500105 CET	54360	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:28:49.707120895 CET	1440	54360	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:00.317420006 CET	1440	54360	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:00.317857981 CET	54360	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:00.322546959 CET	1440	54360	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:01.414155960 CET	45250	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:01.418947935 CET	1440	45250	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:01.419023991 CET	45250	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:01.419801950 CET	45250	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:01.424570084 CET	1440	45250	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:01.424649954 CET	45250	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:01.429467916 CET	1440	45250	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:02.417100906 CET	43928	443	192.168.2.23	91.189.91.42
Mar 19, 2025 19:29:12.019030094 CET	1440	45250	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:12.019359112 CET	45250	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:12.024065971 CET	1440	45250	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:13.113435984 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:13.118230104 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:13.118302107 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:13.119335890 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:13.125226021 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:13.125288010 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:13.130973101 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:23.126224995 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:23.131040096 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:23.326589108 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:23.326948881 CET	45252	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:23.331713915 CET	1440	45252	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:24.430335999 CET	45254	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:24.435113907 CET	1440	45254	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:24.435198069 CET	45254	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:24.436425924 CET	45254	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:24.441153049 CET	1440	45254	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:24.441221952 CET	45254	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:24.446886063 CET	1440	45254	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:35.002727032 CET	1440	45254	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:35.003169060 CET	45254	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:35.008037090 CET	1440	45254	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:36.129827023 CET	45256	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:36.134602070 CET	1440	45256	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:36.134711027 CET	45256	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:36.136178017 CET	45256	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:36.140935898 CET	1440	45256	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:36.141014099 CET	45256	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:36.146358013 CET	1440	45256	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:46.722345114 CET	1440	45256	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:46.722714901 CET	45256	1440	192.168.2.23	104.248.47.182
Mar 19, 2025 19:29:46.728349924 CET	1440	45256	104.248.47.182	192.168.2.23
Mar 19, 2025 19:29:47.740912914 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:47.745624065 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:47.745707989 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:47.746402979 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:47.751027107 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:47.751076937 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:47.755666018 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:58.365775108 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:58.366046906 CET	54370	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:58.370826006 CET	1440	54370	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:59.829375029 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:59.834122896 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:59.834220886 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:59.835342884 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:59.839955091 CET	1440	54372	45.147.251.145	192.168.2.23
Mar 19, 2025 19:29:59.840024948 CET	54372	1440	192.168.2.23	45.147.251.145
Mar 19, 2025 19:29:59.844692945 CET	1440	54372	45.147.251.145	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 19:28:02.955651999 CET	59641	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:28:02.972443104 CET	53	59641	194.36.144.87	192.168.2.23
Mar 19, 2025 19:28:14.197251081 CET	56040	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:28:14.289311886 CET	53	56040	168.235.111.72	192.168.2.23
Mar 19, 2025 19:28:14.290872097 CET	59598	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:28:14.383790970 CET	53	59598	168.235.111.72	192.168.2.23
Mar 19, 2025 19:28:14.386940956 CET	46667	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:28:14.478199959 CET	53	46667	168.235.111.72	192.168.2.23
Mar 19, 2025 19:28:14.479515076 CET	56665	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:28:14.566313028 CET	53	56665	168.235.111.72	192.168.2.23
Mar 19, 2025 19:28:14.567816973 CET	60098	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:28:14.660711050 CET	53	60098	168.235.111.72	192.168.2.23
Mar 19, 2025 19:28:26.291650057 CET	38909	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:28:26.307404995 CET	53	38909	51.158.108.203	192.168.2.23
Mar 19, 2025 19:28:37.931705952 CET	52544	53	192.168.2.23	185.181.61.24
Mar 19, 2025 19:28:37.969584942 CET	53	52544	185.181.61.24	192.168.2.23
Mar 19, 2025 19:28:49.597780943 CET	44375	53	192.168.2.23	202.61.197.122
Mar 19, 2025 19:28:49.615978003 CET	53	44375	202.61.197.122	192.168.2.23
Mar 19, 2025 19:28:49.617036104 CET	33729	53	192.168.2.23	202.61.197.122
Mar 19, 2025 19:28:49.634401083 CET	53	33729	202.61.197.122	192.168.2.23
Mar 19, 2025 19:28:49.635422945 CET	41238	53	192.168.2.23	202.61.197.122
Mar 19, 2025 19:28:49.652548075 CET	53	41238	202.61.197.122	192.168.2.23
Mar 19, 2025 19:28:49.653753996 CET	57399	53	192.168.2.23	202.61.197.122
Mar 19, 2025 19:28:49.672527075 CET	53	57399	202.61.197.122	192.168.2.23
Mar 19, 2025 19:28:49.673769951 CET	54049	53	192.168.2.23	202.61.197.122
Mar 19, 2025 19:28:49.691514015 CET	53	54049	202.61.197.122	192.168.2.23
Mar 19, 2025 19:29:01.320274115 CET	54195	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:01.413372993 CET	53	54195	168.235.111.72	192.168.2.23
Mar 19, 2025 19:29:13.021852016 CET	34091	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:13.041723967 CET	53	34091	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:13.043431044 CET	37747	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:13.061542988 CET	53	37747	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:13.062556982 CET	36760	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:13.078835964 CET	53	36760	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:13.079791069 CET	37047	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:13.095026970 CET	53	37047	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:13.096157074 CET	34906	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:13.111550093 CET	53	34906	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:24.329859018 CET	57339	53	192.168.2.23	152.53.15.127
Mar 19, 2025 19:29:24.346957922 CET	53	57339	152.53.15.127	192.168.2.23
Mar 19, 2025 19:29:24.348311901 CET	51890	53	192.168.2.23	152.53.15.127
Mar 19, 2025 19:29:24.366311073 CET	53	51890	152.53.15.127	192.168.2.23
Mar 19, 2025 19:29:24.367644072 CET	33492	53	192.168.2.23	152.53.15.127
Mar 19, 2025 19:29:24.391412020 CET	53	33492	152.53.15.127	192.168.2.23
Mar 19, 2025 19:29:24.392774105 CET	43011	53	192.168.2.23	152.53.15.127
Mar 19, 2025 19:29:24.411000013 CET	53	43011	152.53.15.127	192.168.2.23
Mar 19, 2025 19:29:24.412214994 CET	46707	53	192.168.2.23	152.53.15.127
Mar 19, 2025 19:29:24.429207087 CET	53	46707	152.53.15.127	192.168.2.23
Mar 19, 2025 19:29:36.007117987 CET	37257	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:29:36.029783010 CET	53	37257	194.36.144.87	192.168.2.23
Mar 19, 2025 19:29:36.031671047 CET	37681	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:29:36.055332899 CET	53	37681	194.36.144.87	192.168.2.23
Mar 19, 2025 19:29:36.057568073 CET	38292	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:29:36.081583023 CET	53	38292	194.36.144.87	192.168.2.23
Mar 19, 2025 19:29:36.082834959 CET	50366	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:29:36.105211020 CET	53	50366	194.36.144.87	192.168.2.23
Mar 19, 2025 19:29:36.106446028 CET	58794	53	192.168.2.23	194.36.144.87
Mar 19, 2025 19:29:36.129096985 CET	53	58794	194.36.144.87	192.168.2.23
Mar 19, 2025 19:29:47.724829912 CET	60435	53	192.168.2.23	51.158.108.203
Mar 19, 2025 19:29:47.740293026 CET	53	60435	51.158.108.203	192.168.2.23
Mar 19, 2025 19:29:59.369502068 CET	59571	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:59.458540916 CET	53	59571	168.235.111.72	192.168.2.23
Mar 19, 2025 19:29:59.460669994 CET	49977	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:59.550158024 CET	53	49977	168.235.111.72	192.168.2.23
Mar 19, 2025 19:29:59.551913977 CET	51397	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:59.643565893 CET	53	51397	168.235.111.72	192.168.2.23
Mar 19, 2025 19:29:59.645450115 CET	54420	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:59.733650923 CET	53	54420	168.235.111.72	192.168.2.23
Mar 19, 2025 19:29:59.735328913 CET	54320	53	192.168.2.23	168.235.111.72
Mar 19, 2025 19:29:59.828411102 CET	53	54320	168.235.111.72	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 19, 2025 19:28:02.955651999 CET	192.168.2.23	194.36.144.87	0x5c97	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:14.197251081 CET	192.168.2.23	168.235.111.72	0x8c71	Standard query (0)	watchmepull.dyn. [malformed]	256	446	false
Mar 19, 2025 19:28:14.290872097 CET	192.168.2.23	168.235.111.72	0x8c71	Standard query (0)	watchmepull.dyn. [malformed]	256	446	false
Mar 19, 2025 19:28:14.386940956 CET	192.168.2.23	168.235.111.72	0x8c71	Standard query (0)	watchmepull.dyn. [malformed]	256	446	false
Mar 19, 2025 19:28:14.479515076 CET	192.168.2.23	168.235.111.72	0x8c71	Standard query (0)	watchmepull.dyn. [malformed]	256	446	false
Mar 19, 2025 19:28:14.567816973 CET	192.168.2.23	168.235.111.72	0x8c71	Standard query (0)	watchmepull.dyn. [malformed]	256	446	false
Mar 19, 2025 19:28:26.291650057 CET	192.168.2.23	51.158.108.203	0xf1a4	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:37.931705952 CET	192.168.2.23	185.181.61.24	0x363b	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:49.597780943 CET	192.168.2.23	202.61.197.122	0xc852	Standard query (0)	watchmepull.dyn. [malformed]	256	481	false
Mar 19, 2025 19:28:49.617036104 CET	192.168.2.23	202.61.197.122	0xc852	Standard query (0)	watchmepull.dyn. [malformed]	256	481	false
Mar 19, 2025 19:28:49.635422945 CET	192.168.2.23	202.61.197.122	0xc852	Standard query (0)	watchmepull.dyn. [malformed]	256	481	false
Mar 19, 2025 19:28:49.653753996 CET	192.168.2.23	202.61.197.122	0xc852	Standard query (0)	watchmepull.dyn. [malformed]	256	481	false
Mar 19, 2025 19:28:49.673769951 CET	192.168.2.23	202.61.197.122	0xc852	Standard query (0)	watchmepull.dyn. [malformed]	256	481	false
Mar 19, 2025 19:29:01.320274115 CET	192.168.2.23	168.235.111.72	0x1237	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:13.021852016 CET	192.168.2.23	51.158.108.203	0x6392	Standard query (0)	watchmepull.dyn. [malformed]	256	505	false
Mar 19, 2025 19:29:13.043431044 CET	192.168.2.23	51.158.108.203	0x6392	Standard query (0)	watchmepull.dyn. [malformed]	256	505	false
Mar 19, 2025 19:29:13.062556982 CET	192.168.2.23	51.158.108.203	0x6392	Standard query (0)	watchmepull.dyn. [malformed]	256	505	false
Mar 19, 2025 19:29:13.079791069 CET	192.168.2.23	51.158.108.203	0x6392	Standard query (0)	watchmepull.dyn. [malformed]	256	505	false
Mar 19, 2025 19:29:13.096157074 CET	192.168.2.23	51.158.108.203	0x6392	Standard query (0)	watchmepull.dyn. [malformed]	256	505	false
Mar 19, 2025 19:29:24.329859018 CET	192.168.2.23	152.53.15.127	0x48a2	Standard query (0)	watchmepull.dyn. [malformed]	256	260	false
Mar 19, 2025 19:29:24.348311901 CET	192.168.2.23	152.53.15.127	0x48a2	Standard query (0)	watchmepull.dyn. [malformed]	256	260	false
Mar 19, 2025 19:29:24.367644072 CET	192.168.2.23	152.53.15.127	0x48a2	Standard query (0)	watchmepull.dyn. [malformed]	256	260	false
Mar 19, 2025 19:29:24.392774105 CET	192.168.2.23	152.53.15.127	0x48a2	Standard query (0)	watchmepull.dyn. [malformed]	256	260	false
Mar 19, 2025 19:29:24.412214994 CET	192.168.2.23	152.53.15.127	0x48a2	Standard query (0)	watchmepull.dyn. [malformed]	256	260	false
Mar 19, 2025 19:29:36.007117987 CET	192.168.2.23	194.36.144.87	0x2b2e	Standard query (0)	watchmepull.dyn. [malformed]	256	272	false
Mar 19, 2025 19:29:36.031671047 CET	192.168.2.23	194.36.144.87	0x2b2e	Standard query (0)	watchmepull.dyn. [malformed]	256	272	false
Mar 19, 2025 19:29:36.057568073 CET	192.168.2.23	194.36.144.87	0x2b2e	Standard query (0)	watchmepull.dyn. [malformed]	256	272	false
Mar 19, 2025 19:29:36.082834959 CET	192.168.2.23	194.36.144.87	0x2b2e	Standard query (0)	watchmepull.dyn. [malformed]	256	272	false
Mar 19, 2025 19:29:36.106446028 CET	192.168.2.23	194.36.144.87	0x2b2e	Standard query (0)	watchmepull.dyn. [malformed]	256	272	false
Mar 19, 2025 19:29:47.724829912 CET	192.168.2.23	51.158.108.203	0xbc73	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:59.369502068 CET	192.168.2.23	168.235.111.72	0x175d	Standard query (0)	watchmepull.dyn. [malformed]	256	295	false
Mar 19, 2025 19:29:59.460669994 CET	192.168.2.23	168.235.111.72	0x175d	Standard query (0)	watchmepull.dyn. [malformed]	256	295	false
Mar 19, 2025 19:29:59.551913977 CET	192.168.2.23	168.235.111.72	0x175d	Standard query (0)	watchmepull.dyn. [malformed]	256	295	false
Mar 19, 2025 19:29:59.645450115 CET	192.168.2.23	168.235.111.72	0x175d	Standard query (0)	watchmepull.dyn. [malformed]	256	295	false
Mar 19, 2025 19:29:59.735328913 CET	192.168.2.23	168.235.111.72	0x175d	Standard query (0)	watchmepull.dyn. [malformed]	256	295	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 19, 2025 19:28:02.972443104 CET	194.36.144.87	192.168.2.23	0x5c97	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:02.972443104 CET	194.36.144.87	192.168.2.23	0x5c97	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:02.972443104 CET	194.36.144.87	192.168.2.23	0x5c97	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:26.307404995 CET	51.158.108.203	192.168.2.23	0xf1a4	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:26.307404995 CET	51.158.108.203	192.168.2.23	0xf1a4	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:26.307404995 CET	51.158.108.203	192.168.2.23	0xf1a4	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:37.969584942 CET	185.181.61.24	192.168.2.23	0x363b	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:37.969584942 CET	185.181.61.24	192.168.2.23	0x363b	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:28:37.969584942 CET	185.181.61.24	192.168.2.23	0x363b	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:01.413372993 CET	168.235.111.72	192.168.2.23	0x1237	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:01.413372993 CET	168.235.111.72	192.168.2.23	0x1237	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:01.413372993 CET	168.235.111.72	192.168.2.23	0x1237	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:13.041723967 CET	51.158.108.203	192.168.2.23	0x6392	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	505	false
Mar 19, 2025 19:29:13.061542988 CET	51.158.108.203	192.168.2.23	0x6392	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	505	false
Mar 19, 2025 19:29:13.078835964 CET	51.158.108.203	192.168.2.23	0x6392	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	505	false
Mar 19, 2025 19:29:13.095026970 CET	51.158.108.203	192.168.2.23	0x6392	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	505	false
Mar 19, 2025 19:29:13.111550093 CET	51.158.108.203	192.168.2.23	0x6392	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	505	false
Mar 19, 2025 19:29:24.346957922 CET	152.53.15.127	192.168.2.23	0x48a2	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	260	false
Mar 19, 2025 19:29:24.366311073 CET	152.53.15.127	192.168.2.23	0x48a2	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	260	false
Mar 19, 2025 19:29:24.391412020 CET	152.53.15.127	192.168.2.23	0x48a2	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	260	false
Mar 19, 2025 19:29:24.411000013 CET	152.53.15.127	192.168.2.23	0x48a2	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	260	false
Mar 19, 2025 19:29:24.429207087 CET	152.53.15.127	192.168.2.23	0x48a2	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	260	false
Mar 19, 2025 19:29:36.029783010 CET	194.36.144.87	192.168.2.23	0x2b2e	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	272	false
Mar 19, 2025 19:29:36.055332899 CET	194.36.144.87	192.168.2.23	0x2b2e	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	272	false
Mar 19, 2025 19:29:36.081583023 CET	194.36.144.87	192.168.2.23	0x2b2e	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	272	false
Mar 19, 2025 19:29:36.105211020 CET	194.36.144.87	192.168.2.23	0x2b2e	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	272	false
Mar 19, 2025 19:29:36.129096985 CET	194.36.144.87	192.168.2.23	0x2b2e	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	272	false
Mar 19, 2025 19:29:47.740293026 CET	51.158.108.203	192.168.2.23	0xbc73	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:47.740293026 CET	51.158.108.203	192.168.2.23	0xbc73	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:29:47.740293026 CET	51.158.108.203	192.168.2.23	0xbc73	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zerarm.elf PID: 6238, Parent PID: 6156

General

Start time (UTC):	18:28:01
Start date (UTC):	19/03/2025
Path:	/tmp/zerarm.elf
Arguments:	/tmp/zerarm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerarm.elf PID: 6240, Parent PID: 6238

General

Start time (UTC):	18:28:01
Start date (UTC):	19/03/2025
Path:	/tmp/zerarm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: zerarm.elf PID: 6242, Parent PID: 6240

General

Start time (UTC):	18:28:01
Start date (UTC):	19/03/2025
Path:	/tmp/zerarm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerarm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerarm.elf PID: 6238, Parent PID: 6156

General

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerarm.elf PID: 6240, Parent PID: 6238

General

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Linux Analysis Report
zerarm.elf