
Linux Analysis Report
zersh4.elf

Overview

General Information

Sample name: zersh4.elf
Analysis ID: 1643359
MD5: d0c8cacaacda4a5913390fb80d277eb4
SHA1: ec7c186b799114c34767f5e4156bc375731ab98b
SHA256: 8110805cc9f3281bb755e647428044f0736dd566e1350658d95dd6e3c9452bd8
Tags: elf, user-abuse_ch

Detection

Score: 48
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1643359
Start date and time: 2025-03-19 19:37:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: zersh4.elf
Detection: MAL
Classification: mal48.linELF@0/0@2/0
Command: /tmp/zersh4.elf
PID: 5444
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
gosh that chinese family at the other table sure ate a lot
Standard Error:
  • system is lnxubuntu20
  • zersh4.elf (PID: 5444, Parent: 5362, MD5: 8943e5f8f8c280467b4472c15ae93ba9) Arguments: /tmp/zersh4.elf
  • cleanup
No yara matches
No Suricata rule has matched

AV Detection

Source: zersh4.elf | Virustotal: Detection: 23%
Source: zersh4.elf | ReversingLabs: Detection: 22%
Source: global traffic | TCP traffic: 192.168.2.13:40566 -> 185.220.204.227:1440
Source: /tmp/zersh4.elf (PID: 5444) | Socket: 127.0.0.1:39148
Source: unknown | UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown | UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: global traffic | DNS traffic detected: DNS query: watchmepull.dyn
Source: global traffic | DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne >> > .d
Source: ELF static info symbol of initial sample | .symtab present: no
Source: classification engine | Classification label: mal48.linELF@0/0@2/0
Source: /tmp/zersh4.elf (PID: 5444) | File opened: /proc/<pid>/comm, once for each of the following PIDs (in the order observed): 5385, 230, 110, 231, 111, 232, 112, 233, 113, 234, 114, 235, 115, 236, 116, 237, 117, 238, 118, 239, 119, 3633, 914, 10, 917, 11, 12, 13, 14, 15, 16, 17, 18, 19, 240, 3095, 120, 241, 121, 242, 1, 122, 243, 2, 123, 244, 3, 124, 245, 1588, 125, 4, 246, 126, 5, 247, 127, 6, 248, 128, 7, 249, 129, 8, 800, 9, 1906, 802, 803, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 3420, 1482, 490, 1480, 250, 371, 130, 251, 5281, 131, 252, 132, 253, 254, 1238, 134, 255, 256, 257, 378, 3413, 258, 259, 1475, 936, 3777
Source: /tmp/zersh4.elf (PID: 5444) | Queries kernel information via 'uname'
Source: zersh4.elf, 5444.1.00007ffe7ef73000.00007ffe7ef94000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-sh4
Source: zersh4.elf, 5444.1.00007ffe7ef73000.00007ffe7ef94000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/zersh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zersh4.elf
Source: zersh4.elf, 5444.1.000055b734eda000.000055b734f5e000.rw-.sdmp | Binary or memory string: U5!/etc/qemu-binfmt/sh4
Source: zersh4.elf, 5444.1.000055b734eda000.000055b734f5e000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/sh4
MITRE ATT&CK Matrix (one line per tactic, three techniques per tactic; the number in parentheses is the signature match count the report shows for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Direct Volume Access; Rootkit; Obfuscated Files or Information
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No configs have been found

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph (ID: 1643359, Sample: zersh4.elf, Start date: 19/03/2025, Architecture: LINUX, Score: 48)
  • DNS/IP Info: 185.220.204.227 (ports 1440, 40566, 40568; CLOUDWEBMANAGE-EUGB, Israel); watchmepull.dyn; ohlookthereismyboats.geek
  • Signature: Multi AV Scanner detection for submitted file
  • Processes: zersh4.elf started -> zersh4.elf started -> zersh4.elf started
Source | Detection | Scanner | Label
zersh4.elf | 23% | Virustotal |
zersh4.elf | 22% | ReversingLabs | Linux.Backdoor.Gafgyt
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
watchmepull.dyn | 45.147.251.145 | true | false | | high
ohlookthereismyboats.geek | 45.147.251.145 | true | false | | high

Reputation legend:
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.220.204.227 | unknown | Israel | 41436 | CLOUDWEBMANAGE-EUGB | false
Context for IP 185.220.204.227 (Associated Sample Name / URL | Detection | Threat Name):
zerarm.elf | malicious | Unknown
zermips.elf | malicious | Unknown
zerx86.elf | malicious | Unknown
zerppc.elf | malicious | Unknown
zermpsl.elf | malicious | Unknown
zerm68k.elf | malicious | Unknown
zersh4.elf | malicious | Unknown
zerarm7.elf | malicious | Unknown

Context for domain ohlookthereismyboats.geek (Associated Sample Name / URL | Detection | Threat Name | Context IP):
jklarm5.elf | malicious | Unknown | 104.248.47.182
jklx86.elf | malicious | Unknown | 185.220.204.227
nklx86.elf | malicious | Unknown | 185.220.204.227
nklarm7.elf | malicious | Unknown | 45.147.251.145
nabarm5.elf | malicious | Unknown | 45.147.251.145
zerarm.elf | malicious | Unknown | 185.220.204.227
splmips.elf | malicious | Unknown | 45.147.251.145
jklmpsl.elf | malicious | Unknown | 185.220.204.227
jklmips.elf | malicious | Unknown | 185.220.204.227
arm.elf | malicious | Unknown | 185.220.204.227

Context for ASN CLOUDWEBMANAGE-EUGB (Associated Sample Name / URL | Detection | Threat Name | Context IP):
zerarm.elf | malicious | Unknown | 185.220.204.227
zermips.elf | malicious | Unknown | 185.220.204.227
zerx86.elf | malicious | Unknown | 185.220.204.227
zerppc.elf | malicious | Unknown | 185.220.204.227
zermpsl.elf | malicious | Unknown | 185.220.204.227
zerm68k.elf | malicious | Unknown | 185.220.204.227
zersh4.elf | malicious | Unknown | 185.220.204.227
zerarm7.elf | malicious | Unknown | 185.220.204.227
https://basvur-acildenizv2denizkredi.site/ | malicious | HTMLPhisher | 5.180.183.64
https://basvur-acildenizv2denizkredi.xyz/ | malicious | HTMLPhisher | 5.180.183.64

No context
No created / dropped files found
File type: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
Entropy (8bit): 6.7477100583201315
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name: zersh4.elf
File size: 42'260 bytes
MD5: d0c8cacaacda4a5913390fb80d277eb4
SHA1: ec7c186b799114c34767f5e4156bc375731ab98b
SHA256: 8110805cc9f3281bb755e647428044f0736dd566e1350658d95dd6e3c9452bd8
SHA512: b72d71a9b26cea9fa8dbefa42a1ee6804613e5da94e7bc2a94d012e65fe286cd427f3ab99be79641143d078fdad76b5cfdefef03dfd32e5c071f8227c9678fc7
SSDEEP: 768:CZahPwtkdSs6Gq4UFKvzMGCWc6U+C3+oSXrCZGXP:0adwtkTVOiQG66U+GkrCZGXP
TLSH: AB137D76CCADAE94C51992B4F834897C1F63F200C6571EFB5A49852680439BCFB09BF9
File Content Preview: .ELF..............*.......@.4...\.......4. ...(...............@...@.X...X...............\...\.A.\.A..... ...........Q.td............................././"O.n........#.*@........#.*@.....o&O.n...l..............................././.../.a"O.!...n...a.b("...q.

ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: <unknown>
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - System V
ABI Version: 0
Entry Point Address: 0x4001a0
Flags: 0x9
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 41820
Section Header Size: 40
Number of Section Headers: 11
Header String Table Index: 10

Section headers (Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align):
(none) | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x30 | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x97e0 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x4098c0 | 0x98c0 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x4098e4 | 0x98e4 | 0x874 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x41a15c | 0xa15c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x41a164 | 0xa164 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.jcr | PROGBITS | 0x41a16c | 0xa16c | 0x4 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x41a170 | 0xa170 | 0x1a8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x41a318 | 0xa318 | 0x264 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0xa318 | 0x43 | 0x0 | 0x0 | | 0 | 0 | 1

Program headers (Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings):
LOAD | 0x0 | 0x400000 | 0x400000 | 0xa158 | 0xa158 | 6.8034 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0xa15c | 0x41a15c | 0x41a15c | 0x1bc | 0x420 | 2.3289 | 0x6 | RW | 0x10000 | | .ctors .dtors .jcr .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |

  • Total Packets: 14
  • 1440 undefined
  • 53 (DNS)

TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 19, 2025 19:38:17.560584068 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:17.565308094 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:17.565546036 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:17.581842899 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:17.586564064 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:17.586606979 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:17.591347933 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:27.592061996 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:27.596868038 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:27.780064106 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:27.780375957 CET | 40566 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:27.785175085 CET | 1440 | 40566 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:28.870593071 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:28.875351906 CET | 1440 | 40568 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:28.875430107 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:28.876166105 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:28.880860090 CET | 1440 | 40568 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:38:28.880914927 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:38:28.885611057 CET | 1440 | 40568 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:39:28.934314966 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227
Mar 19, 2025 19:39:28.940119028 CET | 1440 | 40568 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:39:29.121844053 CET | 1440 | 40568 | 185.220.204.227 | 192.168.2.13
Mar 19, 2025 19:39:29.122040987 CET | 40568 | 1440 | 192.168.2.13 | 185.220.204.227

UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Mar 19, 2025 19:38:17.541085005 CET | 57192 | 53 | 192.168.2.13 | 202.61.197.122
Mar 19, 2025 19:38:17.558522940 CET | 53 | 57192 | 202.61.197.122 | 192.168.2.13
Mar 19, 2025 19:38:28.782557964 CET | 49028 | 53 | 192.168.2.13 | 168.235.111.72
Mar 19, 2025 19:38:28.869832039 CET | 53 | 49028 | 168.235.111.72 | 192.168.2.13

DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS):
Mar 19, 2025 19:38:17.541085005 CET | 192.168.2.13 | 202.61.197.122 | 0xc195 | Standard query (0) | watchmepull.dyn | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:28.782557964 CET | 192.168.2.13 | 168.235.111.72 | 0x9d85 | Standard query (0) | ohlookthereismyboats.geek | A (IP address) | IN (0x0001) | false

DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Mar 19, 2025 19:38:17.558522940 CET | 202.61.197.122 | 192.168.2.13 | 0xc195 | No error (0) | watchmepull.dyn | | 45.147.251.145 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:17.558522940 CET | 202.61.197.122 | 192.168.2.13 | 0xc195 | No error (0) | watchmepull.dyn | | 185.220.204.227 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:17.558522940 CET | 202.61.197.122 | 192.168.2.13 | 0xc195 | No error (0) | watchmepull.dyn | | 104.248.47.182 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:28.869832039 CET | 168.235.111.72 | 192.168.2.13 | 0x9d85 | No error (0) | ohlookthereismyboats.geek | | 45.147.251.145 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:28.869832039 CET | 168.235.111.72 | 192.168.2.13 | 0x9d85 | No error (0) | ohlookthereismyboats.geek | | 185.220.204.227 | A (IP address) | IN (0x0001) | false
Mar 19, 2025 19:38:28.869832039 CET | 168.235.111.72 | 192.168.2.13 | 0x9d85 | No error (0) | ohlookthereismyboats.geek | | 104.248.47.182 | A (IP address) | IN (0x0001) | false

System Behavior

Start time (UTC): 18:38:16
Start date (UTC): 19/03/2025
Path: /tmp/zersh4.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9

Start time (UTC): 18:38:16
Start date (UTC): 19/03/2025
Path: /tmp/zersh4.elf
Arguments: -
File size: 4139976 bytes
MD5 hash: 8943e5f8f8c280467b4472c15ae93ba9