Edit tour

Linux Analysis Report
zerspc.elf

Overview

General Information

Sample name:	zerspc.elf
Analysis ID:	1643360
MD5:	fcb9e1fd3ad21f17c562ee52296f4edb
SHA1:	b00ef70e060fa953ae36028fa2d1e6ae8f91d870
SHA256:	3cdc65486bc8428160f8831025b72740d7f764ed683ac2072fb387d2451f931b
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	52
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1643360
Start date and time:	2025-03-19 19:37:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerspc.elf
Detection:	MAL
Classification:	mal52.troj.linELF@0/0@44/0

Runtime Messages

Command:	/tmp/zerspc.elf
PID:	5529
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerspc.elf (PID: 5529, Parent: 5445, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/zerspc.elf

zerspc.elf New Fork (PID: 5532, Parent: 5529)

zerspc.elf New Fork (PID: 5534, Parent: 5532)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerspc.elf	Virustotal: Detection: 37%			Perma Link
Source: zerspc.elf	ReversingLabs: Detection: 33%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: watchmepull.dyn. [malformed]

Source: global traffic	TCP traffic: 192.168.2.14:56026 -> 104.248.47.182:1440
Source: global traffic	TCP traffic: 192.168.2.14:36008 -> 45.147.251.145:1440

Source: /tmp/zerspc.elf (PID: 5529)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72

Source: global traffic	DNS traffic detected: DNS query: ohlookthereismyboats.geek
Source: global traffic	DNS traffic detected: DNS query: watchmepull.dyn. [malformed]

Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne >> > .d

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal52.troj.linELF@0/0@44/0

Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1583/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/2672/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1577/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/10/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/917/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/11/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/12/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/13/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/14/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/15/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/16/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/17/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/18/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/19/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1593/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/240/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/120/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3094/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/121/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/242/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3406/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/122/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/243/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/2/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/123/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/244/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1589/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/124/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/245/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1588/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/125/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/4/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/246/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3402/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/126/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/5/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/247/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/127/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/6/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/248/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/128/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/7/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/249/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/8/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/129/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/800/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/9/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/801/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/803/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/20/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/806/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/21/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/807/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/928/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/22/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/23/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/24/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/25/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/26/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/27/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/28/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/29/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3420/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/490/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/250/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/130/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/251/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/131/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/252/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/132/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/253/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/254/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/255/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/135/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/256/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1599/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/257/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/378/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/258/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/3412/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/259/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/30/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/35/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/1371/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/260/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/261/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/262/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/142/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/263/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/264/comm	Jump to behavior
Source: /tmp/zerspc.elf (PID: 5529)	File opened: /proc/265/comm	Jump to behavior

Source: /tmp/zerspc.elf (PID: 5529)

Queries kernel information via 'uname':

Jump to behavior

Source: zerspc.elf, 5529.1.00005647a96b6000.00005647a973b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: zerspc.elf, 5529.1.00005647a96b6000.00005647a973b000.rw-.sdmp	Binary or memory string: GV!/etc/qemu-binfmt/sparc
Source: zerspc.elf, 5529.1.00007ffcb0679000.00007ffcb069a000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-sparc/tmp/zerspc.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerspc.elf
Source: zerspc.elf, 5529.1.00007ffcb0679000.00007ffcb069a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerspc.elf	38%	Virustotal		Browse
zerspc.elf	33%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ohlookthereismyboats.geek	45.147.251.145	true	false		high
watchmepull.dyn. [malformed]	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.248.47.182	unknown	United States		14061	DIGITALOCEAN-ASNUS	false
45.147.251.145	ohlookthereismyboats.geek	Germany		197518	RACKMARKTES	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.248.47.182	zerarm.elf	Get hash	malicious	Unknown	Browse
45.147.251.145	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	zerarm7.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ohlookthereismyboats.geek	jklarm5.elf	Get hash	malicious	Unknown	Browse	104.248.47.182
	jklx86.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	nklx86.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	nklarm7.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	nabarm5.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerarm.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	splmips.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	jklmpsl.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	jklmips.elf	Get hash	malicious	Unknown	Browse	185.220.204.227
	arm.elf	Get hash	malicious	Unknown	Browse	185.220.204.227

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	zerarm.elf	Get hash	malicious	Unknown	Browse	104.248.47.182
	resgod.ppc.elf	Get hash	malicious	Mirai	Browse	206.189.186.139
	http://jcbajqjo.abdomed-ua.online/redirect/#ZDJsc2JtRkFjSEpsZEhkcGJDNWpieTU2WVE9PQ==&_blank	Get hash	malicious	Unknown	Browse	134.209.177.172
	https://trezzerwalletse.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	167.99.228.137
	https://surl.li/Pd-clientes	Get hash	malicious	Unknown	Browse	198.199.109.95
	https://billing-app-pago-group00.codeanyapp.com/21P.MN/auth/	Get hash	malicious	Unknown	Browse	198.199.109.95
	http://communaute-protestante-berlin.de/din	Get hash	malicious	Unknown	Browse	104.131.67.145
	http://marketplace-items-8236237852.hstn.me/	Get hash	malicious	Unknown	Browse	146.185.171.8
	https://w-si.link/LLddh9rL23sraRLUz	Get hash	malicious	HTMLPhisher	Browse	67.207.79.245
	https://surl.li/Pd-clientes	Get hash	malicious	Unknown	Browse	198.199.109.95
RACKMARKTES	zerarm.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	graviola.dll	Get hash	malicious	Unknown	Browse	185.228.72.203
	graviola.dll	Get hash	malicious	Unknown	Browse	185.228.72.203
	zerarm.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerarm5.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerx86.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerspc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerppc.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zermpsl.elf	Get hash	malicious	Unknown	Browse	45.147.251.145
	zerm68k.elf	Get hash	malicious	Unknown	Browse	45.147.251.145

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.009423608058012
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerspc.elf
File size:	50'120 bytes
MD5:	fcb9e1fd3ad21f17c562ee52296f4edb
SHA1:	b00ef70e060fa953ae36028fa2d1e6ae8f91d870
SHA256:	3cdc65486bc8428160f8831025b72740d7f764ed683ac2072fb387d2451f931b
SHA512:	2b63006e9bcb1a4016378adad61a88165c2aa687e371aa7616fc2370e06834ff666a3c0f4b8227e7053dcad9e4552a054681bd25be0ccb59c516428fa6101142
SSDEEP:	768:8Jo8Iq9c7VTeorqsTnMloqXSEVn74QULO+4X4dH/JZ:8JHISc7VTe+qsTnMlBXdZ8QKIKH/L
TLSH:	91234B21B9792E1BC4D5A87E22F74724B2F11B0E25F8CB1D7C321E4AFF25A4055136B9
File Content Preview:	.ELF...........................4.........4. ...(...........................................................8........dt.Q................................@..(....@.,.................#.....a...`.....!..... ...@.....".........`......$ ... ...@...........`....

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	49680
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0xb374	0x0	0x6	AX	4
.fini	PROGBITS	0x1b424	0xb424	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x1b438	0xb438	0x990	0x0	0x2	A	8
.ctors	PROGBITS	0x2c000	0xc000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x2c008	0xc008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x2c010	0xc010	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x2c018	0xc018	0x1b4	0x0	0x3	WA	8
.bss	NOBITS	0x2c1d0	0xc1cc	0x268	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0xc1cc	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0xbdc8	0xbdc8	6.0847	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0xc000	0x2c000	0x2c000	0x1cc	0x438	2.2636	0x6	RW	0x10000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 105
• 1440 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 19:38:21.799968958 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:21.804817915 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:21.804872036 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:21.810029030 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:21.814735889 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:21.814775944 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:21.819438934 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:31.820102930 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:31.824888945 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:32.032083035 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:32.032453060 CET	56026	1440	192.168.2.14	104.248.47.182
Mar 19, 2025 19:38:32.037111998 CET	1440	56026	104.248.47.182	192.168.2.14
Mar 19, 2025 19:38:32.051265955 CET	36008	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:32.056144953 CET	1440	36008	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:32.056202888 CET	36008	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:32.057291985 CET	36008	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:32.061984062 CET	1440	36008	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:32.062031031 CET	36008	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:32.066703081 CET	1440	36008	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:42.678385019 CET	1440	36008	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:42.678896904 CET	36008	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:42.683639050 CET	1440	36008	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:42.776016951 CET	36010	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:42.780719042 CET	1440	36010	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:42.780817032 CET	36010	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:42.782038927 CET	36010	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:42.786711931 CET	1440	36010	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:42.786760092 CET	36010	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:42.791409016 CET	1440	36010	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:53.397038937 CET	1440	36010	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:53.397300005 CET	36010	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:53.402122974 CET	1440	36010	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:53.509567022 CET	36012	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:53.514987946 CET	1440	36012	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:53.515098095 CET	36012	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:53.516619921 CET	36012	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:53.521539927 CET	1440	36012	45.147.251.145	192.168.2.14
Mar 19, 2025 19:38:53.521656036 CET	36012	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:38:53.526570082 CET	1440	36012	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:04.134963036 CET	1440	36012	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:04.135590076 CET	36012	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:04.140367031 CET	1440	36012	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:04.690429926 CET	36014	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:04.697225094 CET	1440	36014	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:04.697294950 CET	36014	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:04.698260069 CET	36014	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:04.702903986 CET	1440	36014	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:04.702955008 CET	36014	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:04.708041906 CET	1440	36014	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:15.311671019 CET	1440	36014	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:15.311943054 CET	36014	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:15.316704035 CET	1440	36014	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:15.424645901 CET	36016	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:15.429508924 CET	1440	36016	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:15.429589987 CET	36016	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:15.431035042 CET	36016	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:15.435736895 CET	1440	36016	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:15.435806036 CET	36016	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:15.440514088 CET	1440	36016	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:26.046242952 CET	1440	36016	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:26.046751022 CET	36016	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:26.051577091 CET	1440	36016	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:26.138200045 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:26.143244982 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:26.143493891 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:26.145402908 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:26.150084972 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:26.150176048 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:26.154874086 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.155313969 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.161469936 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.382710934 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.383008003 CET	36018	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.387856960 CET	1440	36018	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.479446888 CET	36020	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.484823942 CET	1440	36020	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.484901905 CET	36020	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.486087084 CET	36020	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.490791082 CET	1440	36020	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:36.490873098 CET	36020	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:36.495553017 CET	1440	36020	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:47.106183052 CET	1440	36020	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:47.106410980 CET	36020	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:47.111167908 CET	1440	36020	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:47.208795071 CET	36022	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:47.213464022 CET	1440	36022	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:47.213538885 CET	36022	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:47.214682102 CET	36022	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:47.219511986 CET	1440	36022	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:47.219573975 CET	36022	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:47.224164963 CET	1440	36022	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:57.843354940 CET	1440	36022	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:57.843585014 CET	36022	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:57.848551989 CET	1440	36022	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:57.861285925 CET	36024	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:57.868082047 CET	1440	36024	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:57.868140936 CET	36024	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:57.868997097 CET	36024	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:57.875974894 CET	1440	36024	45.147.251.145	192.168.2.14
Mar 19, 2025 19:39:57.876029015 CET	36024	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:39:57.881376982 CET	1440	36024	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:08.492441893 CET	1440	36024	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:08.492969990 CET	36024	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:08.497697115 CET	1440	36024	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:08.945530891 CET	36026	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:08.950265884 CET	1440	36026	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:08.950347900 CET	36026	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:08.951754093 CET	36026	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:08.956512928 CET	1440	36026	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:08.956566095 CET	36026	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:08.961222887 CET	1440	36026	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:19.584286928 CET	1440	36026	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:19.584498882 CET	36026	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:19.590100050 CET	1440	36026	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:20.046082973 CET	36028	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:20.050797939 CET	1440	36028	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:20.050847054 CET	36028	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:20.051681042 CET	36028	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:20.056256056 CET	1440	36028	45.147.251.145	192.168.2.14
Mar 19, 2025 19:40:20.056302071 CET	36028	1440	192.168.2.14	45.147.251.145
Mar 19, 2025 19:40:20.060950994 CET	1440	36028	45.147.251.145	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 19:38:21.766334057 CET	35470	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:38:21.790222883 CET	53	35470	194.36.144.87	192.168.2.14
Mar 19, 2025 19:38:32.033550024 CET	59156	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:38:32.050570965 CET	53	59156	194.36.144.87	192.168.2.14
Mar 19, 2025 19:38:42.680248976 CET	57419	53	192.168.2.14	202.61.197.122
Mar 19, 2025 19:38:42.697534084 CET	53	57419	202.61.197.122	192.168.2.14
Mar 19, 2025 19:38:42.699162006 CET	54896	53	192.168.2.14	202.61.197.122
Mar 19, 2025 19:38:42.716491938 CET	53	54896	202.61.197.122	192.168.2.14
Mar 19, 2025 19:38:42.718111038 CET	58612	53	192.168.2.14	202.61.197.122
Mar 19, 2025 19:38:42.735460997 CET	53	58612	202.61.197.122	192.168.2.14
Mar 19, 2025 19:38:42.737217903 CET	40394	53	192.168.2.14	202.61.197.122
Mar 19, 2025 19:38:42.755008936 CET	53	40394	202.61.197.122	192.168.2.14
Mar 19, 2025 19:38:42.756835938 CET	41705	53	192.168.2.14	202.61.197.122
Mar 19, 2025 19:38:42.774831057 CET	53	41705	202.61.197.122	192.168.2.14
Mar 19, 2025 19:38:53.399312973 CET	34200	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:38:53.416292906 CET	53	34200	152.53.15.127	192.168.2.14
Mar 19, 2025 19:38:53.417571068 CET	36650	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:38:53.440170050 CET	53	36650	152.53.15.127	192.168.2.14
Mar 19, 2025 19:38:53.441894054 CET	34776	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:38:53.458726883 CET	53	34776	152.53.15.127	192.168.2.14
Mar 19, 2025 19:38:53.460532904 CET	52827	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:38:53.483477116 CET	53	52827	152.53.15.127	192.168.2.14
Mar 19, 2025 19:38:53.485388994 CET	37273	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:38:53.508474112 CET	53	37273	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:04.137070894 CET	35706	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:04.224097013 CET	53	35706	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:04.226367950 CET	42151	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:04.314332962 CET	53	42151	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:04.316519976 CET	45314	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:04.507694006 CET	53	45314	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:04.509464025 CET	38704	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:04.600552082 CET	53	38704	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:04.601877928 CET	52470	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:04.689430952 CET	53	52470	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:15.313584089 CET	48599	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:39:15.330543041 CET	53	48599	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:15.332537889 CET	55510	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:39:15.355366945 CET	53	55510	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:15.357214928 CET	52201	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:39:15.374226093 CET	53	52201	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:15.375953913 CET	52818	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:39:15.398802042 CET	53	52818	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:15.400645018 CET	34646	53	192.168.2.14	152.53.15.127
Mar 19, 2025 19:39:15.423724890 CET	53	34646	152.53.15.127	192.168.2.14
Mar 19, 2025 19:39:26.048824072 CET	57919	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:39:26.136231899 CET	53	57919	168.235.111.72	192.168.2.14
Mar 19, 2025 19:39:36.385445118 CET	58367	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:36.401303053 CET	53	58367	51.158.108.203	192.168.2.14
Mar 19, 2025 19:39:36.402687073 CET	44010	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:36.425286055 CET	53	44010	51.158.108.203	192.168.2.14
Mar 19, 2025 19:39:36.426862001 CET	42592	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:36.442989111 CET	53	42592	51.158.108.203	192.168.2.14
Mar 19, 2025 19:39:36.444638968 CET	49993	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:36.461536884 CET	53	49993	51.158.108.203	192.168.2.14
Mar 19, 2025 19:39:36.462798119 CET	50378	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:36.478637934 CET	53	50378	51.158.108.203	192.168.2.14
Mar 19, 2025 19:39:47.107686996 CET	33846	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:39:47.130049944 CET	53	33846	194.36.144.87	192.168.2.14
Mar 19, 2025 19:39:47.131355047 CET	59179	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:39:47.148114920 CET	53	59179	194.36.144.87	192.168.2.14
Mar 19, 2025 19:39:47.149408102 CET	35776	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:39:47.172055006 CET	53	35776	194.36.144.87	192.168.2.14
Mar 19, 2025 19:39:47.173348904 CET	36224	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:39:47.190377951 CET	53	36224	194.36.144.87	192.168.2.14
Mar 19, 2025 19:39:47.191627026 CET	39596	53	192.168.2.14	194.36.144.87
Mar 19, 2025 19:39:47.208193064 CET	53	39596	194.36.144.87	192.168.2.14
Mar 19, 2025 19:39:57.844835997 CET	35386	53	192.168.2.14	51.158.108.203
Mar 19, 2025 19:39:57.860682964 CET	53	35386	51.158.108.203	192.168.2.14
Mar 19, 2025 19:40:08.494820118 CET	36070	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:08.585874081 CET	53	36070	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:08.587615967 CET	33243	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:08.675292969 CET	53	33243	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:08.677484989 CET	49393	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:08.764704943 CET	53	49393	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:08.766668081 CET	49840	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:08.854170084 CET	53	49840	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:08.855427027 CET	53394	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:08.944458961 CET	53	53394	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:19.585623026 CET	58311	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:19.681068897 CET	53	58311	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:19.682133913 CET	35280	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:19.768933058 CET	53	35280	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:19.770015001 CET	37122	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:19.858529091 CET	53	37122	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:19.859602928 CET	38438	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:19.951128960 CET	53	38438	168.235.111.72	192.168.2.14
Mar 19, 2025 19:40:19.952491045 CET	45803	53	192.168.2.14	168.235.111.72
Mar 19, 2025 19:40:20.045319080 CET	53	45803	168.235.111.72	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 19, 2025 19:38:21.766334057 CET	192.168.2.14	194.36.144.87	0xa0cc	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:32.033550024 CET	192.168.2.14	194.36.144.87	0xb13f	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:42.680248976 CET	192.168.2.14	202.61.197.122	0x7388	Standard query (0)	watchmepull.dyn. [malformed]	256	306	false
Mar 19, 2025 19:38:42.699162006 CET	192.168.2.14	202.61.197.122	0x7388	Standard query (0)	watchmepull.dyn. [malformed]	256	306	false
Mar 19, 2025 19:38:42.718111038 CET	192.168.2.14	202.61.197.122	0x7388	Standard query (0)	watchmepull.dyn. [malformed]	256	306	false
Mar 19, 2025 19:38:42.737217903 CET	192.168.2.14	202.61.197.122	0x7388	Standard query (0)	watchmepull.dyn. [malformed]	256	306	false
Mar 19, 2025 19:38:42.756835938 CET	192.168.2.14	202.61.197.122	0x7388	Standard query (0)	watchmepull.dyn. [malformed]	256	306	false
Mar 19, 2025 19:38:53.399312973 CET	192.168.2.14	152.53.15.127	0xa347	Standard query (0)	watchmepull.dyn. [malformed]	256	317	false
Mar 19, 2025 19:38:53.417571068 CET	192.168.2.14	152.53.15.127	0xa347	Standard query (0)	watchmepull.dyn. [malformed]	256	317	false
Mar 19, 2025 19:38:53.441894054 CET	192.168.2.14	152.53.15.127	0xa347	Standard query (0)	watchmepull.dyn. [malformed]	256	317	false
Mar 19, 2025 19:38:53.460532904 CET	192.168.2.14	152.53.15.127	0xa347	Standard query (0)	watchmepull.dyn. [malformed]	256	317	false
Mar 19, 2025 19:38:53.485388994 CET	192.168.2.14	152.53.15.127	0xa347	Standard query (0)	watchmepull.dyn. [malformed]	256	317	false
Mar 19, 2025 19:39:04.137070894 CET	192.168.2.14	168.235.111.72	0x991	Standard query (0)	watchmepull.dyn. [malformed]	256	328	false
Mar 19, 2025 19:39:04.226367950 CET	192.168.2.14	168.235.111.72	0x991	Standard query (0)	watchmepull.dyn. [malformed]	256	328	false
Mar 19, 2025 19:39:04.316519976 CET	192.168.2.14	168.235.111.72	0x991	Standard query (0)	watchmepull.dyn. [malformed]	256	328	false
Mar 19, 2025 19:39:04.509464025 CET	192.168.2.14	168.235.111.72	0x991	Standard query (0)	watchmepull.dyn. [malformed]	256	328	false
Mar 19, 2025 19:39:04.601877928 CET	192.168.2.14	168.235.111.72	0x991	Standard query (0)	watchmepull.dyn. [malformed]	256	328	false
Mar 19, 2025 19:39:15.313584089 CET	192.168.2.14	152.53.15.127	0xc949	Standard query (0)	watchmepull.dyn. [malformed]	256	339	false
Mar 19, 2025 19:39:15.332537889 CET	192.168.2.14	152.53.15.127	0xc949	Standard query (0)	watchmepull.dyn. [malformed]	256	339	false
Mar 19, 2025 19:39:15.357214928 CET	192.168.2.14	152.53.15.127	0xc949	Standard query (0)	watchmepull.dyn. [malformed]	256	339	false
Mar 19, 2025 19:39:15.375953913 CET	192.168.2.14	152.53.15.127	0xc949	Standard query (0)	watchmepull.dyn. [malformed]	256	339	false
Mar 19, 2025 19:39:15.400645018 CET	192.168.2.14	152.53.15.127	0xc949	Standard query (0)	watchmepull.dyn. [malformed]	256	339	false
Mar 19, 2025 19:39:26.048824072 CET	192.168.2.14	168.235.111.72	0x39c3	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:36.385445118 CET	192.168.2.14	51.158.108.203	0x2276	Standard query (0)	watchmepull.dyn. [malformed]	256	360	false
Mar 19, 2025 19:39:36.402687073 CET	192.168.2.14	51.158.108.203	0x2276	Standard query (0)	watchmepull.dyn. [malformed]	256	360	false
Mar 19, 2025 19:39:36.426862001 CET	192.168.2.14	51.158.108.203	0x2276	Standard query (0)	watchmepull.dyn. [malformed]	256	360	false
Mar 19, 2025 19:39:36.444638968 CET	192.168.2.14	51.158.108.203	0x2276	Standard query (0)	watchmepull.dyn. [malformed]	256	360	false
Mar 19, 2025 19:39:36.462798119 CET	192.168.2.14	51.158.108.203	0x2276	Standard query (0)	watchmepull.dyn. [malformed]	256	360	false
Mar 19, 2025 19:39:47.107686996 CET	192.168.2.14	194.36.144.87	0xfc3f	Standard query (0)	watchmepull.dyn. [malformed]	256	371	false
Mar 19, 2025 19:39:47.131355047 CET	192.168.2.14	194.36.144.87	0xfc3f	Standard query (0)	watchmepull.dyn. [malformed]	256	371	false
Mar 19, 2025 19:39:47.149408102 CET	192.168.2.14	194.36.144.87	0xfc3f	Standard query (0)	watchmepull.dyn. [malformed]	256	371	false
Mar 19, 2025 19:39:47.173348904 CET	192.168.2.14	194.36.144.87	0xfc3f	Standard query (0)	watchmepull.dyn. [malformed]	256	371	false
Mar 19, 2025 19:39:47.191627026 CET	192.168.2.14	194.36.144.87	0xfc3f	Standard query (0)	watchmepull.dyn. [malformed]	256	371	false
Mar 19, 2025 19:39:57.844835997 CET	192.168.2.14	51.158.108.203	0x86a0	Standard query (0)	ohlookthereismyboats.geek	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:40:08.494820118 CET	192.168.2.14	168.235.111.72	0xc2a9	Standard query (0)	watchmepull.dyn. [malformed]	256	392	false
Mar 19, 2025 19:40:08.587615967 CET	192.168.2.14	168.235.111.72	0xc2a9	Standard query (0)	watchmepull.dyn. [malformed]	256	392	false
Mar 19, 2025 19:40:08.677484989 CET	192.168.2.14	168.235.111.72	0xc2a9	Standard query (0)	watchmepull.dyn. [malformed]	256	392	false
Mar 19, 2025 19:40:08.766668081 CET	192.168.2.14	168.235.111.72	0xc2a9	Standard query (0)	watchmepull.dyn. [malformed]	256	392	false
Mar 19, 2025 19:40:08.855427027 CET	192.168.2.14	168.235.111.72	0xc2a9	Standard query (0)	watchmepull.dyn. [malformed]	256	392	false
Mar 19, 2025 19:40:19.585623026 CET	192.168.2.14	168.235.111.72	0xef9c	Standard query (0)	watchmepull.dyn. [malformed]	256	403	false
Mar 19, 2025 19:40:19.682133913 CET	192.168.2.14	168.235.111.72	0xef9c	Standard query (0)	watchmepull.dyn. [malformed]	256	403	false
Mar 19, 2025 19:40:19.770015001 CET	192.168.2.14	168.235.111.72	0xef9c	Standard query (0)	watchmepull.dyn. [malformed]	256	403	false
Mar 19, 2025 19:40:19.859602928 CET	192.168.2.14	168.235.111.72	0xef9c	Standard query (0)	watchmepull.dyn. [malformed]	256	403	false
Mar 19, 2025 19:40:19.952491045 CET	192.168.2.14	168.235.111.72	0xef9c	Standard query (0)	watchmepull.dyn. [malformed]	256	404	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 19, 2025 19:38:21.790222883 CET	194.36.144.87	192.168.2.14	0xa0cc	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:21.790222883 CET	194.36.144.87	192.168.2.14	0xa0cc	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:21.790222883 CET	194.36.144.87	192.168.2.14	0xa0cc	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:32.050570965 CET	194.36.144.87	192.168.2.14	0xb13f	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:32.050570965 CET	194.36.144.87	192.168.2.14	0xb13f	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:32.050570965 CET	194.36.144.87	192.168.2.14	0xb13f	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:38:53.416292906 CET	152.53.15.127	192.168.2.14	0xa347	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	317	false
Mar 19, 2025 19:38:53.440170050 CET	152.53.15.127	192.168.2.14	0xa347	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	317	false
Mar 19, 2025 19:38:53.458726883 CET	152.53.15.127	192.168.2.14	0xa347	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	317	false
Mar 19, 2025 19:38:53.483477116 CET	152.53.15.127	192.168.2.14	0xa347	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	317	false
Mar 19, 2025 19:38:53.508474112 CET	152.53.15.127	192.168.2.14	0xa347	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	317	false
Mar 19, 2025 19:39:15.330543041 CET	152.53.15.127	192.168.2.14	0xc949	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	339	false
Mar 19, 2025 19:39:15.355366945 CET	152.53.15.127	192.168.2.14	0xc949	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	339	false
Mar 19, 2025 19:39:15.374226093 CET	152.53.15.127	192.168.2.14	0xc949	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	339	false
Mar 19, 2025 19:39:15.398802042 CET	152.53.15.127	192.168.2.14	0xc949	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	339	false
Mar 19, 2025 19:39:15.423724890 CET	152.53.15.127	192.168.2.14	0xc949	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	339	false
Mar 19, 2025 19:39:26.136231899 CET	168.235.111.72	192.168.2.14	0x39c3	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:26.136231899 CET	168.235.111.72	192.168.2.14	0x39c3	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:26.136231899 CET	168.235.111.72	192.168.2.14	0x39c3	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:36.401303053 CET	51.158.108.203	192.168.2.14	0x2276	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	360	false
Mar 19, 2025 19:39:36.425286055 CET	51.158.108.203	192.168.2.14	0x2276	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	360	false
Mar 19, 2025 19:39:36.442989111 CET	51.158.108.203	192.168.2.14	0x2276	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	360	false
Mar 19, 2025 19:39:36.461536884 CET	51.158.108.203	192.168.2.14	0x2276	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	360	false
Mar 19, 2025 19:39:36.478637934 CET	51.158.108.203	192.168.2.14	0x2276	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	360	false
Mar 19, 2025 19:39:47.130049944 CET	194.36.144.87	192.168.2.14	0xfc3f	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	371	false
Mar 19, 2025 19:39:47.148114920 CET	194.36.144.87	192.168.2.14	0xfc3f	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	371	false
Mar 19, 2025 19:39:47.172055006 CET	194.36.144.87	192.168.2.14	0xfc3f	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	371	false
Mar 19, 2025 19:39:47.190377951 CET	194.36.144.87	192.168.2.14	0xfc3f	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	371	false
Mar 19, 2025 19:39:47.208193064 CET	194.36.144.87	192.168.2.14	0xfc3f	Format error (1)	watchmepull.dyn. [malformed]	none	none	256	371	false
Mar 19, 2025 19:39:57.860682964 CET	51.158.108.203	192.168.2.14	0x86a0	No error (0)	ohlookthereismyboats.geek		45.147.251.145	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:57.860682964 CET	51.158.108.203	192.168.2.14	0x86a0	No error (0)	ohlookthereismyboats.geek		104.248.47.182	A (IP address)	IN (0x0001)	false
Mar 19, 2025 19:39:57.860682964 CET	51.158.108.203	192.168.2.14	0x86a0	No error (0)	ohlookthereismyboats.geek		185.220.204.227	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zerspc.elf PID: 5529, Parent PID: 5445

General

Start time (UTC):	18:38:19
Start date (UTC):	19/03/2025
Path:	/tmp/zerspc.elf
Arguments:	/tmp/zerspc.elf
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerspc.elf PID: 5532, Parent PID: 5529

General

Start time (UTC):	18:38:20
Start date (UTC):	19/03/2025
Path:	/tmp/zerspc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Process Activities

Process Forked

Thread Sleep

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: zerspc.elf PID: 5534, Parent PID: 5532

General

Start time (UTC):	18:38:20
Start date (UTC):	19/03/2025
Path:	/tmp/zerspc.elf
Arguments:	-
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerspc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerspc.elf PID: 5529, Parent PID: 5445

General

File Activities

File Opened

File Read

File Moved

Directory Enumerated

Process Activities

Process Forked

Prctl Requested

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: zerspc.elf PID: 5532, Parent PID: 5529

General

Process Activities

Process Forked

Thread Sleep

Linux Analysis Report
zerspc.elf