Edit tour

Linux Analysis Report
zerarm.elf

Overview

General Information

Sample name:	zerarm.elf
Analysis ID:	1604432
MD5:	ac8f3b8f700e1693dba319978fa99989
SHA1:	29e0936130539188a8f8053138dce79eb52e3ffd
SHA256:	49bd7ec5866221a5ca5002470b4582df540c442d90d4654315df58ff16c7888f
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604432
Start date and time:	2025-02-01 14:45:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerarm.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/0@15/0

Runtime Messages

Command:	/tmp/zerarm.elf
PID:	5515
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerarm.elf (PID: 5515, Parent: 5434, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zerarm.elf

zerarm.elf New Fork (PID: 5517, Parent: 5515)

zerarm.elf New Fork (PID: 5519, Parent: 5517)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerarm.elf	Virustotal: Detection: 41%			Perma Link
Source: zerarm.elf	ReversingLabs: Detection: 42%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.14:54694 -> 64.225.86.206:1440
Source: global traffic	TCP traffic: 192.168.2.14:43740 -> 209.38.56.135:1440
Source: global traffic	TCP traffic: 192.168.2.14:37620 -> 209.38.188.134:1440
Source: global traffic	TCP traffic: 192.168.2.14:57054 -> 68.183.244.135:1440
Source: global traffic	TCP traffic: 192.168.2.14:44284 -> 209.38.56.129:1440

Source: /tmp/zerarm.elf (PID: 5515)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203

Source: global traffic	DNS traffic detected: DNS query: serisbot.geek
Source: global traffic	DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic	DNS traffic detected: DNS query: serisbot.geek. [malformed]

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/0@15/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zerarm.elf (PID: 5515)

File: /tmp/zerarm.elf

Jump to behavior

Source: /tmp/zerarm.elf (PID: 5515)

Queries kernel information via 'uname':

Jump to behavior

Source: zerarm.elf, 5515.1.0000563ae4ed0000.0000563ae4ffe000.rw-.sdmp	Binary or memory string: :V!/etc/qemu-binfmt/arm
Source: zerarm.elf, 5515.1.0000563ae4ed0000.0000563ae4ffe000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm.elf, 5515.1.00007ffe9ceef000.00007ffe9cf10000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: zerarm.elf, 5515.1.00007ffe9ceef000.00007ffe9cf10000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zerarm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerarm.elf	41%	Virustotal		Browse
zerarm.elf	42%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
serisontop.dyn	64.225.86.206	true	false	high
serisbot.geek	64.225.86.206	true	false	high
serisbot.geek. [malformed]	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.86.206	serisontop.dyn	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.56.129	unknown	United States	7018	ATT-INTERNET4US	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
209.38.56.135	unknown	United States	7018	ATT-INTERNET4US	false
68.183.244.135	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.188.134	unknown	United States	7018	ATT-INTERNET4US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.125.190.26	arm5.elf	Get hash	malicious	Mirai	Browse
	spc.elf	Get hash	malicious	Mirai	Browse
	yakuza.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	176.65.134.111-boatnet.arm6-2025-02-01T00_59_15.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	i686.elf	Get hash	malicious	Mirai	Browse
	x86_64.elf	Get hash	malicious	Mirai, Okiru	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	hold.x86_64.elf	Get hash	malicious	Okiru	Browse
	hold.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
serisontop.dyn	splppc.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabppc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	splarm.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	nklx86.elf	Get hash	malicious	Unknown	Browse	146.190.204.203
	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	193.143.1.32-arm-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	146.190.204.203
	193.143.1.32-x86-2025-02-01T10_16_50.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	splm68k.elf	Get hash	malicious	Unknown	Browse	154.216.16.250
	nklarm7.elf	Get hash	malicious	Unknown	Browse	154.216.16.244
	splarm7.elf	Get hash	malicious	Unknown	Browse	209.38.192.73
serisbot.geek	nabppc.elf	Get hash	malicious	Unknown	Browse	209.38.188.134

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	splppc.elf	Get hash	malicious	Unknown	Browse	196.53.198.189
	splarm.elf	Get hash	malicious	Unknown	Browse	99.110.125.170
	nklx86.elf	Get hash	malicious	Unknown	Browse	12.170.82.39
	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	12.171.150.17
	193.143.1.32-arm-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	69.234.8.197
	Fantazy.arm7.elf	Get hash	malicious	Mirai	Browse	99.146.205.16
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	76.228.30.231
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	71.136.166.233
	i686.elf	Get hash	malicious	Mirai	Browse	69.150.225.5
	https://princetonmercerregionalchamberofcommerce.growthzoneapp.com/ap/r/ab6a4316cf944142a2bf4308dc59665d	Get hash	malicious	Unknown	Browse	172.170.249.2
CANONICAL-ASGB	Fantazy.arc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	Fantazy.arm6.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	i686.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	aarch64.elf	Get hash	malicious	Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
DIGITALOCEAN-ASNUS	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	138.68.122.136
	https://cn.42mbetx.com/index.php/	Get hash	malicious	Unknown	Browse	139.59.107.226
	https://cn.310manx.com/home/	Get hash	malicious	Unknown	Browse	139.59.107.226
	http://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=s1DYVAfXq0GW6Lk4FvadfsA_WbUNnbROrKLIbauDU1xUNzBDNkg0RFRSSFMwVldFOE42WVc1Wkg3Ty4u	Get hash	malicious	HTMLPhisher	Browse	167.99.8.102
	AWB#_4365052.exe	Get hash	malicious	FormBook	Browse	178.128.48.21
	https://php-omanzinge-adac-allservning20251.codeanyapp.com/cada/web/login.php	Get hash	malicious	Unknown	Browse	198.199.109.95
	https://cn.manbetx22.pro/home/register/	Get hash	malicious	Unknown	Browse	139.59.107.226
	https://seamars.com/home/register/	Get hash	malicious	Unknown	Browse	139.59.107.226
	https://templates.rjuuc.edu.np	Get hash	malicious	Unknown	Browse	167.172.148.114
	http://www.investecprivatebank.co.za	Get hash	malicious	Unknown	Browse	157.245.20.41

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	5.992824015040782
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerarm.elf
File size:	50'408 bytes
MD5:	ac8f3b8f700e1693dba319978fa99989
SHA1:	29e0936130539188a8f8053138dce79eb52e3ffd
SHA256:	49bd7ec5866221a5ca5002470b4582df540c442d90d4654315df58ff16c7888f
SHA512:	5e7786ecc9bce6c1d551ef65b1faf9cfb4365a1e2be160a0e1d43f4eab0b1c3cc469d29d7c713fd2a54641ad3edc5fe7d4b4284a1ec1b129c07272b7b582dba0
SSDEEP:	768:smI7eBNc6DnhnVG9pZESJGYWzdo6wH8rA2/hnm8QbaCN7zle4C1:a7INYpZ9gYEMH8U25m8xF
TLSH:	70330855B8C19A17C5E023BBFA2E419C372523B8E2DF7217CD122F513B8A82F0DA7655
File Content Preview:	.ELF...a..........(.........4...0.......4. ...(.....................(...(...............,...,...,.......(...........Q.td..................................-...L."...............0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	49968
Section Header Size:	40
Number of Section Headers:	11
Header String Table Index:	10

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xb8b0	0x0	0x6	AX	16
.fini	PROGBITS	0x13960	0xb960	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x13974	0xb974	0x7b4	0x0	0x2	A	4
.ctors	PROGBITS	0x1c12c	0xc12c	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1c134	0xc134	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x1c13c	0xc13c	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x1c140	0xc140	0x1ac	0x0	0x3	WA	4
.bss	NOBITS	0x1c2ec	0xc2ec	0x268	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xc2ec	0x43	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xc128	0xc128	6.0234	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xc12c	0x1c12c	0x1c12c	0x1c0	0x428	2.3054	0x6	RW	0x8000	.ctors .dtors .jcr .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 14:46:18.065093040 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:18.069930077 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:18.069988012 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:18.071444035 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:18.076190948 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:18.076234102 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:18.081037045 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:28.081357956 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:28.086239100 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:28.641881943 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:28.642445087 CET	54694	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:46:28.647362947 CET	1440	54694	64.225.86.206	192.168.2.14
Feb 1, 2025 14:46:29.679682016 CET	43740	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:46:29.684505939 CET	1440	43740	209.38.56.135	192.168.2.14
Feb 1, 2025 14:46:29.684588909 CET	43740	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:46:29.685390949 CET	43740	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:46:29.690175056 CET	1440	43740	209.38.56.135	192.168.2.14
Feb 1, 2025 14:46:29.690238953 CET	43740	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:46:29.694969893 CET	1440	43740	209.38.56.135	192.168.2.14
Feb 1, 2025 14:46:29.729242086 CET	46540	443	192.168.2.14	185.125.190.26
Feb 1, 2025 14:46:41.120348930 CET	1440	43740	209.38.56.135	192.168.2.14
Feb 1, 2025 14:46:41.120650053 CET	43740	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:46:41.125437975 CET	1440	43740	209.38.56.135	192.168.2.14
Feb 1, 2025 14:46:42.141747952 CET	37620	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 14:46:42.146541119 CET	1440	37620	209.38.188.134	192.168.2.14
Feb 1, 2025 14:46:42.146657944 CET	37620	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 14:46:42.147908926 CET	37620	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 14:46:42.152663946 CET	1440	37620	209.38.188.134	192.168.2.14
Feb 1, 2025 14:46:42.152754068 CET	37620	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 14:46:42.157557011 CET	1440	37620	209.38.188.134	192.168.2.14
Feb 1, 2025 14:46:52.774765968 CET	1440	37620	209.38.188.134	192.168.2.14
Feb 1, 2025 14:46:52.774983883 CET	37620	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 14:46:52.779867887 CET	1440	37620	209.38.188.134	192.168.2.14
Feb 1, 2025 14:46:53.797326088 CET	57054	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:46:53.802134037 CET	1440	57054	68.183.244.135	192.168.2.14
Feb 1, 2025 14:46:53.802208900 CET	57054	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:46:53.803714037 CET	57054	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:46:53.808465958 CET	1440	57054	68.183.244.135	192.168.2.14
Feb 1, 2025 14:46:53.808527946 CET	57054	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:46:53.813323975 CET	1440	57054	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:00.192250967 CET	46540	443	192.168.2.14	185.125.190.26
Feb 1, 2025 14:47:05.158977032 CET	1440	57054	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:05.159282923 CET	57054	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:05.164097071 CET	1440	57054	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:06.249392986 CET	57056	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:06.254271030 CET	1440	57056	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:06.254352093 CET	57056	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:06.255906105 CET	57056	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:06.260668039 CET	1440	57056	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:06.260720015 CET	57056	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:06.265552998 CET	1440	57056	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:17.580879927 CET	1440	57056	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:17.581149101 CET	57056	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:47:17.585954905 CET	1440	57056	68.183.244.135	192.168.2.14
Feb 1, 2025 14:47:18.607728958 CET	43748	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:18.612601042 CET	1440	43748	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:18.612667084 CET	43748	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:18.613616943 CET	43748	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:18.618424892 CET	1440	43748	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:18.618469954 CET	43748	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:18.623250961 CET	1440	43748	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:30.059027910 CET	1440	43748	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:30.059331894 CET	43748	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:30.066745996 CET	1440	43748	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:31.079977989 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:31.085102081 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:31.085155010 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:31.086370945 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:31.091155052 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:31.091200113 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:31.095983982 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:41.096239090 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:41.101933002 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:41.695564032 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:41.696187973 CET	43750	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 14:47:41.701008081 CET	1440	43750	209.38.56.135	192.168.2.14
Feb 1, 2025 14:47:42.730040073 CET	54708	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:47:42.734914064 CET	1440	54708	64.225.86.206	192.168.2.14
Feb 1, 2025 14:47:42.735007048 CET	54708	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:47:42.736100912 CET	54708	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:47:42.740963936 CET	1440	54708	64.225.86.206	192.168.2.14
Feb 1, 2025 14:47:42.741022110 CET	54708	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:47:42.745793104 CET	1440	54708	64.225.86.206	192.168.2.14
Feb 1, 2025 14:47:54.040636063 CET	1440	54708	64.225.86.206	192.168.2.14
Feb 1, 2025 14:47:54.040828943 CET	54708	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 14:47:54.045577049 CET	1440	54708	64.225.86.206	192.168.2.14
Feb 1, 2025 14:47:55.077584028 CET	44284	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 14:47:55.082340002 CET	1440	44284	209.38.56.129	192.168.2.14
Feb 1, 2025 14:47:55.082432032 CET	44284	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 14:47:55.083507061 CET	44284	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 14:47:55.088291883 CET	1440	44284	209.38.56.129	192.168.2.14
Feb 1, 2025 14:47:55.088350058 CET	44284	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 14:47:55.093064070 CET	1440	44284	209.38.56.129	192.168.2.14
Feb 1, 2025 14:48:06.445494890 CET	1440	44284	209.38.56.129	192.168.2.14
Feb 1, 2025 14:48:06.445708990 CET	44284	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 14:48:06.450930119 CET	1440	44284	209.38.56.129	192.168.2.14
Feb 1, 2025 14:48:07.467370987 CET	57066	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:07.472243071 CET	1440	57066	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:07.472342014 CET	57066	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:07.473321915 CET	57066	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:07.478075027 CET	1440	57066	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:07.478138924 CET	57066	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:07.482907057 CET	1440	57066	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:18.790261030 CET	1440	57066	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:18.790441990 CET	57066	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:18.795401096 CET	1440	57066	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:19.810524940 CET	57068	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:19.816334963 CET	1440	57068	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:19.816427946 CET	57068	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:19.817709923 CET	57068	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:19.822650909 CET	1440	57068	68.183.244.135	192.168.2.14
Feb 1, 2025 14:48:19.822743893 CET	57068	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 14:48:19.827567101 CET	1440	57068	68.183.244.135	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 14:46:18.030462027 CET	53406	53	192.168.2.14	185.181.61.24
Feb 1, 2025 14:46:18.063790083 CET	53	53406	185.181.61.24	192.168.2.14
Feb 1, 2025 14:46:29.645742893 CET	34515	53	192.168.2.14	185.181.61.24
Feb 1, 2025 14:46:29.678843975 CET	53	34515	185.181.61.24	192.168.2.14
Feb 1, 2025 14:46:42.123651028 CET	60900	53	192.168.2.14	152.53.15.127
Feb 1, 2025 14:46:42.140882015 CET	53	60900	152.53.15.127	192.168.2.14
Feb 1, 2025 14:46:53.779098034 CET	33984	53	192.168.2.14	152.53.15.127
Feb 1, 2025 14:46:53.796448946 CET	53	33984	152.53.15.127	192.168.2.14
Feb 1, 2025 14:47:06.163115025 CET	46080	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:06.179338932 CET	53	46080	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:06.181040049 CET	55683	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:06.196772099 CET	53	55683	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:06.198246002 CET	47756	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:06.213969946 CET	53	47756	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:06.215774059 CET	57518	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:06.231679916 CET	53	57518	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:06.233191013 CET	38296	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:06.248483896 CET	53	38296	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:18.584275007 CET	43128	53	192.168.2.14	194.36.144.87
Feb 1, 2025 14:47:18.607060909 CET	53	43128	194.36.144.87	192.168.2.14
Feb 1, 2025 14:47:31.063297987 CET	49653	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:47:31.078865051 CET	53	49653	51.158.108.203	192.168.2.14
Feb 1, 2025 14:47:42.700836897 CET	35673	53	192.168.2.14	81.169.136.222
Feb 1, 2025 14:47:42.728163958 CET	53	35673	81.169.136.222	192.168.2.14
Feb 1, 2025 14:47:55.043235064 CET	45274	53	192.168.2.14	185.181.61.24
Feb 1, 2025 14:47:55.077068090 CET	53	45274	185.181.61.24	192.168.2.14
Feb 1, 2025 14:48:07.448549032 CET	47631	53	192.168.2.14	202.61.197.122
Feb 1, 2025 14:48:07.466658115 CET	53	47631	202.61.197.122	192.168.2.14
Feb 1, 2025 14:48:19.794176102 CET	34501	53	192.168.2.14	51.158.108.203
Feb 1, 2025 14:48:19.809778929 CET	53	34501	51.158.108.203	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 1, 2025 14:46:18.030462027 CET	192.168.2.14	185.181.61.24	0xe26b	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.645742893 CET	192.168.2.14	185.181.61.24	0x6b7d	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.123651028 CET	192.168.2.14	152.53.15.127	0xb18f	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.779098034 CET	192.168.2.14	152.53.15.127	0xb8ef	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:06.163115025 CET	192.168.2.14	51.158.108.203	0x596f	Standard query (0)	serisbot.geek. [malformed]	256	474	false
Feb 1, 2025 14:47:06.181040049 CET	192.168.2.14	51.158.108.203	0x596f	Standard query (0)	serisbot.geek. [malformed]	256	474	false
Feb 1, 2025 14:47:06.198246002 CET	192.168.2.14	51.158.108.203	0x596f	Standard query (0)	serisbot.geek. [malformed]	256	474	false
Feb 1, 2025 14:47:06.215774059 CET	192.168.2.14	51.158.108.203	0x596f	Standard query (0)	serisbot.geek. [malformed]	256	474	false
Feb 1, 2025 14:47:06.233191013 CET	192.168.2.14	51.158.108.203	0x596f	Standard query (0)	serisbot.geek. [malformed]	256	474	false
Feb 1, 2025 14:47:18.584275007 CET	192.168.2.14	194.36.144.87	0x69cb	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.063297987 CET	192.168.2.14	51.158.108.203	0x531c	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.700836897 CET	192.168.2.14	81.169.136.222	0x956b	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.043235064 CET	192.168.2.14	185.181.61.24	0x870c	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.448549032 CET	192.168.2.14	202.61.197.122	0x227a	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.794176102 CET	192.168.2.14	51.158.108.203	0x177a	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:18.063790083 CET	185.181.61.24	192.168.2.14	0xe26b	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:29.678843975 CET	185.181.61.24	192.168.2.14	0x6b7d	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:42.140882015 CET	152.53.15.127	192.168.2.14	0xb18f	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:46:53.796448946 CET	152.53.15.127	192.168.2.14	0xb8ef	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:06.179338932 CET	51.158.108.203	192.168.2.14	0x596f	Format error (1)	serisbot.geek. [malformed]	none	none	256	474	false
Feb 1, 2025 14:47:06.196772099 CET	51.158.108.203	192.168.2.14	0x596f	Format error (1)	serisbot.geek. [malformed]	none	none	256	474	false
Feb 1, 2025 14:47:06.213969946 CET	51.158.108.203	192.168.2.14	0x596f	Format error (1)	serisbot.geek. [malformed]	none	none	256	474	false
Feb 1, 2025 14:47:06.231679916 CET	51.158.108.203	192.168.2.14	0x596f	Format error (1)	serisbot.geek. [malformed]	none	none	256	474	false
Feb 1, 2025 14:47:06.248483896 CET	51.158.108.203	192.168.2.14	0x596f	Format error (1)	serisbot.geek. [malformed]	none	none	256	474	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:18.607060909 CET	194.36.144.87	192.168.2.14	0x69cb	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:31.078865051 CET	51.158.108.203	192.168.2.14	0x531c	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:42.728163958 CET	81.169.136.222	192.168.2.14	0x956b	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:47:55.077068090 CET	185.181.61.24	192.168.2.14	0x870c	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:07.466658115 CET	202.61.197.122	192.168.2.14	0x227a	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 14:48:19.809778929 CET	51.158.108.203	192.168.2.14	0x177a	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zerarm.elf PID: 5515, Parent PID: 5434

General

Start time (UTC):	13:46:16
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm.elf
Arguments:	/tmp/zerarm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zerarm.elf PID: 5517, Parent PID: 5515

General

Start time (UTC):	13:46:16
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zerarm.elf PID: 5519, Parent PID: 5517

General

Start time (UTC):	13:46:16
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerarm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerarm.elf PID: 5515, Parent PID: 5434

General

Chronological Activities

Analysis Process: zerarm.elf PID: 5517, Parent PID: 5515

General

Chronological Activities

Analysis Process: zerarm.elf PID: 5519, Parent PID: 5517

General

Chronological Activities

Linux Analysis Report
zerarm.elf