Edit tour

Linux Analysis Report
zermpsl.elf

Overview

General Information

Sample name:	zermpsl.elf
Analysis ID:	1604468
MD5:	e4faad8308ce38d8b11bb0c80273186b
SHA1:	2975a9de732111199480b910b8450da7be802884
SHA256:	a4f64b48e28ea2c6eecef1e58f77ca86853bb3e26405c0608879fbe42191bae7
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604468
Start date and time:	2025-02-01 15:26:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zermpsl.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/0@27/0

Runtime Messages

Command:	/tmp/zermpsl.elf
PID:	5494
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zermpsl.elf (PID: 5494, Parent: 5411, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/zermpsl.elf

zermpsl.elf New Fork (PID: 5496, Parent: 5494)

zermpsl.elf New Fork (PID: 5498, Parent: 5496)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zermpsl.elf	Virustotal: Detection: 24%			Perma Link
Source: zermpsl.elf	ReversingLabs: Detection: 31%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.14:57048 -> 68.183.244.135:1440
Source: global traffic	TCP traffic: 192.168.2.14:44272 -> 209.38.56.129:1440
Source: global traffic	TCP traffic: 192.168.2.14:43744 -> 209.38.56.135:1440
Source: global traffic	TCP traffic: 192.168.2.14:54704 -> 64.225.86.206:1440
Source: global traffic	TCP traffic: 192.168.2.14:37628 -> 209.38.188.134:1440

Source: /tmp/zermpsl.elf (PID: 5494)

Socket: 127.0.0.1:39148

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.14:46540 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	TCP traffic detected without corresponding DNS query: 185.125.190.26
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 185.181.61.24
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 194.36.144.87
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222

Source: global traffic	DNS traffic detected: DNS query: serisbot.geek
Source: global traffic	DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic	DNS traffic detected: DNS query: serisbot.geek. [malformed]

Source: unknown

Network traffic detected: HTTP traffic on port 46540 -> 443

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/0@27/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zermpsl.elf (PID: 5494)

File: /tmp/zermpsl.elf

Jump to behavior

Source: /tmp/zermpsl.elf (PID: 5494)

Queries kernel information via 'uname':

Jump to behavior

Source: zermpsl.elf, 5494.1.0000562c1385e000.0000562c138e5000.rw-.sdmp	Binary or memory string: ,V!/etc/qemu-binfmt/mipsel
Source: zermpsl.elf, 5494.1.0000562c1385e000.0000562c138e5000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: zermpsl.elf, 5494.1.00007ffebbb61000.00007ffebbb82000.rw-.sdmp	Binary or memory string: ix86_64/usr/bin/qemu-mipsel/tmp/zermpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zermpsl.elf
Source: zermpsl.elf, 5494.1.00007ffebbb61000.00007ffebbb82000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zermpsl.elf	24%	Virustotal		Browse
zermpsl.elf	32%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
serisontop.dyn	146.190.204.203	true	false	high
serisbot.geek	209.38.56.129	true	false	high
serisbot.geek. [malformed]	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.86.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.56.129	serisbot.geek	United States	7018	ATT-INTERNET4US	false
185.125.190.26	unknown	United Kingdom	41231	CANONICAL-ASGB	false
209.38.56.135	unknown	United States	7018	ATT-INTERNET4US	false
68.183.244.135	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.188.134	unknown	United States	7018	ATT-INTERNET4US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
64.225.86.206	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
209.38.56.129	zermips.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
185.125.190.26	zerm68k.elf	Get hash	malicious	Unknown	Browse
	nklarm6.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Mirai	Browse
	spc.elf	Get hash	malicious	Mirai	Browse
	yakuza.x86.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	176.65.134.111-boatnet.arm6-2025-02-01T00_59_15.elf	Get hash	malicious	Mirai	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	i686.elf	Get hash	malicious	Mirai	Browse
209.38.56.135	zermips.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
68.183.244.135	zermips.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
209.38.188.134	zermips.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
serisbot.geek	nabarm.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
serisontop.dyn	nabspc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	nabarm5.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.56.129
	splarm7.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	nabmips.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerm68k.elf	Get hash	malicious	Unknown	Browse	209.38.56.135
	splmips.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.56.135
	nabm68k.elf	Get hash	malicious	Unknown	Browse	209.38.56.129
	jklppc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	nabspc.elf	Get hash	malicious	Unknown	Browse	12.5.172.171
	nabarm5.elf	Get hash	malicious	Unknown	Browse	12.99.237.67
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabarm.elf	Get hash	malicious	Unknown	Browse	63.207.251.13
	splarm7.elf	Get hash	malicious	Unknown	Browse	13.194.189.46
	nabmips.elf	Get hash	malicious	Unknown	Browse	99.117.204.44
	splmips.elf	Get hash	malicious	Unknown	Browse	12.169.146.176
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabm68k.elf	Get hash	malicious	Unknown	Browse	108.195.224.194
	jklppc.elf	Get hash	malicious	Unknown	Browse	76.216.58.25
CANONICAL-ASGB	zerm68k.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerx86.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	nklarm6.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zerppc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	zerarm.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	zersh4.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	Fantazy.arc.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
DIGITALOCEAN-ASNUS	zermips.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerm68k.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerx86.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerarm5.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerspc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerppc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerarm.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zersh4.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	138.68.122.136
	https://cn.42mbetx.com/index.php/	Get hash	malicious	Unknown	Browse	139.59.107.226
ATT-INTERNET4US	nabspc.elf	Get hash	malicious	Unknown	Browse	12.5.172.171
	nabarm5.elf	Get hash	malicious	Unknown	Browse	12.99.237.67
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabarm.elf	Get hash	malicious	Unknown	Browse	63.207.251.13
	splarm7.elf	Get hash	malicious	Unknown	Browse	13.194.189.46
	nabmips.elf	Get hash	malicious	Unknown	Browse	99.117.204.44
	splmips.elf	Get hash	malicious	Unknown	Browse	12.169.146.176
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabm68k.elf	Get hash	malicious	Unknown	Browse	108.195.224.194
	jklppc.elf	Get hash	malicious	Unknown	Browse	76.216.58.25

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.3625389216853705
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zermpsl.elf
File size:	67'692 bytes
MD5:	e4faad8308ce38d8b11bb0c80273186b
SHA1:	2975a9de732111199480b910b8450da7be802884
SHA256:	a4f64b48e28ea2c6eecef1e58f77ca86853bb3e26405c0608879fbe42191bae7
SHA512:	5904613fff4990943c7e200292a429b44abc199d83af16dca9329cfeeb6deb132d489f3819f4bf7affff6280d637e67f084025cb6075dade624cf2214699eb7b
SSDEEP:	768:i79+h7ifbq19xCj3dQ5Qb20g4Kqd5gfevteo1etFKnxJ96Xir/5wMXyZ6:i794izq19Yjm1/4/damt91AFKnHRX1
TLSH:	6863B615BF611FF7DC6BCC374AA91B4528CDA51A21A83B357934D828F24B65F06E38B0
File Content Preview:	.ELF....................`.@.4...........4. ...(...............@...@...........................E...E.....h...........Q.td...............................<L..'!......'.......................<(..'!... .........9'.. ........................<...'!.............9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	67092
Section Header Size:	40
Number of Section Headers:	15
Header String Table Index:	14

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0xf0e0	0x0	0x6	AX	16
.fini	PROGBITS	0x40f200	0xf200	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x40f260	0xf260	0x840	0x0	0x2	A	16
.ctors	PROGBITS	0x450000	0x10000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x450008	0x10008	0x8	0x0	0x3	WA	4
.jcr	PROGBITS	0x450010	0x10010	0x4	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x450014	0x10014	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x450020	0x10020	0x1d0	0x0	0x3	WA	16
.got	PROGBITS	0x4501f0	0x101f0	0x3b8	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x4505a8	0x105a8	0x1c	0x0	0x10000003	WAp	4
.bss	NOBITS	0x4505d0	0x105a8	0x298	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0x72c	0x105a8	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x105a8	0x69	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0xfaa0	0xfaa0	5.4658	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x10000	0x450000	0x450000	0x5a8	0x868	3.5798	0x6	RW	0x10000	.ctors .dtors .jcr .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 15:27:02.030981064 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:02.035800934 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:02.035861969 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:02.038512945 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:02.043338060 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:02.043390036 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:02.048125029 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:11.349020958 CET	46540	443	192.168.2.14	185.125.190.26
Feb 1, 2025 15:27:12.043600082 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:12.207672119 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:12.758054972 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:12.758346081 CET	57048	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:12.763114929 CET	1440	57048	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:13.799985886 CET	57050	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:13.808496952 CET	1440	57050	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:13.808636904 CET	57050	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:13.810182095 CET	57050	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:13.818289995 CET	1440	57050	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:13.818356037 CET	57050	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:13.826778889 CET	1440	57050	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:25.063694000 CET	1440	57050	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:25.064043045 CET	57050	1440	192.168.2.14	68.183.244.135
Feb 1, 2025 15:27:25.068959951 CET	1440	57050	68.183.244.135	192.168.2.14
Feb 1, 2025 15:27:26.160176992 CET	44272	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 15:27:26.165813923 CET	1440	44272	209.38.56.129	192.168.2.14
Feb 1, 2025 15:27:26.165941000 CET	44272	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 15:27:26.167500019 CET	44272	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 15:27:26.173223972 CET	1440	44272	209.38.56.129	192.168.2.14
Feb 1, 2025 15:27:26.173295975 CET	44272	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 15:27:26.178765059 CET	1440	44272	209.38.56.129	192.168.2.14
Feb 1, 2025 15:27:37.604913950 CET	1440	44272	209.38.56.129	192.168.2.14
Feb 1, 2025 15:27:37.605268002 CET	44272	1440	192.168.2.14	209.38.56.129
Feb 1, 2025 15:27:37.610054970 CET	1440	44272	209.38.56.129	192.168.2.14
Feb 1, 2025 15:27:38.644169092 CET	43744	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:38.649561882 CET	1440	43744	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:38.649687052 CET	43744	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:38.650901079 CET	43744	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:38.655690908 CET	1440	43744	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:38.655762911 CET	43744	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:38.660563946 CET	1440	43744	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:42.835666895 CET	46540	443	192.168.2.14	185.125.190.26
Feb 1, 2025 15:27:50.027753115 CET	1440	43744	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:50.028284073 CET	43744	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:50.033613920 CET	1440	43744	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:51.135610104 CET	43746	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:51.141901016 CET	1440	43746	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:51.141988039 CET	43746	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:51.143296003 CET	43746	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:51.148077011 CET	1440	43746	209.38.56.135	192.168.2.14
Feb 1, 2025 15:27:51.148149967 CET	43746	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:27:51.154275894 CET	1440	43746	209.38.56.135	192.168.2.14
Feb 1, 2025 15:28:02.577603102 CET	1440	43746	209.38.56.135	192.168.2.14
Feb 1, 2025 15:28:02.577821016 CET	43746	1440	192.168.2.14	209.38.56.135
Feb 1, 2025 15:28:02.582696915 CET	1440	43746	209.38.56.135	192.168.2.14
Feb 1, 2025 15:28:03.675812006 CET	54704	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 15:28:03.680526018 CET	1440	54704	64.225.86.206	192.168.2.14
Feb 1, 2025 15:28:03.680610895 CET	54704	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 15:28:03.681761026 CET	54704	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 15:28:03.687555075 CET	1440	54704	64.225.86.206	192.168.2.14
Feb 1, 2025 15:28:03.687637091 CET	54704	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 15:28:03.701881886 CET	1440	54704	64.225.86.206	192.168.2.14
Feb 1, 2025 15:28:14.982171059 CET	1440	54704	64.225.86.206	192.168.2.14
Feb 1, 2025 15:28:14.982439995 CET	54704	1440	192.168.2.14	64.225.86.206
Feb 1, 2025 15:28:14.987245083 CET	1440	54704	64.225.86.206	192.168.2.14
Feb 1, 2025 15:28:16.004900932 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:16.009648085 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:16.009696960 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:16.010792971 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:16.015564919 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:16.015609980 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:16.020353079 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:26.018153906 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:26.023010969 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:26.310554981 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:26.310761929 CET	37628	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:26.315566063 CET	1440	37628	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:27.418653965 CET	37630	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:27.423453093 CET	1440	37630	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:27.423573971 CET	37630	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:27.424638033 CET	37630	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:27.429392099 CET	1440	37630	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:27.429491997 CET	37630	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:27.434407949 CET	1440	37630	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:38.095523119 CET	1440	37630	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:38.095899105 CET	37630	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:38.100759983 CET	1440	37630	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:39.124068022 CET	37632	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:39.128859043 CET	1440	37632	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:39.129021883 CET	37632	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:39.130426884 CET	37632	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:39.135185957 CET	1440	37632	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:39.135286093 CET	37632	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:39.140100002 CET	1440	37632	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:49.767494917 CET	1440	37632	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:49.768058062 CET	37632	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:49.772783041 CET	1440	37632	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:50.914407015 CET	37634	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:50.919182062 CET	1440	37634	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:50.919275045 CET	37634	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:50.920553923 CET	37634	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:50.925318003 CET	1440	37634	209.38.188.134	192.168.2.14
Feb 1, 2025 15:28:50.925406933 CET	37634	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:28:50.930222034 CET	1440	37634	209.38.188.134	192.168.2.14
Feb 1, 2025 15:29:01.592752934 CET	1440	37634	209.38.188.134	192.168.2.14
Feb 1, 2025 15:29:01.593172073 CET	37634	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:29:01.597970009 CET	1440	37634	209.38.188.134	192.168.2.14
Feb 1, 2025 15:29:02.739836931 CET	37636	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:29:02.744615078 CET	1440	37636	209.38.188.134	192.168.2.14
Feb 1, 2025 15:29:02.744713068 CET	37636	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:29:02.746103048 CET	37636	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:29:02.750868082 CET	1440	37636	209.38.188.134	192.168.2.14
Feb 1, 2025 15:29:02.750935078 CET	37636	1440	192.168.2.14	209.38.188.134
Feb 1, 2025 15:29:02.755701065 CET	1440	37636	209.38.188.134	192.168.2.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 15:27:01.986232042 CET	35490	53	192.168.2.14	185.181.61.24
Feb 1, 2025 15:27:02.019435883 CET	53	35490	185.181.61.24	192.168.2.14
Feb 1, 2025 15:27:13.762047052 CET	57064	53	192.168.2.14	185.181.61.24
Feb 1, 2025 15:27:13.798823118 CET	53	57064	185.181.61.24	192.168.2.14
Feb 1, 2025 15:27:26.068785906 CET	56986	53	192.168.2.14	168.235.111.72
Feb 1, 2025 15:27:26.158885002 CET	53	56986	168.235.111.72	192.168.2.14
Feb 1, 2025 15:27:38.609684944 CET	54989	53	192.168.2.14	185.181.61.24
Feb 1, 2025 15:27:38.642890930 CET	53	54989	185.181.61.24	192.168.2.14
Feb 1, 2025 15:27:51.031620979 CET	47071	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:27:51.051012039 CET	53	47071	152.53.15.127	192.168.2.14
Feb 1, 2025 15:27:51.052802086 CET	60207	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:27:51.077337027 CET	53	60207	152.53.15.127	192.168.2.14
Feb 1, 2025 15:27:51.078702927 CET	53661	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:27:51.096267939 CET	53	53661	152.53.15.127	192.168.2.14
Feb 1, 2025 15:27:51.097688913 CET	46545	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:27:51.115573883 CET	53	46545	152.53.15.127	192.168.2.14
Feb 1, 2025 15:27:51.116890907 CET	40950	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:27:51.134700060 CET	53	40950	152.53.15.127	192.168.2.14
Feb 1, 2025 15:28:03.581118107 CET	55375	53	192.168.2.14	168.235.111.72
Feb 1, 2025 15:28:03.674789906 CET	53	55375	168.235.111.72	192.168.2.14
Feb 1, 2025 15:28:15.985796928 CET	55542	53	192.168.2.14	202.61.197.122
Feb 1, 2025 15:28:16.004169941 CET	53	55542	202.61.197.122	192.168.2.14
Feb 1, 2025 15:28:27.314268112 CET	47032	53	192.168.2.14	194.36.144.87
Feb 1, 2025 15:28:27.331118107 CET	53	47032	194.36.144.87	192.168.2.14
Feb 1, 2025 15:28:27.332870960 CET	59693	53	192.168.2.14	194.36.144.87
Feb 1, 2025 15:28:27.355633020 CET	53	59693	194.36.144.87	192.168.2.14
Feb 1, 2025 15:28:27.357105970 CET	48483	53	192.168.2.14	194.36.144.87
Feb 1, 2025 15:28:27.373704910 CET	53	48483	194.36.144.87	192.168.2.14
Feb 1, 2025 15:28:27.375358105 CET	45328	53	192.168.2.14	194.36.144.87
Feb 1, 2025 15:28:27.394320011 CET	53	45328	194.36.144.87	192.168.2.14
Feb 1, 2025 15:28:27.395488024 CET	55135	53	192.168.2.14	194.36.144.87
Feb 1, 2025 15:28:27.417992115 CET	53	55135	194.36.144.87	192.168.2.14
Feb 1, 2025 15:28:39.100070953 CET	55828	53	192.168.2.14	152.53.15.127
Feb 1, 2025 15:28:39.122879982 CET	53	55828	152.53.15.127	192.168.2.14
Feb 1, 2025 15:28:50.772068977 CET	44633	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:28:50.799745083 CET	53	44633	81.169.136.222	192.168.2.14
Feb 1, 2025 15:28:50.801724911 CET	38756	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:28:50.828428984 CET	53	38756	81.169.136.222	192.168.2.14
Feb 1, 2025 15:28:50.829710007 CET	38111	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:28:50.856383085 CET	53	38111	81.169.136.222	192.168.2.14
Feb 1, 2025 15:28:50.858068943 CET	56852	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:28:50.884977102 CET	53	56852	81.169.136.222	192.168.2.14
Feb 1, 2025 15:28:50.886782885 CET	49520	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:28:50.913562059 CET	53	49520	81.169.136.222	192.168.2.14
Feb 1, 2025 15:29:02.597315073 CET	54965	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:29:02.624048948 CET	53	54965	81.169.136.222	192.168.2.14
Feb 1, 2025 15:29:02.625696898 CET	55919	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:29:02.652417898 CET	53	55919	81.169.136.222	192.168.2.14
Feb 1, 2025 15:29:02.654252052 CET	43486	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:29:02.681143045 CET	53	43486	81.169.136.222	192.168.2.14
Feb 1, 2025 15:29:02.682899952 CET	39480	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:29:02.710422993 CET	53	39480	81.169.136.222	192.168.2.14
Feb 1, 2025 15:29:02.711951971 CET	42208	53	192.168.2.14	81.169.136.222
Feb 1, 2025 15:29:02.739041090 CET	53	42208	81.169.136.222	192.168.2.14

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 1, 2025 15:27:01.986232042 CET	192.168.2.14	185.181.61.24	0x10e3	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.762047052 CET	192.168.2.14	185.181.61.24	0x7d8a	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.068785906 CET	192.168.2.14	168.235.111.72	0x5acb	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.609684944 CET	192.168.2.14	185.181.61.24	0xb8f0	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:51.031620979 CET	192.168.2.14	152.53.15.127	0xfefd	Standard query (0)	serisbot.geek. [malformed]	256	359	false
Feb 1, 2025 15:27:51.052802086 CET	192.168.2.14	152.53.15.127	0xfefd	Standard query (0)	serisbot.geek. [malformed]	256	359	false
Feb 1, 2025 15:27:51.078702927 CET	192.168.2.14	152.53.15.127	0xfefd	Standard query (0)	serisbot.geek. [malformed]	256	359	false
Feb 1, 2025 15:27:51.097688913 CET	192.168.2.14	152.53.15.127	0xfefd	Standard query (0)	serisbot.geek. [malformed]	256	359	false
Feb 1, 2025 15:27:51.116890907 CET	192.168.2.14	152.53.15.127	0xfefd	Standard query (0)	serisbot.geek. [malformed]	256	359	false
Feb 1, 2025 15:28:03.581118107 CET	192.168.2.14	168.235.111.72	0x5b8e	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:15.985796928 CET	192.168.2.14	202.61.197.122	0xffad	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:27.314268112 CET	192.168.2.14	194.36.144.87	0x550a	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 1, 2025 15:28:27.332870960 CET	192.168.2.14	194.36.144.87	0x550a	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 1, 2025 15:28:27.357105970 CET	192.168.2.14	194.36.144.87	0x550a	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 1, 2025 15:28:27.375358105 CET	192.168.2.14	194.36.144.87	0x550a	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 1, 2025 15:28:27.395488024 CET	192.168.2.14	194.36.144.87	0x550a	Standard query (0)	serisbot.geek. [malformed]	256	395	false
Feb 1, 2025 15:28:39.100070953 CET	192.168.2.14	152.53.15.127	0x485e	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:50.772068977 CET	192.168.2.14	81.169.136.222	0x4c0a	Standard query (0)	serisbot.geek. [malformed]	256	418	false
Feb 1, 2025 15:28:50.801724911 CET	192.168.2.14	81.169.136.222	0x4c0a	Standard query (0)	serisbot.geek. [malformed]	256	418	false
Feb 1, 2025 15:28:50.829710007 CET	192.168.2.14	81.169.136.222	0x4c0a	Standard query (0)	serisbot.geek. [malformed]	256	418	false
Feb 1, 2025 15:28:50.858068943 CET	192.168.2.14	81.169.136.222	0x4c0a	Standard query (0)	serisbot.geek. [malformed]	256	418	false
Feb 1, 2025 15:28:50.886782885 CET	192.168.2.14	81.169.136.222	0x4c0a	Standard query (0)	serisbot.geek. [malformed]	256	418	false
Feb 1, 2025 15:29:02.597315073 CET	192.168.2.14	81.169.136.222	0x7fd1	Standard query (0)	serisbot.geek. [malformed]	256	430	false
Feb 1, 2025 15:29:02.625696898 CET	192.168.2.14	81.169.136.222	0x7fd1	Standard query (0)	serisbot.geek. [malformed]	256	430	false
Feb 1, 2025 15:29:02.654252052 CET	192.168.2.14	81.169.136.222	0x7fd1	Standard query (0)	serisbot.geek. [malformed]	256	430	false
Feb 1, 2025 15:29:02.682899952 CET	192.168.2.14	81.169.136.222	0x7fd1	Standard query (0)	serisbot.geek. [malformed]	256	430	false
Feb 1, 2025 15:29:02.711951971 CET	192.168.2.14	81.169.136.222	0x7fd1	Standard query (0)	serisbot.geek. [malformed]	256	430	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:02.019435883 CET	185.181.61.24	192.168.2.14	0x10e3	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:13.798823118 CET	185.181.61.24	192.168.2.14	0x7d8a	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:26.158885002 CET	168.235.111.72	192.168.2.14	0x5acb	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:38.642890930 CET	185.181.61.24	192.168.2.14	0xb8f0	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:27:51.051012039 CET	152.53.15.127	192.168.2.14	0xfefd	Format error (1)	serisbot.geek. [malformed]	none	none	256	359	false
Feb 1, 2025 15:27:51.077337027 CET	152.53.15.127	192.168.2.14	0xfefd	Format error (1)	serisbot.geek. [malformed]	none	none	256	359	false
Feb 1, 2025 15:27:51.096267939 CET	152.53.15.127	192.168.2.14	0xfefd	Format error (1)	serisbot.geek. [malformed]	none	none	256	359	false
Feb 1, 2025 15:27:51.115573883 CET	152.53.15.127	192.168.2.14	0xfefd	Format error (1)	serisbot.geek. [malformed]	none	none	256	359	false
Feb 1, 2025 15:27:51.134700060 CET	152.53.15.127	192.168.2.14	0xfefd	Format error (1)	serisbot.geek. [malformed]	none	none	256	359	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:03.674789906 CET	168.235.111.72	192.168.2.14	0x5b8e	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:16.004169941 CET	202.61.197.122	192.168.2.14	0xffad	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:27.331118107 CET	194.36.144.87	192.168.2.14	0x550a	Format error (1)	serisbot.geek. [malformed]	none	none	256	395	false
Feb 1, 2025 15:28:27.355633020 CET	194.36.144.87	192.168.2.14	0x550a	Format error (1)	serisbot.geek. [malformed]	none	none	256	395	false
Feb 1, 2025 15:28:27.373704910 CET	194.36.144.87	192.168.2.14	0x550a	Format error (1)	serisbot.geek. [malformed]	none	none	256	395	false
Feb 1, 2025 15:28:27.394320011 CET	194.36.144.87	192.168.2.14	0x550a	Format error (1)	serisbot.geek. [malformed]	none	none	256	395	false
Feb 1, 2025 15:28:27.417992115 CET	194.36.144.87	192.168.2.14	0x550a	Format error (1)	serisbot.geek. [malformed]	none	none	256	395	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:39.122879982 CET	152.53.15.127	192.168.2.14	0x485e	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zermpsl.elf PID: 5494, Parent PID: 5411

General

Start time (UTC):	14:27:00
Start date (UTC):	01/02/2025
Path:	/tmp/zermpsl.elf
Arguments:	/tmp/zermpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: zermpsl.elf PID: 5496, Parent PID: 5494

General

Start time (UTC):	14:27:00
Start date (UTC):	01/02/2025
Path:	/tmp/zermpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: zermpsl.elf PID: 5498, Parent PID: 5496

General

Start time (UTC):	14:27:00
Start date (UTC):	01/02/2025
Path:	/tmp/zermpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zermpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zermpsl.elf PID: 5494, Parent PID: 5411

General

Chronological Activities

Analysis Process: zermpsl.elf PID: 5496, Parent PID: 5494

General

Chronological Activities

Analysis Process: zermpsl.elf PID: 5498, Parent PID: 5496

General

Chronological Activities

Linux Analysis Report
zermpsl.elf