Edit tour

Linux Analysis Report
zerarm7.elf

Overview

General Information

Sample name:	zerarm7.elf
Analysis ID:	1604470
MD5:	4c0725b09a3315b154f27659636ec08a
SHA1:	0af8abf486fb04a3cc300c83449de61d98c775b1
SHA256:	a6c59e3347982e3f37b9785910af1e6879f24ae91c7461043d86308651a0e16f
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Sample deletes itself

Sends malformed DNS queries

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604470
Start date and time:	2025-02-01 15:27:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	zerarm7.elf
Detection:	MAL
Classification:	mal56.troj.evad.linELF@0/0@35/0

Runtime Messages

Command:	/tmp/zerarm7.elf
PID:	5543
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	gosh that chinese family at the other table sure ate a lot
Standard Error:

Process Tree

system is lnxubuntu20

zerarm7.elf (PID: 5543, Parent: 5463, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/zerarm7.elf

zerarm7.elf New Fork (PID: 5545, Parent: 5543)

zerarm7.elf New Fork (PID: 5547, Parent: 5545)

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: zerarm7.elf	Virustotal: Detection: 25%			Perma Link
Source: zerarm7.elf	ReversingLabs: Detection: 34%

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: serisbot.geek. [malformed]

Source: global traffic	TCP traffic: 192.168.2.15:52394 -> 64.225.86.206:1440
Source: global traffic	TCP traffic: 192.168.2.15:60646 -> 209.38.188.134:1440
Source: global traffic	TCP traffic: 192.168.2.15:52378 -> 68.183.244.135:1440
Source: global traffic	TCP traffic: 192.168.2.15:41458 -> 209.38.56.135:1440

Source: /tmp/zerarm7.elf (PID: 5543)

Socket: 127.0.0.1:39148

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 81.169.136.222
Source: unknown	UDP traffic detected without corresponding DNS query: 168.235.111.72
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 152.53.15.127
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 202.61.197.122
Source: unknown	UDP traffic detected without corresponding DNS query: 51.158.108.203

Source: global traffic	DNS traffic detected: DNS query: serisbot.geek
Source: global traffic	DNS traffic detected: DNS query: serisontop.dyn
Source: global traffic	DNS traffic detected: DNS query: serisbot.geek. [malformed]

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal56.troj.evad.linELF@0/0@35/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/zerarm7.elf (PID: 5543)

File: /tmp/zerarm7.elf

Jump to behavior

Source: /tmp/zerarm7.elf (PID: 5543)

Queries kernel information via 'uname':

Jump to behavior

Source: zerarm7.elf, 5543.1.000056199e71b000.000056199e86b000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: zerarm7.elf, 5543.1.000056199e71b000.000056199e86b000.rw-.sdmp	Binary or memory string: V!/etc/qemu-binfmt/arm
Source: zerarm7.elf, 5543.1.00007ffff62ae000.00007ffff62cf000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: zerarm7.elf, 5543.1.00007ffff62ae000.00007ffff62cf000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/zerarm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/zerarm7.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 File Deletion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
zerarm7.elf	26%	Virustotal		Browse
zerarm7.elf	34%	ReversingLabs	Linux.Backdoor.Mirai

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
serisontop.dyn	209.38.188.134	true	false	high
serisbot.geek	146.190.204.203	true	false	high
serisbot.geek. [malformed]	unknown	unknown	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.86.206	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.56.135	unknown	United States	7018	ATT-INTERNET4US	false
68.183.244.135	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
209.38.188.134	serisontop.dyn	United States	7018	ATT-INTERNET4US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
64.225.86.206	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
209.38.56.135	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
68.183.244.135	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zerm68k.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse
209.38.188.134	zermpsl.elf	Get hash	malicious	Unknown	Browse
	zermips.elf	Get hash	malicious	Unknown	Browse
	zerx86.elf	Get hash	malicious	Unknown	Browse
	zerarm5.elf	Get hash	malicious	Unknown	Browse
	zerspc.elf	Get hash	malicious	Unknown	Browse
	zerppc.elf	Get hash	malicious	Unknown	Browse
	zerarm.elf	Get hash	malicious	Unknown	Browse
	zersh4.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
serisbot.geek	nabarm.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
serisontop.dyn	nklarm.elf	Get hash	malicious	Unknown	Browse	209.38.56.129
	zermpsl.elf	Get hash	malicious	Unknown	Browse	146.190.204.203
	nabspc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	nabarm5.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.56.129
	splarm7.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	nabmips.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerm68k.elf	Get hash	malicious	Unknown	Browse	209.38.56.135
	splmips.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.56.135

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DIGITALOCEAN-ASNUS	zermpsl.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zermips.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerm68k.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerx86.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerarm5.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerspc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerppc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerarm.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zersh4.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	138.68.122.136
DIGITALOCEAN-ASNUS	zermpsl.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zermips.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerm68k.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerx86.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerarm5.elf	Get hash	malicious	Unknown	Browse	64.225.86.206
	zerspc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerppc.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zerarm.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	zersh4.elf	Get hash	malicious	Unknown	Browse	68.183.244.135
	193.143.1.32-mips-2025-02-01T10_01_48.elf	Get hash	malicious	Unknown	Browse	138.68.122.136
ATT-INTERNET4US	nklarm.elf	Get hash	malicious	Unknown	Browse	99.6.50.217
	zermpsl.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabspc.elf	Get hash	malicious	Unknown	Browse	12.5.172.171
	nabarm5.elf	Get hash	malicious	Unknown	Browse	12.99.237.67
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabarm.elf	Get hash	malicious	Unknown	Browse	63.207.251.13
	splarm7.elf	Get hash	malicious	Unknown	Browse	13.194.189.46
	nabmips.elf	Get hash	malicious	Unknown	Browse	99.117.204.44
	splmips.elf	Get hash	malicious	Unknown	Browse	12.169.146.176
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
ATT-INTERNET4US	nklarm.elf	Get hash	malicious	Unknown	Browse	99.6.50.217
	zermpsl.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabspc.elf	Get hash	malicious	Unknown	Browse	12.5.172.171
	nabarm5.elf	Get hash	malicious	Unknown	Browse	12.99.237.67
	zermips.elf	Get hash	malicious	Unknown	Browse	209.38.188.134
	nabarm.elf	Get hash	malicious	Unknown	Browse	63.207.251.13
	splarm7.elf	Get hash	malicious	Unknown	Browse	13.194.189.46
	nabmips.elf	Get hash	malicious	Unknown	Browse	99.117.204.44
	splmips.elf	Get hash	malicious	Unknown	Browse	12.169.146.176
	zerx86.elf	Get hash	malicious	Unknown	Browse	209.38.188.134

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.0058678912543355
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	zerarm7.elf
File size:	73'348 bytes
MD5:	4c0725b09a3315b154f27659636ec08a
SHA1:	0af8abf486fb04a3cc300c83449de61d98c775b1
SHA256:	a6c59e3347982e3f37b9785910af1e6879f24ae91c7461043d86308651a0e16f
SHA512:	fd2832b55375ff5091285e9bfc4e8c8478d8028fd40e8f14d6a053ad5bbeb511eead925aea19b33cdda0a851a1b444fd01b42eede96ce1ccc715eff1e4d17c2e
SSDEEP:	1536:FQnTL3+lI/A0hBZN86OrhSW1DXMHODMxC6yPimg979l9aigHwJfR5:U+q/pZFuJxXMuDMxC6yPimQWwJ5
TLSH:	3563F649F8819F01D5E822BAFA1E118D332367A8E3EF7212DD115B1577CA92F0E77912
File Content Preview:	.ELF..............(.........4...........4. ...(........p............................................................................X...T2..........................................Q.td..................................-...L..................@-.,@...0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8194
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	72668
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	16

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	4
.text	PROGBITS	0x80f0	0xf0	0x10e58	0x0	0x6	AX	0	16
.fini	PROGBITS	0x18f48	0x10f48	0x10	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x18f58	0x10f58	0x85c	0x0	0x2	A	0	4
.ARM.extab	PROGBITS	0x197b4	0x117b4	0x18	0x0	0x2	A	0	4
.ARM.exidx	ARM_EXIDX	0x197cc	0x117cc	0x118	0x0	0x82	AL	2	4
.eh_frame	PROGBITS	0x218e4	0x118e4	0x4	0x0	0x3	WA	0	4
.tbss	NOBITS	0x218e8	0x118e8	0x8	0x0	0x403	WAT	0	4
.init_array	INIT_ARRAY	0x218e8	0x118e8	0x4	0x0	0x3	WA	0	4
.fini_array	FINI_ARRAY	0x218ec	0x118ec	0x4	0x0	0x3	WA	0	4
.jcr	PROGBITS	0x218f0	0x118f0	0x4	0x0	0x3	WA	0	4
.got	PROGBITS	0x218f4	0x118f4	0xa8	0x4	0x3	WA	0	4
.data	PROGBITS	0x2199c	0x1199c	0x1a0	0x0	0x3	WA	0	4
.bss	NOBITS	0x21b3c	0x11b3c	0x2ffc	0x0	0x3	WA	0	4
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x11b3c	0x16	0x0	0x0		0	1
.shstrtab	STRTAB	0x0	0x11b52	0x88	0x0	0x0		0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x117cc	0x197cc	0x197cc	0x118	0x118	4.3641	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x118e4	0x118e4	6.0266	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x118e4	0x218e4	0x218e4	0x258	0x3254	3.5497	0x6	RW	0x8000	.eh_frame .tbss .init_array .fini_array .jcr .got .data .bss
TLS	0x118e8	0x218e8	0x218e8	0x0	0x8	0.0000	0x4	R	0x4	.tbss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 15:28:32.129586935 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:32.134476900 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:32.134543896 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:32.148147106 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:32.153383970 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:32.153435946 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:32.158684969 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:42.158323050 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:42.163157940 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:42.753982067 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:42.754518032 CET	52394	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:42.759295940 CET	1440	52394	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:43.774576902 CET	52396	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:43.779473066 CET	1440	52396	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:43.779553890 CET	52396	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:43.780776978 CET	52396	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:43.785542011 CET	1440	52396	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:43.785604954 CET	52396	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:43.790391922 CET	1440	52396	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:55.083873987 CET	1440	52396	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:55.084315062 CET	52396	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:55.089063883 CET	1440	52396	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:56.172776937 CET	52398	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:56.177582979 CET	1440	52398	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:56.177664995 CET	52398	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:56.179147959 CET	52398	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:56.183967113 CET	1440	52398	64.225.86.206	192.168.2.15
Feb 1, 2025 15:28:56.184040070 CET	52398	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:28:56.188838959 CET	1440	52398	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:07.449331045 CET	1440	52398	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:07.449547052 CET	52398	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:07.454305887 CET	1440	52398	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:08.598670006 CET	52400	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:08.605087996 CET	1440	52400	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:08.605158091 CET	52400	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:08.606168985 CET	52400	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:08.611022949 CET	1440	52400	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:08.611092091 CET	52400	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:08.615883112 CET	1440	52400	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:19.886787891 CET	1440	52400	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:19.886944056 CET	52400	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:19.891843081 CET	1440	52400	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:20.998064041 CET	52402	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:21.002938986 CET	1440	52402	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:21.003026962 CET	52402	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:21.004347086 CET	52402	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:21.009098053 CET	1440	52402	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:21.009160995 CET	52402	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:21.013926029 CET	1440	52402	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:32.284719944 CET	1440	52402	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:32.285098076 CET	52402	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:32.289975882 CET	1440	52402	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:33.385010004 CET	52404	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:33.389856100 CET	1440	52404	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:33.389966965 CET	52404	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:33.391524076 CET	52404	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:33.396365881 CET	1440	52404	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:33.396451950 CET	52404	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:33.401349068 CET	1440	52404	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:44.693921089 CET	1440	52404	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:44.694339991 CET	52404	1440	192.168.2.15	64.225.86.206
Feb 1, 2025 15:29:44.699645996 CET	1440	52404	64.225.86.206	192.168.2.15
Feb 1, 2025 15:29:45.726886034 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:45.731822014 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:45.731914997 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:45.733474016 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:45.738840103 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:45.738910913 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:45.744452000 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:55.743400097 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:55.748212099 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:56.047173023 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:56.047458887 CET	60646	1440	192.168.2.15	209.38.188.134
Feb 1, 2025 15:29:56.052293062 CET	1440	60646	209.38.188.134	192.168.2.15
Feb 1, 2025 15:29:57.151717901 CET	52378	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:29:57.156528950 CET	1440	52378	68.183.244.135	192.168.2.15
Feb 1, 2025 15:29:57.156594992 CET	52378	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:29:57.157671928 CET	52378	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:29:57.162461996 CET	1440	52378	68.183.244.135	192.168.2.15
Feb 1, 2025 15:29:57.162616968 CET	52378	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:29:57.167434931 CET	1440	52378	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:08.460536957 CET	1440	52378	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:08.461105108 CET	52378	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:08.465939999 CET	1440	52378	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:09.563294888 CET	52380	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:09.568176031 CET	1440	52380	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:09.568247080 CET	52380	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:09.569447041 CET	52380	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:09.574421883 CET	1440	52380	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:09.574484110 CET	52380	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:09.579360008 CET	1440	52380	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:20.881844997 CET	1440	52380	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:20.882190943 CET	52380	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:20.887001038 CET	1440	52380	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:21.983275890 CET	52382	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:21.988101006 CET	1440	52382	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:21.988204002 CET	52382	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:21.989614964 CET	52382	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:21.994409084 CET	1440	52382	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:21.994489908 CET	52382	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:21.999552011 CET	1440	52382	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:33.299130917 CET	1440	52382	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:33.299329996 CET	52382	1440	192.168.2.15	68.183.244.135
Feb 1, 2025 15:30:33.304064989 CET	1440	52382	68.183.244.135	192.168.2.15
Feb 1, 2025 15:30:34.318978071 CET	41458	1440	192.168.2.15	209.38.56.135
Feb 1, 2025 15:30:34.323735952 CET	1440	41458	209.38.56.135	192.168.2.15
Feb 1, 2025 15:30:34.323837996 CET	41458	1440	192.168.2.15	209.38.56.135
Feb 1, 2025 15:30:34.325052977 CET	41458	1440	192.168.2.15	209.38.56.135
Feb 1, 2025 15:30:34.329850912 CET	1440	41458	209.38.56.135	192.168.2.15
Feb 1, 2025 15:30:34.329915047 CET	41458	1440	192.168.2.15	209.38.56.135
Feb 1, 2025 15:30:34.334664106 CET	1440	41458	209.38.56.135	192.168.2.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 1, 2025 15:28:32.097846985 CET	60405	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:28:32.121702909 CET	53	60405	152.53.15.127	192.168.2.15
Feb 1, 2025 15:28:43.758102894 CET	55188	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:43.773480892 CET	53	55188	51.158.108.203	192.168.2.15
Feb 1, 2025 15:28:56.088026047 CET	37358	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:56.103507996 CET	53	37358	51.158.108.203	192.168.2.15
Feb 1, 2025 15:28:56.105262041 CET	52716	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:56.120820999 CET	53	52716	51.158.108.203	192.168.2.15
Feb 1, 2025 15:28:56.122461081 CET	46090	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:56.138174057 CET	53	46090	51.158.108.203	192.168.2.15
Feb 1, 2025 15:28:56.139682055 CET	43163	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:56.154967070 CET	53	43163	51.158.108.203	192.168.2.15
Feb 1, 2025 15:28:56.156546116 CET	35023	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:28:56.171973944 CET	53	35023	51.158.108.203	192.168.2.15
Feb 1, 2025 15:29:08.453222990 CET	54437	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:08.480247974 CET	53	54437	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:08.481543064 CET	51439	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:08.509358883 CET	53	51439	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:08.510346889 CET	40730	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:08.537468910 CET	53	40730	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:08.538923025 CET	54004	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:08.570101023 CET	53	54004	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:08.571382999 CET	37316	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:08.598180056 CET	53	37316	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:20.890815020 CET	39099	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:29:20.907995939 CET	53	39099	152.53.15.127	192.168.2.15
Feb 1, 2025 15:29:20.909625053 CET	52632	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:29:20.932605982 CET	53	52632	152.53.15.127	192.168.2.15
Feb 1, 2025 15:29:20.934161901 CET	60074	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:29:20.951773882 CET	53	60074	152.53.15.127	192.168.2.15
Feb 1, 2025 15:29:20.953226089 CET	55485	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:29:20.970640898 CET	53	55485	152.53.15.127	192.168.2.15
Feb 1, 2025 15:29:20.974448919 CET	40268	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:29:20.997368097 CET	53	40268	152.53.15.127	192.168.2.15
Feb 1, 2025 15:29:33.289498091 CET	48499	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:29:33.307593107 CET	53	48499	202.61.197.122	192.168.2.15
Feb 1, 2025 15:29:33.309370041 CET	33922	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:29:33.326736927 CET	53	33922	202.61.197.122	192.168.2.15
Feb 1, 2025 15:29:33.328321934 CET	60047	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:29:33.345752954 CET	53	60047	202.61.197.122	192.168.2.15
Feb 1, 2025 15:29:33.347362995 CET	57815	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:29:33.364835978 CET	53	57815	202.61.197.122	192.168.2.15
Feb 1, 2025 15:29:33.366416931 CET	42680	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:29:33.384100914 CET	53	42680	202.61.197.122	192.168.2.15
Feb 1, 2025 15:29:45.698635101 CET	55413	53	192.168.2.15	81.169.136.222
Feb 1, 2025 15:29:45.725588083 CET	53	55413	81.169.136.222	192.168.2.15
Feb 1, 2025 15:29:57.050744057 CET	58363	53	192.168.2.15	168.235.111.72
Feb 1, 2025 15:29:57.150949955 CET	53	58363	168.235.111.72	192.168.2.15
Feb 1, 2025 15:30:09.464802027 CET	38136	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:30:09.481904984 CET	53	38136	152.53.15.127	192.168.2.15
Feb 1, 2025 15:30:09.483668089 CET	47882	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:30:09.500952959 CET	53	47882	152.53.15.127	192.168.2.15
Feb 1, 2025 15:30:09.502429008 CET	44349	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:30:09.519433022 CET	53	44349	152.53.15.127	192.168.2.15
Feb 1, 2025 15:30:09.521150112 CET	46663	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:30:09.544128895 CET	53	46663	152.53.15.127	192.168.2.15
Feb 1, 2025 15:30:09.545376062 CET	41363	53	192.168.2.15	152.53.15.127
Feb 1, 2025 15:30:09.562578917 CET	53	41363	152.53.15.127	192.168.2.15
Feb 1, 2025 15:30:21.885735989 CET	48007	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:30:21.903232098 CET	53	48007	202.61.197.122	192.168.2.15
Feb 1, 2025 15:30:21.904786110 CET	54868	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:30:21.922353029 CET	53	54868	202.61.197.122	192.168.2.15
Feb 1, 2025 15:30:21.923885107 CET	60908	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:30:21.941312075 CET	53	60908	202.61.197.122	192.168.2.15
Feb 1, 2025 15:30:21.942924023 CET	40004	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:30:21.962903976 CET	53	40004	202.61.197.122	192.168.2.15
Feb 1, 2025 15:30:21.964346886 CET	46204	53	192.168.2.15	202.61.197.122
Feb 1, 2025 15:30:21.982441902 CET	53	46204	202.61.197.122	192.168.2.15
Feb 1, 2025 15:30:34.302346945 CET	54553	53	192.168.2.15	51.158.108.203
Feb 1, 2025 15:30:34.318108082 CET	53	54553	51.158.108.203	192.168.2.15

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 1, 2025 15:28:32.097846985 CET	192.168.2.15	152.53.15.127	0x2a05	Standard query (0)	serisbot.geek	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.758102894 CET	192.168.2.15	51.158.108.203	0x42cb	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:56.088026047 CET	192.168.2.15	51.158.108.203	0xe1bc	Standard query (0)	serisbot.geek. [malformed]	256	424	false
Feb 1, 2025 15:28:56.105262041 CET	192.168.2.15	51.158.108.203	0xe1bc	Standard query (0)	serisbot.geek. [malformed]	256	424	false
Feb 1, 2025 15:28:56.122461081 CET	192.168.2.15	51.158.108.203	0xe1bc	Standard query (0)	serisbot.geek. [malformed]	256	424	false
Feb 1, 2025 15:28:56.139682055 CET	192.168.2.15	51.158.108.203	0xe1bc	Standard query (0)	serisbot.geek. [malformed]	256	424	false
Feb 1, 2025 15:28:56.156546116 CET	192.168.2.15	51.158.108.203	0xe1bc	Standard query (0)	serisbot.geek. [malformed]	256	424	false
Feb 1, 2025 15:29:08.453222990 CET	192.168.2.15	81.169.136.222	0xcc9a	Standard query (0)	serisbot.geek. [malformed]	256	436	false
Feb 1, 2025 15:29:08.481543064 CET	192.168.2.15	81.169.136.222	0xcc9a	Standard query (0)	serisbot.geek. [malformed]	256	436	false
Feb 1, 2025 15:29:08.510346889 CET	192.168.2.15	81.169.136.222	0xcc9a	Standard query (0)	serisbot.geek. [malformed]	256	436	false
Feb 1, 2025 15:29:08.538923025 CET	192.168.2.15	81.169.136.222	0xcc9a	Standard query (0)	serisbot.geek. [malformed]	256	436	false
Feb 1, 2025 15:29:08.571382999 CET	192.168.2.15	81.169.136.222	0xcc9a	Standard query (0)	serisbot.geek. [malformed]	256	436	false
Feb 1, 2025 15:29:20.890815020 CET	192.168.2.15	152.53.15.127	0x811d	Standard query (0)	serisbot.geek. [malformed]	256	448	false
Feb 1, 2025 15:29:20.909625053 CET	192.168.2.15	152.53.15.127	0x811d	Standard query (0)	serisbot.geek. [malformed]	256	448	false
Feb 1, 2025 15:29:20.934161901 CET	192.168.2.15	152.53.15.127	0x811d	Standard query (0)	serisbot.geek. [malformed]	256	448	false
Feb 1, 2025 15:29:20.953226089 CET	192.168.2.15	152.53.15.127	0x811d	Standard query (0)	serisbot.geek. [malformed]	256	448	false
Feb 1, 2025 15:29:20.974448919 CET	192.168.2.15	152.53.15.127	0x811d	Standard query (0)	serisbot.geek. [malformed]	256	448	false
Feb 1, 2025 15:29:33.289498091 CET	192.168.2.15	202.61.197.122	0x4a6c	Standard query (0)	serisbot.geek. [malformed]	256	461	false
Feb 1, 2025 15:29:33.309370041 CET	192.168.2.15	202.61.197.122	0x4a6c	Standard query (0)	serisbot.geek. [malformed]	256	461	false
Feb 1, 2025 15:29:33.328321934 CET	192.168.2.15	202.61.197.122	0x4a6c	Standard query (0)	serisbot.geek. [malformed]	256	461	false
Feb 1, 2025 15:29:33.347362995 CET	192.168.2.15	202.61.197.122	0x4a6c	Standard query (0)	serisbot.geek. [malformed]	256	461	false
Feb 1, 2025 15:29:33.366416931 CET	192.168.2.15	202.61.197.122	0x4a6c	Standard query (0)	serisbot.geek. [malformed]	256	461	false
Feb 1, 2025 15:29:45.698635101 CET	192.168.2.15	81.169.136.222	0xd446	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.050744057 CET	192.168.2.15	168.235.111.72	0x33e1	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:09.464802027 CET	192.168.2.15	152.53.15.127	0xc248	Standard query (0)	serisbot.geek. [malformed]	256	497	false
Feb 1, 2025 15:30:09.483668089 CET	192.168.2.15	152.53.15.127	0xc248	Standard query (0)	serisbot.geek. [malformed]	256	497	false
Feb 1, 2025 15:30:09.502429008 CET	192.168.2.15	152.53.15.127	0xc248	Standard query (0)	serisbot.geek. [malformed]	256	497	false
Feb 1, 2025 15:30:09.521150112 CET	192.168.2.15	152.53.15.127	0xc248	Standard query (0)	serisbot.geek. [malformed]	256	497	false
Feb 1, 2025 15:30:09.545376062 CET	192.168.2.15	152.53.15.127	0xc248	Standard query (0)	serisbot.geek. [malformed]	256	497	false
Feb 1, 2025 15:30:21.885735989 CET	192.168.2.15	202.61.197.122	0xf963	Standard query (0)	serisbot.geek. [malformed]	256	509	false
Feb 1, 2025 15:30:21.904786110 CET	192.168.2.15	202.61.197.122	0xf963	Standard query (0)	serisbot.geek. [malformed]	256	509	false
Feb 1, 2025 15:30:21.923885107 CET	192.168.2.15	202.61.197.122	0xf963	Standard query (0)	serisbot.geek. [malformed]	256	509	false
Feb 1, 2025 15:30:21.942924023 CET	192.168.2.15	202.61.197.122	0xf963	Standard query (0)	serisbot.geek. [malformed]	256	509	false
Feb 1, 2025 15:30:21.964346886 CET	192.168.2.15	202.61.197.122	0xf963	Standard query (0)	serisbot.geek. [malformed]	256	509	false
Feb 1, 2025 15:30:34.302346945 CET	192.168.2.15	51.158.108.203	0x7aa4	Standard query (0)	serisontop.dyn	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:32.121702909 CET	152.53.15.127	192.168.2.15	0x2a05	No error (0)	serisbot.geek		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:43.773480892 CET	51.158.108.203	192.168.2.15	0x42cb	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:28:56.103507996 CET	51.158.108.203	192.168.2.15	0xe1bc	Format error (1)	serisbot.geek. [malformed]	none	none	256	424	false
Feb 1, 2025 15:28:56.120820999 CET	51.158.108.203	192.168.2.15	0xe1bc	Format error (1)	serisbot.geek. [malformed]	none	none	256	424	false
Feb 1, 2025 15:28:56.138174057 CET	51.158.108.203	192.168.2.15	0xe1bc	Format error (1)	serisbot.geek. [malformed]	none	none	256	424	false
Feb 1, 2025 15:28:56.154967070 CET	51.158.108.203	192.168.2.15	0xe1bc	Format error (1)	serisbot.geek. [malformed]	none	none	256	424	false
Feb 1, 2025 15:28:56.171973944 CET	51.158.108.203	192.168.2.15	0xe1bc	Format error (1)	serisbot.geek. [malformed]	none	none	256	424	false
Feb 1, 2025 15:29:20.907995939 CET	152.53.15.127	192.168.2.15	0x811d	Format error (1)	serisbot.geek. [malformed]	none	none	256	448	false
Feb 1, 2025 15:29:20.932605982 CET	152.53.15.127	192.168.2.15	0x811d	Format error (1)	serisbot.geek. [malformed]	none	none	256	448	false
Feb 1, 2025 15:29:20.951773882 CET	152.53.15.127	192.168.2.15	0x811d	Format error (1)	serisbot.geek. [malformed]	none	none	256	448	false
Feb 1, 2025 15:29:20.970640898 CET	152.53.15.127	192.168.2.15	0x811d	Format error (1)	serisbot.geek. [malformed]	none	none	256	448	false
Feb 1, 2025 15:29:20.997368097 CET	152.53.15.127	192.168.2.15	0x811d	Format error (1)	serisbot.geek. [malformed]	none	none	256	448	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:45.725588083 CET	81.169.136.222	192.168.2.15	0xd446	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:29:57.150949955 CET	168.235.111.72	192.168.2.15	0x33e1	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:09.481904984 CET	152.53.15.127	192.168.2.15	0xc248	Format error (1)	serisbot.geek. [malformed]	none	none	256	497	false
Feb 1, 2025 15:30:09.500952959 CET	152.53.15.127	192.168.2.15	0xc248	Format error (1)	serisbot.geek. [malformed]	none	none	256	497	false
Feb 1, 2025 15:30:09.519433022 CET	152.53.15.127	192.168.2.15	0xc248	Format error (1)	serisbot.geek. [malformed]	none	none	256	497	false
Feb 1, 2025 15:30:09.544128895 CET	152.53.15.127	192.168.2.15	0xc248	Format error (1)	serisbot.geek. [malformed]	none	none	256	497	false
Feb 1, 2025 15:30:09.562578917 CET	152.53.15.127	192.168.2.15	0xc248	Format error (1)	serisbot.geek. [malformed]	none	none	256	497	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		209.38.56.129	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		64.225.86.206	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		68.183.244.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		209.38.56.135	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		209.38.188.134	A (IP address)	IN (0x0001)	false
Feb 1, 2025 15:30:34.318108082 CET	51.158.108.203	192.168.2.15	0x7aa4	No error (0)	serisontop.dyn		146.190.204.203	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: zerarm7.elf PID: 5543, Parent PID: 5463

General

Start time (UTC):	14:28:31
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm7.elf
Arguments:	/tmp/zerarm7.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zerarm7.elf PID: 5545, Parent PID: 5543

General

Start time (UTC):	14:28:31
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: zerarm7.elf PID: 5547, Parent PID: 5545

General

Start time (UTC):	14:28:31
Start date (UTC):	01/02/2025
Path:	/tmp/zerarm7.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report zerarm7.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: zerarm7.elf PID: 5543, Parent PID: 5463

General

Chronological Activities

Analysis Process: zerarm7.elf PID: 5545, Parent PID: 5543

General

Chronological Activities

Analysis Process: zerarm7.elf PID: 5547, Parent PID: 5545

General

Chronological Activities

Linux Analysis Report
zerarm7.elf