Edit tour

Linux Analysis Report
http://31.214.243.29/Demon.mips

Overview

General Information

Sample URL:	http://31.214.243.29/Demon.mips
Analysis ID:	831144
Infos:

Detection

Gafgyt, Mirai

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Yara detected Gafgyt

Writes ELF files to disk

Yara signature match

Creates hidden files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Queries the installed Ubuntu/CentOS release

Classification

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	831144
Start date and time:	2023-03-21 06:16:03 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://31.214.243.29/Demon.mips
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal72.troj.lin@0/45@31/0

Warnings

Excluded domains from analysis (whitelisted): incoming.telemetry.mozilla.org, aus5.mozilla.org
VT rate limit hit for: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1
VT rate limit hit for: http://31.214.243.29/Demon.mipsstrongly-framed1request-methodGETresponse-headHTTP/1.1

Process Tree

system is lnxubuntu20

exo-open (PID: 6242, Parent: 6229, MD5: 60a307a6a6325e2034eb5cc56bff1abd) Arguments: exo-open http://31.214.243.29/Demon.mips

exo-open New Fork (PID: 6243, Parent: 6242)

exo-open New Fork (PID: 6244, Parent: 6243)

exo-helper-2 (PID: 6244, Parent: 1860, MD5: ab59c8990baa7254463cdf800a83b9e3) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 --launch WebBrowser http://31.214.243.29/Demon.mips

exo-helper-2 New Fork (PID: 6247, Parent: 6244)

sensible-browser (PID: 6247, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/bin/sensible-browser http://31.214.243.29/Demon.mips

sensible-browser New Fork (PID: 6248, Parent: 6247)

which (PID: 6248, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: which sensible-browser

x-www-browser (PID: 6247, Parent: 6244, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/bin/x-www-browser http://31.214.243.29/Demon.mips

x-www-browser New Fork (PID: 6249, Parent: 6247)

which (PID: 6249, Parent: 6247, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: which /usr/bin/x-www-browser

firefox (PID: 6247, Parent: 6244, MD5: bf9680bcd223dba6b6e38b63bc4f73d7) Arguments: /usr/lib/firefox/firefox http://31.214.243.29/Demon.mips

firefox New Fork (PID: 6251, Parent: 6247)

firefox New Fork (PID: 6252, Parent: 6247)

firefox New Fork (PID: 6270, Parent: 6247)

lsb_release (PID: 6270, Parent: 6247, MD5: 69f442c3e33b5f9a66b722c29ad89435) Arguments: /usr/bin/lsb_release -idrc

firefox New Fork (PID: 6295, Parent: 6247)

dbus-launch (PID: 6295, Parent: 6247, MD5: 0b22a45154a51c6121bb1d208d8ab203) Arguments: dbus-launch --autolaunch=ee49dfd4fa47433baee88884e2d7de7c --binary-syntax --close-stderr

firefox New Fork (PID: 6304, Parent: 6247)

firefox New Fork (PID: 6306, Parent: 6304)

firefox (PID: 6304, Parent: 6247, MD5: bf9680bcd223dba6b6e38b63bc4f73d7) Arguments: /usr/lib/firefox/firefox -contentproc -parentBuildID 20210816143654 -prefsLen 1 -prefMapSize 238647 -appdir /usr/lib/firefox/browser 6247 true socket

firefox New Fork (PID: 6340, Parent: 6247)

firefox New Fork (PID: 6342, Parent: 6340)

firefox (PID: 6340, Parent: 6247, MD5: bf9680bcd223dba6b6e38b63bc4f73d7) Arguments: /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 188 -prefMapSize 238647 -jsInit 285716 -parentBuildID 20210816143654 -appdir /usr/lib/firefox/browser 6247 true tab

firefox New Fork (PID: 6383, Parent: 6247)

firefox New Fork (PID: 6385, Parent: 6383)

firefox (PID: 6383, Parent: 6247, MD5: bf9680bcd223dba6b6e38b63bc4f73d7) Arguments: /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 5911 -prefMapSize 238647 -jsInit 285716 -parentBuildID 20210816143654 -appdir /usr/lib/firefox/browser 6247 true tab

firefox New Fork (PID: 6434, Parent: 6247)

firefox New Fork (PID: 6436, Parent: 6434)

firefox (PID: 6434, Parent: 6247, MD5: bf9680bcd223dba6b6e38b63bc4f73d7) Arguments: /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 6099 -prefMapSize 238647 -jsInit 285716 -parentBuildID 20210816143654 -appdir /usr/lib/firefox/browser 6247 true tab

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Bashlite, Gafgyt	Bashlite is a malware family which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.	No Attribution	http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/ https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ https://blog.netlab.360.com/public-cloud-threat-intelligence-202203/ https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukraine_and_russia_in_recent_days/ https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x1546e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15482:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15496:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154aa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154be:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154d2:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154e6:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x154fa:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1550e:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15588:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1559c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155b0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155c4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155d8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x155ec:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15600:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15614:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15628:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1563c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15650:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x15664:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
dump.pcap	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x1541e:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64

Dropped Files

Source	Rule	Description	Author	Strings
/tmp/khk19L2S.mips.part	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/tmp/khk19L2S.mips.part	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
/tmp/khk19L2S.mips.part	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x128c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12904:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1292c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1297c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
/tmp/khk19L2S.mips.part	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x12878:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security
/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1	JoeSecurity_Gafgyt	Yara detected Gafgyt	Joe Security
/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x128c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x128f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12904:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12918:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1292c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12940:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12954:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12968:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x1297c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12990:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x129f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a08:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a1c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a30:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a44:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x12a58:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1	Linux_Trojan_Gafgyt_ea92cca8	unknown	unknown	0x12878:$a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Click to see the 3 entries

HTTP traffic detected: POST /submit/firefox-desktop/deletion-request/1/7c4c3d68-b8c8-44e6-a714-345a0583faf2 HTTP/1.1Host: incoming.telemetry.mozilla.orgUser-Agent: Glean/39.0.0 (Rust on Linux)Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brx-client-type: Gleanx-client-version: 39.0.0content-type: application/json; charset=utf-8date: Tue, 21 Mar 2023 06:17:35 GMTcontent-encoding: gzipcontent-length: 284Connection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: no-corsSec-Fetch-Site: nonePragma: no-cacheCache-Control: no-cache

Source: unknown

HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.23:57056 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /tmp/khk19L2S.mips.part, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: /tmp/khk19L2S.mips.part, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown

Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: /tmp/khk19L2S.mips.part, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: /tmp/khk19L2S.mips.part, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED	Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16

Source: classification engine

Classification label: mal72.troj.lin@0/45@31/0

Source: khk19L2S.mips.part.42.dr	ELF static info symbol of dropped file: libc/string/mips/memcpy.S
Source: khk19L2S.mips.part.42.dr	ELF static info symbol of dropped file: libc/string/mips/memset.S
Source: khk19L2S.mips.part.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crt1.S
Source: khk19L2S.mips.part.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crti.S
Source: khk19L2S.mips.part.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crtn.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	ELF static info symbol of dropped file: libc/string/mips/memcpy.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	ELF static info symbol of dropped file: libc/string/mips/memset.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crt1.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crti.S
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	ELF static info symbol of dropped file: libc/sysdeps/linux/mips/crtn.S

Source: /usr/lib/firefox/firefox (PID: 6247)	File written: /tmp/khk19L2S.mips.part			Jump to dropped file
Source: /usr/lib/firefox/firefox (PID: 6247)	File written: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1			Jump to dropped file

Source: /usr/bin/exo-open (PID: 6242)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244)	Directory: /home/saturnino/.cache	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244)	Directory: /home/saturnino/.local	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244)	Directory: /home/saturnino/.config	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6247)	Directory: /home/saturnino/.cache	Jump to behavior

Source: /usr/bin/exo-open (PID: 6242)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2 (PID: 6244)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6247)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6252)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/dbus-launch (PID: 6295)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6340)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6383)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/lib/firefox/firefox (PID: 6434)	Queries kernel information via 'uname':	Jump to behavior

Source: /usr/lib/firefox/firefox (PID: 6270)

Arguments: /usr/bin/lsb_release -> /usr/bin/lsb_release -idrc

Jump to behavior

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match	File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match	File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED

Yara detected Gafgyt

Source: Yara match	File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match	File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED

Remote Access Functionality

Yara detected Mirai

Source: Yara match	File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match	File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED

Yara detected Gafgyt

Source: Yara match	File source: /tmp/khk19L2S.mips.part, type: DROPPED
Source: Yara match	File source: /home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	4 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Ingress Tool Transfer	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://31.214.243.29/Demon.mips	100%	Avira URL Cloud	malware

Dropped Files

Source	Detection	Scanner	Label	Link
/tmp/khk19L2S.mips.part	62%	ReversingLabs	Linux.Trojan.Mirai

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.billybobbot.com/crawler/)	0%	URL Reputation	safe
http://www.billybobbot.com/crawler/)	0%	URL Reputation	safe
https://trr.dns.nextdns.io/	0%	URL Reputation	safe
https://trr.dns.nextdns.io/	0%	URL Reputation	safe
http://pki.goog/repo/certs/gtsr1.der04	0%	URL Reputation	safe
https://firefox.dns.next	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://firefox.dns.nextdns.io/	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
http://fast.no/support/crawler.asp)	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.pki.goog/gtsr1/gtsr1.crl0W	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://feedback.redkolibri.com/	0%	URL Reputation	safe
http://31.214.243.29/	0%	Avira URL Cloud	safe
http://31.214.243.29/predictor::seen1	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://31.214.243.29/Demon.mipsstrongly-framed1request-methodGETresponse-headHTTP/1.1	0%	Avira URL Cloud	safe
http://31.214.243.29/	10%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
star-mini.c10r.facebook.com	157.240.20.35	true	false	high
fennec-catalog-cdn.prod.mozaws.net	34.111.73.144	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	unknown
twitter.com	104.244.42.129	true	false	high
youtube-ui.l.google.com	142.250.185.142	true	false	high
autopush.prod.mozaws.net	52.10.254.200	true	false	high
reddit.map.fastly.net	151.101.65.140	true	false	unknown
firefox.settings.services.mozilla.com	35.241.9.150	true	false	high
prod.ingestion-edge.prod.dataops.mozgcp.net	34.120.208.123	true	false	unknown
dyna.wikimedia.org	91.198.174.192	true	false	high
www.example.com	93.184.216.34	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	unknown
www.facebook.com	unknown	unknown	false	high
www.reddit.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
push.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high
firefox-settings-attachments.cdn.mozilla.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://firefox.settings.services.mozilla.com/v1/	false	high
http://31.214.243.29/Demon.mips	true	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/4f1bcaa0-ddf9-43ef-aca3-8378c4d05582.ftl	false	high
https://push.services.mozilla.com/	false	high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US	false	high
https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2021-09-19-15-17-11.chain	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com/policies/privacy/	scriptCache-new.bin.42.dr	false		high
http://www.billybobbot.com/crawler/)	730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://settings.stage.mozaws.net/v1/buckets/main-preview/collections/search-config/records	scriptCache-new.bin.42.dr	false		high
https://support.mozilla.org/kb/	scriptCache-new.bin.42.dr	false		high
https://yandex.com	scriptCache-new.bin.42.dr	false		high
https://trr.dns.nextdns.io/	scriptCache-new.bin.42.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=921157	scriptCache-new.bin.42.dr	false		high
https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes	scriptCache-new.bin.42.dr	false		high
https://private.canadianshield.cira.ca/dns-query	3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	false		high
http://31.214.243.29/	134714F2DF01B21FA934AB16898B0583114E19B0.42.dr	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mozilla.org/MPL/2.0/.	asrouter.ftl.tmp.42.dr, DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1238180	scriptCache-new.bin.42.dr	false		high
https://ebay.com	scriptCache-new.bin.42.dr	false		high
https://www.openh264.org/	scriptCache-new.bin.42.dr	false		high
http://pki.goog/repo/certs/gtsr1.der04	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
https://firefox.dns.next	3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings	scriptCache-new.bin.42.dr	false		high
http://31.214.243.29/predictor::seen1	134714F2DF01B21FA934AB16898B0583114E19B0.42.dr	false	Avira URL Cloud: safe	unknown
https://twitter.com	scriptCache-new.bin.42.dr	false		high
http://x1.c.lencr.org/0	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://firefox.dns.nextdns.io/	scriptCache-new.bin.42.dr	false	URL Reputation: safe	unknown
https://remote-settings.readthedocs.io	F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	false		high
https://profiler.firefox.com	scriptCache-new.bin.42.dr	false		high
http://json-schema.org/draft-04/schema#	scriptCache-new.bin.42.dr	false		high
http://www.baidu.com/search/spider.html)	730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	false		high
https://mozilla.cloudflare-dns.com/dns-query	3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	false	URL Reputation: safe	unknown
http://fast.no/support/crawler.asp)	khk19L2S.mips.part.42.dr	false	URL Reputation: safe	unknown
https://doh.xfinity.com/dns-query	3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	254256B27E0C48CF9B80B695F0B3B8CA84610495.42.dr	false		high
http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes	F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	false		high
https://www.widevine.com/	scriptCache-new.bin.42.dr	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
https://settings.stage.mozaws.net/v1/buckets/main/collections/search-config/records	scriptCache-new.bin.42.dr	false		high
http://crl.pki.goog/gtsr1/gtsr1.crl0W	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations	scriptCache-child-new.bin.42.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	cert9.db.42.dr, cert9.db-journal.42.dr	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes	scriptCache-new.bin.42.dr	false		high
https://pki.goog/repository/0	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
http://31.214.243.29/Demon.mipsstrongly-framed1request-methodGETresponse-headHTTP/1.1	730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	true	Avira URL Cloud: safe	unknown
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/4f1bcaa0-ddf9-	DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr	false		high
https://firefox.settings.services.mozilla.com/v1	scriptCache-new.bin.42.dr	false		high
https://duckduckgo.com	scriptCache-new.bin.42.dr	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records	scriptCache-new.bin.42.dr	false		high
https://github.com/Kinto/kinto-attachment/	F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	false		high
https://amazon.com	scriptCache-new.bin.42.dr	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help	scriptCache-new.bin.42.dr	false		high
https://firefox-settings-attachments.cdn.mozilla.net/	F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	false		high
https://support.mozilla.org/kb/flash-protected-mode-autodisabled	scriptCache-new.bin.42.dr	false		high
http://crl.pki.goog/gsr2/gsr2.crl0?	cert9.db.42.dr, cert9.db-journal.42.dr	false	URL Reputation: safe	unknown
https://google.com	scriptCache-new.bin.42.dr	false		high
http://feedback.redkolibri.com/	730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	false	URL Reputation: safe	unknown
http://www.baidu.com/search/spider.htm)	730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	false		high
https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5	scriptCache-new.bin.42.dr	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco	scriptCache-new.bin.42.dr	false		high
https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202	5FFD69415953BE9CE9C07B2E9C26DA959ADEA6CB.42.dr	false		high
https://baidu.com	scriptCache-new.bin.42.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
44.231.103.117	unknown	United States	16509	AMAZON-02US	false
52.25.208.227	unknown	United States	16509	AMAZON-02US	false
31.214.243.29	unknown	Germany	197071	ACTIVE-SERVERSactive-serverscomDE	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
34.120.208.123	prod.ingestion-edge.prod.dataops.mozgcp.net	United States	15169	GOOGLEUS	false
34.111.73.144	fennec-catalog-cdn.prod.mozaws.net	United States	15169	GOOGLEUS	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false
35.241.9.150	firefox.settings.services.mozilla.com	United States	15169	GOOGLEUS	false

Process:	/usr/lib/firefox/firefox
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Reputation:	low
Preview:	.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 43386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38690
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39582
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39200
Source: unknown	Network traffic detected: HTTP traffic on port 39200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57870
Source: unknown	Network traffic detected: HTTP traffic on port 57862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 38248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 38246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 39214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38248
Source: unknown	Network traffic detected: HTTP traffic on port 43386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57862
Source: unknown	Network traffic detected: HTTP traffic on port 38690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 39582 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29
Source: unknown	TCP traffic detected without corresponding DNS query: 31.214.243.29

Source: global traffic	HTTP traffic detected: GET /chains/remote-settings.content-signature.mozilla.org-2021-09-19-15-17-11.chain HTTP/1.1Host: content-signature-2.cdn.mozilla.netUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteIf-Modified-Since: Sat, 31 Jul 2021 15:17:12 GMTIf-None-Match: "8cfd2c8fe1fb0bc900759661d7a6ee89"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: /HsD9zTc2lDu1K9P7e79lw==Connection: keep-alive, UpgradeSec-Fetch-Dest: websocketSec-Fetch-Mode: websocketSec-Fetch-Site: cross-sitePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteIf-Modified-Since: Tue, 01 Jun 2021 14:28:23 GMTIf-None-Match: "1622557703112"
Source: global traffic	HTTP traffic detected: GET /v1/ HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic	HTTP traffic detected: GET /main-workspace/ms-language-packs/4f1bcaa0-ddf9-43ef-aca3-8378c4d05582.ftl HTTP/1.1Host: firefox-settings-attachments.cdn.mozilla.netUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-site
Source: global traffic	HTTP traffic detected: GET /update/3/GMP/91.0.1/20210816143654/Linux_x86_64-gcc3/null/release-cck-ubuntu/Linux%205.4.0-72-generic%20(GTK%203.24.20%2Clibpulse%2013.99.0)/canonical/1.0/update.xml HTTP/1.1Host: aus5.mozilla.orgUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cachePragma: no-cacheConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: no-corsSec-Fetch-Site: cross-site
Source: global traffic	HTTP traffic detected: GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1Host: firefox.settings.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/jsonConnection: keep-aliveSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-siteIf-Modified-Since: Fri, 25 Mar 2022 17:45:46 GMTIf-None-Match: "1648230346554"
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: Pv/Zvfj6YW6T57Phu897Ug==Connection: keep-alive, UpgradeSec-Fetch-Dest: websocketSec-Fetch-Mode: websocketSec-Fetch-Site: cross-sitePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: U4qUgcEAUSmpmIII+0JwlQ==Connection: keep-alive, UpgradeSec-Fetch-Dest: websocketSec-Fetch-Mode: websocketSec-Fetch-Site: cross-sitePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: push.services.mozilla.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brSec-WebSocket-Version: 13Origin: wss://push.services.mozilla.com/Sec-WebSocket-Protocol: push-notificationSec-WebSocket-Extensions: permessage-deflateSec-WebSocket-Key: xcYDBoWaCBwQWORghw2Mew==Connection: keep-alive, UpgradeSec-Fetch-Dest: websocketSec-Fetch-Mode: websocketSec-Fetch-Site: cross-sitePragma: no-cacheCache-Control: no-cacheUpgrade: websocket
Source: global traffic	HTTP traffic detected: GET /Demon.mips HTTP/1.1Host: 31.214.243.29User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-aliveUpgrade-Insecure-Requests: 1

Source: 134714F2DF01B21FA934AB16898B0583114E19B0.42.dr	String found in binary or memory: http://31.214.243.29/
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	String found in binary or memory: http://31.214.243.29/Demon.mips
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr	String found in binary or memory: http://31.214.243.29/Demon.mipsstrongly-framed1request-methodGETresponse-headHTTP/1.1
Source: 134714F2DF01B21FA934AB16898B0583114E19B0.42.dr	String found in binary or memory: http://31.214.243.29/predictor::seen1
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: khk19L2S.mips.part.42.dr	String found in binary or memory: http://fast.no/support/crawler.asp)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	String found in binary or memory: http://feedback.redkolibri.com/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	String found in binary or memory: http://kinto.readthedocs.io/en/latest/tutorials/synchronisation.html#polling-for-remote-changes
Source: asrouter.ftl.tmp.42.dr, DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: cert9.db-journal.42.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	String found in binary or memory: http://www.baidu.com/search/spider.htm)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	String found in binary or memory: http://www.baidu.com/search/spider.html)
Source: 730FA68718E69A9EC1DE4154BF49B2A37241C7B1.42.dr, khk19L2S.mips.part.42.dr	String found in binary or memory: http://www.billybobbot.com/crawler/)
Source: scriptCache-new.bin.42.dr	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: scriptCache-new.bin.42.dr	String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://x1.c.lencr.org/0
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: http://x1.i.lencr.org/0
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://amazon.com
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://baidu.com
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=921157
Source: 5FFD69415953BE9CE9C07B2E9C26DA959ADEA6CB.42.dr	String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: scriptCache-child-new.bin.42.dr	String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/JavaScript_OS.File/OS.File.Info#Cross-platform_Attributes
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	String found in binary or memory: https://doh.xfinity.com/dns-query
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://duckduckgo.com
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://ebay.com
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/
Source: DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3.42.dr	String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-language-packs/4f1bcaa0-ddf9-
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	String found in binary or memory: https://firefox.dns.next
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://firefox.dns.nextdns.io/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: 254256B27E0C48CF9B80B695F0B3B8CA84610495.42.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	String found in binary or memory: https://github.com/Kinto/kinto-attachment/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://google.com
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: 68B780A709FB903C666EF08F51EF5985A89FE446.42.dr	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/deletion-request/1/7c4c3d68-b8c8-44e6-
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: https://pki.goog/repository/0
Source: 3870112724rsegmnoittet-es.sqlite-wal.42.dr, 3870112724rsegmnoittet-es.sqlite.42.dr	String found in binary or memory: https://private.canadianshield.cira.ca/dns-query
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://profiler.firefox.com
Source: F8CBD54DDA10F4286A41EC6A537240712D6C2308.42.dr	String found in binary or memory: https://remote-settings.readthedocs.io
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://settings.stage.mozaws.net/v1/buckets/main-preview/collections/search-config/records
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://settings.stage.mozaws.net/v1/buckets/main/collections/search-config/records
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://support.mozilla.org/kb/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://support.mozilla.org/kb/flash-protected-mode-autodisabled
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://trr.dns.nextdns.io/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://twitter.com
Source: cert9.db.42.dr, cert9.db-journal.42.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://www.google.com/policies/privacy/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://www.openh264.org/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://www.widevine.com/
Source: scriptCache-new.bin.42.dr	String found in binary or memory: https://yandex.com

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2023 06:17:23.237967014 CET	58862	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:23.238112926 CET	53016	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:23.255949974 CET	53	53016	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:23.256042957 CET	53	58862	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:35.165245056 CET	56496	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:35.165478945 CET	44930	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:35.183171034 CET	53	44930	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:35.183228016 CET	53	56496	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:35.183821917 CET	39634	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:35.201853037 CET	53	39634	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:35.679447889 CET	57021	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:35.697139025 CET	53	57021	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:35.824021101 CET	40333	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:35.842788935 CET	53	40333	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:38.104825974 CET	52600	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:38.122525930 CET	53	52600	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:39.018667936 CET	52200	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:39.018774986 CET	48673	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:39.036520958 CET	53	52200	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:39.036636114 CET	53	48673	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:41.042417049 CET	43120	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:41.042736053 CET	58507	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:41.060601950 CET	53	43120	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:41.061301947 CET	53	58507	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:41.061706066 CET	37885	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:41.079900980 CET	53	37885	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:41.278846979 CET	59646	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:41.297071934 CET	53	59646	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:44.986042023 CET	39990	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:45.003951073 CET	53	39990	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:56.937290907 CET	40597	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:56.937804937 CET	58383	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:17:56.955193996 CET	53	40597	1.1.1.1	192.168.2.23
Mar 21, 2023 06:17:56.955722094 CET	53	58383	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.062733889 CET	36717	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.062994957 CET	42877	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.080677032 CET	53	42877	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.080779076 CET	53	36717	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.130449057 CET	46658	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.130737066 CET	36520	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.148289919 CET	53	46658	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.148864985 CET	53	36520	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.213614941 CET	36878	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.213829041 CET	43737	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.231379032 CET	53	43737	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.231416941 CET	53	36878	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.263957024 CET	40262	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.264198065 CET	60654	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.281903028 CET	53	40262	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.281965017 CET	53	60654	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.325733900 CET	48111	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.325872898 CET	35342	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.343791962 CET	53	48111	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.344152927 CET	53	35342	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.344654083 CET	48925	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.350140095 CET	44835	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.350322008 CET	53348	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:10.362646103 CET	53	48925	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.367979050 CET	53	44835	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:10.368037939 CET	53	53348	1.1.1.1	192.168.2.23
Mar 21, 2023 06:18:17.931102037 CET	49611	53	192.168.2.23	1.1.1.1
Mar 21, 2023 06:18:17.949184895 CET	53	49611	1.1.1.1	192.168.2.23

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2023 06:17:19.452233076 CET	1	OUT	GET /Demon.mips HTTP/1.1 Host: 31.214.243.29 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1
Mar 21, 2023 06:17:19.469438076 CET	2	IN	HTTP/1.1 200 OK Date: Tue, 21 Mar 2023 05:17:19 GMT Server: Apache/2.4.6 (CentOS) Last-Modified: Sat, 18 Mar 2023 21:24:02 GMT ETag: "1c717-5f733501889dd" Accept-Ranges: bytes Content-Length: 116503 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 00 02 00 08 00 00 00 01 00 40 02 a0 00 00 00 34 00 01 7b f4 00 00 10 07 00 34 00 20 00 04 00 28 00 15 00 12 70 00 00 00 00 00 00 b4 00 40 00 b4 00 40 00 b4 00 00 00 18 00 00 00 18 00 00 00 04 00 00 00 04 00 00 00 01 00 00 00 00 00 40 00 00 00 40 00 00 00 01 49 98 00 01 49 98 00 00 00 05 00 01 00 00 00 00 00 01 00 01 49 98 00 45 49 98 00 45 49 98 00 00 0e 38 00 00 71 fc 00 00 00 06 00 01 00 00 64 74 e5 51 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 04 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 45 d3 90 3c 1c 00 06 27 9c d2 c4 03 99 e0 21 27 bd ff e0 af bc 00 10 af bf 00 1c af bc 00 18 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c d2 a0 03 9f e0 21 8f 99 80 20 00 00 00 00 27 39 02 1c 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c d2 70 03 9f e0 21 8f 99 80 1c 00 00 00 00 27 39 0b f0 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 8f bf 00 1c 00 00 00 00 03 e0 00 08 27 bd 00 20 00 00 00 00 00 00 00 00 3c 1c 00 06 27 9c d2 30 03 99 e0 21 27 bd ff d8 af bf 00 20 af b1 00 1c af b0 00 18 af bc 00 10 8f 91 80 18 00 00 00 00 92 22 57 f0 00 00 00 00 14 40 00 1d 00 00 00 00 8f 90 80 18 00 00 00 00 8e 02 4e 90 00 00 00 00 8c 59 00 00 00 00 00 00 13 20 00 09 24 42 00 04 03 20 f8 09 ae 02 4e 90 8e 02 4e 90 8f bc 00 10 8c 59 00 00 00 00 00 00 17 20 ff f9 24 42 00 04 8f 82 82 d4 00 00 00 00 10 40 00 08 24 02 00 01 8f 84 80 1c 8f 99 82 d4 00 00 00 00 03 20 f8 09 24 84 49 94 8f bc 00 10 24 02 00 01 a2 22 57 f0 8f bf 00 20 8f b1 00 1c 8f b0 00 18 03 e0 00 08 27 bd 00 28 3c 1c 00 06 27 9c d1 74 03 99 e0 21 27 bd ff e0 af bf 00 18 af bc 00 10 8f 84 80 1c 8f 85 80 18 8f 82 80 f8 8f 99 80 f8 24 84 49 94 10 40 00 05 24 a5 57 f4 03 20 f8 09 00 00 00 00 8f bc 00 10 00 00 00 00 8f 84 80 18 8f 99 81 04 8c 82 49 a8 00 00 00 00 10 40 00 06 24 84 49 a8 13 20 00 04 00 00 00 00 8f bf 00 18 03 20 00 08 27 bd 00 20 8f bf 00 18 00 00 00 00 03 e0 00 08 27 bd 00 20 00 00 00 00 03 e0 00 21 04 11 00 01 00 00 00 00 3c 1c 00 06 27 9c d0 e4 03 9f e0 21 00 00 f8 21 8f 84 82 1c 8f a5 00 00 27 a6 00 04 24 01 ff f8 03 a1 e8 24 27 bd ff e0 8f 87 83 24 8f 88 81 dc 00 00 00 00 af a8 00 10 af a2 00 14 af bd 00 18 8f 99 82 34 00 00 00 00 03 20 f8 09 00 00 00 00 10 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3c 1c 00 06 27 9c d0 80 03 99 e0 21 27 bd ff e8 af be 00 10 03 a0 f0 21 af c4 00 18 8f 83 80 18 8f c2 00 18 00 00 00 00 ac 62 58 28 8f c3 00 18 3c 02 9e 37 34 42 79 b9 00 62 18 21 8f 82 80 18 00 00 00 00 24 42 58 28 ac 43 00 04 8f c3 00 18 3c 02 3c 6e 34 42 f3 72 00 62 18 21 8f 82 80 18 00 00 00 00 24 42 58 28 ac 43 00 08 24 02 00 03 af c2 00 08 10 00 00 23 00 00 00 00 8f c6 00 08 8f c2 00 08 00 00 00 00 24 42 ff fd 8f 83 80 18 00 02 20 80 24 62 58 28 00 82 10 21 8c 45 00 00 8f c2 00 08 00 00 00 00 24 42 ff fe 8f 83 80 18 00 02 20 80 24 62 58 28 00 82 10 21 8c 42 00 00 00 00 00 00 00 a2 18 26 8f c2 00 08 00 00 00 00 00 62 18 26 3c 02 9e 37 34 42 79 b9 00 62 20 26 8f 82 Data Ascii: ELF@4{4 (p@@@@IIIEIEI8qdtQE<'!'<'! '9 <'p!'9 ' <'0!' "W@NY $B NNY $B@$ $I$"W '(<'t!'$I@$W I@$I ' ' !<'!!'$$'$4 <'!'!bX(<74Byb!$BX(C<<n4Brb!$BX(C$#$B $bX(!E$B $bX(!B&b&<74Byb &
Mar 21, 2023 06:17:19.469520092 CET	4	IN	Data Raw: 80 18 00 06 18 80 24 42 58 28 00 62 10 21 ac 44 00 00 8f c2 00 08 00 00 00 00 24 42 00 01 af c2 00 08 8f c2 00 08 00 00 00 00 28 42 10 00 14 40 ff da 00 00 00 00 03 c0 e8 21 8f be 00 10 27 bd 00 18 03 e0 00 08 00 00 00 00 3c 1c 00 06 27 9c cf 54 Data Ascii: $BX(b!D$B(B@!'<'T!' !$I^!$BN$B0CCNBN $bX(!D!!D( (!
Mar 21, 2023 06:17:19.469598055 CET	5	IN	Data Raw: af c0 10 70 10 00 00 93 00 00 00 00 24 02 00 10 af c2 00 4c 27 c2 00 3c 27 c3 00 4c 8f c4 00 28 00 40 28 21 00 60 30 21 8f 99 80 d8 00 00 00 00 03 20 f8 09 00 00 00 00 8f dc 00 10 af c2 00 24 8f c3 00 24 24 02 ff ff 14 62 00 04 00 00 00 00 af c0 Data Ascii: p$L'<'L(@(!`0! $$$bp@C$D!(!< )'P@ !$E! @'P$B
Mar 21, 2023 06:17:19.469659090 CET	6	IN	Data Raw: 00 08 00 00 00 00 3c 1c 00 06 27 9c c5 a4 03 99 e0 21 27 bd ff d0 af bf 00 2c af be 00 28 03 a0 f0 21 af bc 00 10 af c4 00 30 af c5 00 34 af c6 00 38 af c7 00 3c af c0 00 24 24 02 00 20 af c2 00 20 8f c2 00 38 00 00 00 00 18 40 00 2a 00 00 00 00 Data Ascii: <'!',(!048<$$ 8@4$B$cb@8b@88C#8<0B@$0
Mar 21, 2023 06:17:19.469716072 CET	8	IN	Data Raw: af c4 00 50 af c5 00 54 af c6 00 58 af c0 00 34 10 00 01 49 00 00 00 00 8f c2 00 54 00 00 00 00 90 43 00 00 24 02 00 25 14 62 01 30 00 00 00 00 8f c2 00 54 00 00 00 00 24 42 00 01 af c2 00 54 af c0 00 38 8f c2 00 38 00 00 00 00 af c2 00 3c 8f c2 Data Ascii: PTX4ITC$%b0T$BT88<TB@;TC$%bTC$-bT$BT$8T$BT84B8TC$0b
Mar 21, 2023 06:17:19.469846010 CET	9	IN	Data Raw: 00 50 00 40 28 21 8f 82 80 20 00 00 00 00 24 59 0d 34 03 20 f8 09 00 00 00 00 8f dc 00 20 8f c2 00 34 00 00 00 00 24 42 00 01 af c2 00 34 8f c2 00 54 00 00 00 00 24 42 00 01 af c2 00 54 8f c2 00 54 00 00 00 00 90 42 00 00 00 00 00 00 14 40 fe b3 Data Ascii: P@(! $Y4 4$B4T$BTTB@P@PB@4!LH'P<' !',(!08<4$ @ !(!$
Mar 21, 2023 06:17:19.469903946 CET	10	IN	Data Raw: 8f 82 80 ec 00 00 00 00 8c 42 00 00 27 c3 00 c8 00 40 20 21 00 60 28 21 24 06 00 01 00 00 38 21 8f 99 83 f8 00 00 00 00 03 20 f8 09 00 00 00 00 8f dc 00 18 00 40 18 21 24 02 00 01 10 62 00 08 00 00 00 00 8f c2 00 34 00 00 00 00 a0 40 00 00 24 02 Data Ascii: B'@ !`(!$8! @!$b4@$"4C4$B4$b0$B0(B8B0C$B`4@0!
Mar 21, 2023 06:17:19.469958067 CET	12	IN	Data Raw: 00 04 00 40 20 21 8f 99 83 84 00 00 00 00 03 20 f8 09 00 00 00 00 8f dc 00 10 af c2 00 1c af c0 00 18 10 00 00 18 00 00 00 00 8f c2 00 18 00 00 00 00 00 02 10 80 00 40 18 21 8f c2 00 1c 00 00 00 00 00 62 20 21 8f c2 00 18 00 00 00 00 00 02 10 80 Data Ascii: @ ! @!b !@!Bb!B$B4 !04040ED$$!e@+! !!,((0+@
Mar 21, 2023 06:17:19.470032930 CET	13	IN	Data Raw: 8f c2 00 a8 00 00 00 00 00 02 18 80 00 03 10 80 00 43 10 23 8f c3 00 a8 00 00 00 00 00 43 10 21 00 02 10 40 00 82 20 23 af c4 00 a8 8f c3 00 a8 00 00 00 00 00 03 10 80 27 c3 00 18 00 43 10 21 8c 42 00 24 00 00 00 00 af c2 00 18 8f c2 00 1c 00 00 Data Ascii: C#C!@ #'C!B$,B2@-($8!8 ',(@(!$ ! @ !$b!*@(
Mar 21, 2023 06:17:19.470098019 CET	15	IN	Data Raw: 00 0c 00 00 00 00 8f c4 00 24 8f 99 80 f4 00 00 00 00 03 20 f8 09 00 00 00 00 8f dc 00 10 00 00 20 21 8f 99 81 44 00 00 00 00 03 20 f8 09 00 00 00 00 af c0 00 18 8f c2 00 18 00 00 00 00 24 42 00 01 af c2 00 18 10 00 ff c5 00 00 00 00 3c 1c 00 06 Data Ascii: $ !D $B<'!'H!$$0!t ( ! $@ ! ',@ !$@
Mar 21, 2023 06:17:19.487231970 CET	16	IN	Data Raw: 00 00 00 00 24 42 24 cc af a2 00 74 8f 82 80 1c 00 00 00 00 24 42 24 d0 af a2 00 78 8f 82 80 1c 00 00 00 00 24 42 24 d4 af a2 00 7c 8f 82 80 1c 00 00 00 00 24 42 24 d8 af a2 00 80 8f 82 80 1c 00 00 00 00 24 42 24 dc af a2 00 84 8f 82 80 1c 00 00 Data Ascii: $B$t$B$x$B$\|$B$$B$$B$$B$$B$$B$$B$$B$$B$$B$$B%$B%

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:23 UTC	0	OUT	GET /chains/remote-settings.content-signature.mozilla.org-2021-09-19-15-17-11.chain HTTP/1.1 Host: content-signature-2.cdn.mozilla.net User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site If-Modified-Since: Sat, 31 Jul 2021 15:17:12 GMT If-None-Match: "8cfd2c8fe1fb0bc900759661d7a6ee89"
2023-03-21 05:17:23 UTC	0	IN	HTTP/1.1 304 Not Modified Date: Tue, 21 Mar 2023 03:59:25 GMT Age: 4678 ETag: "8cfd2c8fe1fb0bc900759661d7a6ee89" Cache-Control: public,max-age=3600 Alt-Svc: clear Connection: close

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:38 UTC	1	OUT	POST /submit/firefox-desktop/deletion-request/1/7c4c3d68-b8c8-44e6-a714-345a0583faf2 HTTP/1.1 Host: incoming.telemetry.mozilla.org User-Agent: Glean/39.0.0 (Rust on Linux) Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br x-client-type: Glean x-client-version: 39.0.0 content-type: application/json; charset=utf-8 date: Tue, 21 Mar 2023 06:17:35 GMT content-encoding: gzip content-length: 284 Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: no-cors Sec-Fetch-Site: none Pragma: no-cache Cache-Control: no-cache
2023-03-21 05:17:38 UTC	1	OUT	Data Raw: 1f 8b 08 00 00 00 00 00 00 ff 85 90 c1 6e c3 20 10 44 ff 85 6b 43 b4 60 9b 38 fe 86 1e 7b 47 1b b3 34 28 36 76 01 a7 89 22 ff 7b b1 95 a4 51 2f 3d c2 9b 9d 99 dd 1b 1b 9d ff d4 ce db 81 35 37 16 e9 8b 35 b0 61 31 61 48 3a b9 9e 58 c3 24 c8 82 43 c1 a5 f8 00 d5 88 dd 1b 40 03 c0 36 8c bc f9 57 13 08 e3 e0 b3 02 53 4e 71 89 cd 1b d6 76 8e 7c 7a 86 26 ea a8 a7 14 ae 3a 9a 93 3e 4c ae 33 59 5f ec b7 b0 5d 1c 70 1c b5 71 71 ec f0 aa cf 14 a2 5b ed f6 22 63 b1 e0 d0 1e 5d a2 36 4d 61 29 72 a9 95 56 e5 7d ec e1 95 db 09 a8 85 12 65 a1 aa 07 6c 8f e8 3d 75 19 87 5c 00 23 e5 7f 43 67 d7 92 ee 07 b3 82 c9 9f fc f0 ed 33 18 e2 4b 76 b5 2d 5f b4 e8 27 8b 6b 7c f8 33 92 9f ef ce 4f 17 f6 bb f2 d2 c6 d6 20 60 6f 91 4b ac 0e bc b4 46 72 2c a5 e5 3b a5 a0 c0 9d 3d d4 b2 Data Ascii: n DkC`8{G4(6v"{Q/=575a1aH:X$C@6WSNqv\|z&:>L3Y_]pqq["c]6Ma)rV}el=u\#Cg3Kv-_'k\|3O `oKFr,;=
2023-03-21 05:17:38 UTC	2	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 21 Mar 2023 05:17:38 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Vary: Accept-Encoding Strict-Transport-Security: max-age=31536000 X-Frame-Options: DENY Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS Access-Control-Max-Age: 1728000 Access-Control-Allow-Headers: Accept-Encoding,Connection,Content-Encoding,Content-Length,Content-Type,DNT,Date,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,User-Agent,X-Client-Type,X-Client-Version,X-Debug-ID,X-Forwarded-For,X-Pingsender-Version,X-Pipeline-Proxy,X-Source-Tags,X-Telemetry-Agent Via: 1.1 google Alt-Svc: clear Connection: close
2023-03-21 05:17:38 UTC	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:39 UTC	2	OUT	GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1 Host: firefox.settings.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site If-Modified-Since: Tue, 01 Jun 2021 14:28:23 GMT If-None-Match: "1622557703112"
2023-03-21 05:17:39 UTC	3	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Type, Retry-After, Last-Modified, Content-Length, Pragma, Expires, ETag, Backoff, Alert, Cache-Control Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff Content-Length: 329 Via: 1.1 google Date: Tue, 21 Mar 2023 05:07:55 GMT Age: 584 Last-Modified: Fri, 25 Mar 2022 17:45:46 GMT ETag: "1648230346554" Content-Type: application/json Cache-Control: max-age=3600,public Alt-Svc: clear Connection: close
2023-03-21 05:17:39 UTC	3	IN	Data Raw: 7b 22 70 65 72 6d 69 73 73 69 6f 6e 73 22 3a 7b 7d 2c 22 64 61 74 61 22 3a 7b 22 61 74 74 61 63 68 6d 65 6e 74 22 3a 7b 22 68 61 73 68 22 3a 22 30 65 63 30 66 31 36 66 39 32 64 38 37 36 61 39 63 31 31 34 30 64 34 63 31 31 65 32 62 33 34 36 61 39 32 39 32 39 38 34 64 39 61 38 35 34 33 36 30 65 35 34 65 39 39 66 64 63 64 39 39 63 63 30 22 2c 22 73 69 7a 65 22 3a 37 35 38 31 2c 22 66 69 6c 65 6e 61 6d 65 22 3a 22 61 73 72 6f 75 74 65 72 2e 66 74 6c 22 2c 22 6c 6f 63 61 74 69 6f 6e 22 3a 22 6d 61 69 6e 2d 77 6f 72 6b 73 70 61 63 65 2f 6d 73 2d 6c 61 6e 67 75 61 67 65 2d 70 61 63 6b 73 2f 34 66 31 62 63 61 61 30 2d 64 64 66 39 2d 34 33 65 66 2d 61 63 61 33 2d 38 33 37 38 63 34 64 30 35 35 38 32 2e 66 74 6c 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 61 70 70 6c Data Ascii: {"permissions":{},"data":{"attachment":{"hash":"0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0","size":7581,"filename":"asrouter.ftl","location":"main-workspace/ms-language-packs/4f1bcaa0-ddf9-43ef-aca3-8378c4d05582.ftl","mimetype":"appl

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:40 UTC	4	OUT	GET /v1/ HTTP/1.1 Host: firefox.settings.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site
2023-03-21 05:17:40 UTC	4	IN	HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Content-Type, Backoff Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'; Strict-Transport-Security: max-age=31536000 X-Content-Type-Options: nosniff Content-Length: 939 Via: 1.1 google Date: Tue, 21 Mar 2023 04:31:39 GMT Content-Type: application/json Age: 2761 Cache-Control: max-age=3600,public Alt-Svc: clear Connection: close
2023-03-21 05:17:40 UTC	5	IN	Data Raw: 7b 22 70 72 6f 6a 65 63 74 5f 6e 61 6d 65 22 3a 22 52 65 6d 6f 74 65 20 53 65 74 74 69 6e 67 73 20 50 52 4f 44 22 2c 22 70 72 6f 6a 65 63 74 5f 76 65 72 73 69 6f 6e 22 3a 22 31 35 2e 30 2e 30 22 2c 22 68 74 74 70 5f 61 70 69 5f 76 65 72 73 69 6f 6e 22 3a 22 31 2e 32 32 22 2c 22 70 72 6f 6a 65 63 74 5f 64 6f 63 73 22 3a 22 68 74 74 70 73 3a 2f 2f 72 65 6d 6f 74 65 2d 73 65 74 74 69 6e 67 73 2e 72 65 61 64 74 68 65 64 6f 63 73 2e 69 6f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 72 65 66 6f 78 2e 73 65 74 74 69 6e 67 73 2e 73 65 72 76 69 63 65 73 2e 6d 6f 7a 69 6c 6c 61 2e 63 6f 6d 2f 76 31 2f 22 2c 22 73 65 74 74 69 6e 67 73 22 3a 7b 22 72 65 61 64 6f 6e 6c 79 22 3a 74 72 75 65 2c 22 65 78 70 6c 69 63 69 74 5f 70 65 72 6d 69 73 73 69 6f 6e 73 Data Ascii: {"project_name":"Remote Settings PROD","project_version":"15.0.0","http_api_version":"1.22","project_docs":"https://remote-settings.readthedocs.io","url":"https://firefox.settings.services.mozilla.com/v1/","settings":{"readonly":true,"explicit_permissions
2023-03-21 05:17:40 UTC	5	IN	Data Raw: 63 72 69 70 74 69 6f 6e 22 3a 22 41 64 64 20 66 69 6c 65 20 61 74 74 61 63 68 6d 65 6e 74 73 20 74 6f 20 72 65 63 6f 72 64 73 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 4b 69 6e 74 6f 2f 6b 69 6e 74 6f 2d 61 74 74 61 63 68 6d 65 6e 74 2f 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 36 2e 33 2e 31 22 2c 22 62 61 73 65 5f 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 66 69 72 65 66 6f 78 2d 73 65 74 74 69 6e 67 73 2d 61 74 74 61 63 68 6d 65 6e 74 73 2e 63 64 6e 2e 6d 6f 7a 69 6c 6c 61 2e 6e 65 74 2f 22 7d 7d 7d Data Ascii: cription":"Add file attachments to records","url":"https://github.com/Kinto/kinto-attachment/","version":"6.3.1","base_url":"https://firefox-settings-attachments.cdn.mozilla.net/"}}}

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:41 UTC	5	OUT	GET /main-workspace/ms-language-packs/4f1bcaa0-ddf9-43ef-aca3-8378c4d05582.ftl HTTP/1.1 Host: firefox-settings-attachments.cdn.mozilla.net User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site
2023-03-21 05:17:41 UTC	6	IN	HTTP/1.1 200 OK X-Amz-Id-2: 4ZH80hNl23+3AYy7V3kNUmXg4pNAW1kg97rBsZ1wFrGt08Ff0L1utwDuy6BsQ23FpUDWVN+cWx4= X-Amz-Request-Id: WBGVPYV69JF31N9T X-Amz-Version-Id: e7B0bYbdxIH00OBFDtYjUYFukCC5PJRb Accept-Ranges: bytes Server: AmazonS3 Content-Length: 7581 Via: 1.1 google Date: Thu, 16 Mar 2023 19:19:19 GMT Age: 381502 Last-Modified: Fri, 25 Mar 2022 17:29:17 GMT ETag: "c460716b62456449360b23cf5663f275" Content-Type: application/octet-stream Cache-Control: public,max-age=604800 Alt-Svc: clear Connection: close
2023-03-21 05:17:41 UTC	6	IN	Data Raw: 23 20 54 68 69 73 20 53 6f 75 72 63 65 20 43 6f 64 65 20 46 6f 72 6d 20 69 73 20 73 75 62 6a 65 63 74 20 74 6f 20 74 68 65 20 74 65 72 6d 73 20 6f 66 20 74 68 65 20 4d 6f 7a 69 6c 6c 61 20 50 75 62 6c 69 63 0a 23 20 4c 69 63 65 6e 73 65 2c 20 76 2e 20 32 2e 30 2e 20 49 66 20 61 20 63 6f 70 79 20 6f 66 20 74 68 65 20 4d 50 4c 20 77 61 73 20 6e 6f 74 20 64 69 73 74 72 69 62 75 74 65 64 20 77 69 74 68 20 74 68 69 73 0a 23 20 66 69 6c 65 2c 20 59 6f 75 20 63 61 6e 20 6f 62 74 61 69 6e 20 6f 6e 65 20 61 74 20 68 74 74 70 3a 2f 2f 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 4d 50 4c 2f 32 2e 30 2f 2e 0a 0a 23 23 20 54 68 65 73 65 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 75 73 65 64 20 61 73 20 68 65 61 64 69 6e 67 73 20 69 6e 20 74 68 65 20 72 65 63 6f 6d 6d 65 6e 64 Data Ascii: # This Source Code Form is subject to the terms of the Mozilla Public# License, v. 2.0. If a copy of the MPL was not distributed with this# file, You can obtain one at http://mozilla.org/MPL/2.0/.## These messages are used as headings in the recommend
2023-03-21 05:17:41 UTC	7	IN	Data Raw: 68 6f 77 2d 72 65 63 6f 6d 6d 65 6e 64 61 74 69 6f 6e 20 3d 20 44 6f 6e e2 80 99 74 20 53 68 6f 77 20 4d 65 20 54 68 69 73 20 52 65 63 6f 6d 6d 65 6e 64 61 74 69 6f 6e 0a 20 20 2e 61 63 63 65 73 73 6b 65 79 20 3d 20 53 0a 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 65 78 74 65 6e 73 69 6f 6e 2d 6c 65 61 72 6e 2d 6d 6f 72 65 2d 6c 69 6e 6b 20 3d 20 4c 65 61 72 6e 20 6d 6f 72 65 0a 0a 23 20 54 68 69 73 20 73 74 72 69 6e 67 20 69 73 20 75 73 65 64 20 6f 6e 20 61 20 6e 65 77 20 6c 69 6e 65 20 62 65 6c 6f 77 20 74 68 65 20 61 64 64 2d 6f 6e 20 6e 61 6d 65 0a 23 20 56 61 72 69 61 62 6c 65 73 3a 0a 23 20 20 20 24 6e 61 6d 65 20 28 53 74 72 69 6e 67 29 20 2d 20 41 64 64 2d 6f 6e 20 61 75 74 68 6f 72 20 6e 61 6d 65 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 Data Ascii: how-recommendation = Dont Show Me This Recommendation .accesskey = Scfr-doorhanger-extension-learn-more-link = Learn more# This string is used on a new line below the add-on name# Variables:# $name (String) - Add-on author namecfr-doorhanger
2023-03-21 05:17:41 UTC	8	IN	Data Raw: 0a 23 20 20 20 24 74 6f 74 61 6c 20 28 4e 75 6d 62 65 72 29 20 2d 20 54 68 65 20 74 6f 74 61 6c 20 6e 75 6d 62 65 72 20 6f 66 20 75 73 65 72 73 20 75 73 69 6e 67 20 74 68 65 20 61 64 64 2d 6f 6e 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 65 78 74 65 6e 73 69 6f 6e 2d 74 6f 74 61 6c 2d 75 73 65 72 73 20 3d 0a 20 20 7b 20 24 74 6f 74 61 6c 20 2d 3e 0a 20 20 20 20 20 20 5b 6f 6e 65 5d 20 7b 20 24 74 6f 74 61 6c 20 7d 20 75 73 65 72 0a 20 20 20 20 20 2a 5b 6f 74 68 65 72 5d 20 7b 20 24 74 6f 74 61 6c 20 7d 20 75 73 65 72 73 0a 20 20 7d 0a 0a 23 23 20 46 69 72 65 66 6f 78 20 41 63 63 6f 75 6e 74 73 20 4d 65 73 73 61 67 65 0a 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 62 6f 6f 6b 6d 61 72 6b 2d 66 78 61 2d 68 65 61 64 65 72 20 3d 20 53 79 6e 63 20 79 Data Ascii: # $total (Number) - The total number of users using the add-oncfr-doorhanger-extension-total-users = { $total -> [one] { $total } user *[other] { $total } users }## Firefox Accounts Messagecfr-doorhanger-bookmark-fxa-header = Sync y
2023-03-21 05:17:41 UTC	10	IN	Data Raw: 4d 69 6c 65 73 74 6f 6e 65 73 0a 0a 23 20 56 61 72 69 61 62 6c 65 73 3a 0a 23 20 20 20 24 62 6c 6f 63 6b 65 64 43 6f 75 6e 74 20 28 4e 75 6d 62 65 72 29 20 2d 20 54 68 65 20 74 6f 74 61 6c 20 63 6f 75 6e 74 20 6f 66 20 62 6c 6f 63 6b 65 64 20 74 72 61 63 6b 65 72 73 2e 20 54 68 69 73 20 6e 75 6d 62 65 72 20 77 69 6c 6c 20 61 6c 77 61 79 73 20 62 65 20 67 72 65 61 74 65 72 20 74 68 61 6e 20 31 2e 0a 23 20 20 20 24 64 61 74 65 20 28 44 61 74 65 74 69 6d 65 29 20 2d 20 54 68 65 20 64 61 74 65 20 77 65 20 62 65 67 61 6e 20 72 65 63 6f 72 64 69 6e 67 20 74 68 65 20 63 6f 75 6e 74 20 6f 66 20 62 6c 6f 63 6b 65 64 20 74 72 61 63 6b 65 72 73 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 6d 69 6c 65 73 74 6f 6e 65 2d 68 65 61 64 69 6e 67 32 20 3d 0a 20 20 7b 20 Data Ascii: Milestones# Variables:# $blockedCount (Number) - The total count of blocked trackers. This number will always be greater than 1.# $date (Datetime) - The date we began recording the count of blocked trackerscfr-doorhanger-milestone-heading2 = {
2023-03-21 05:17:41 UTC	11	IN	Data Raw: 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 66 69 73 73 69 6f 6e 2d 70 72 69 6d 61 72 79 2d 62 75 74 74 6f 6e 20 3d 20 4f 4b 2c 20 47 6f 74 20 69 74 0a 20 20 2e 61 63 63 65 73 73 6b 65 79 20 3d 20 4f 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 66 69 73 73 69 6f 6e 2d 73 65 63 6f 6e 64 61 72 79 2d 62 75 74 74 6f 6e 20 3d 20 4c 65 61 72 6e 20 6d 6f 72 65 0a 20 20 2e 61 63 63 65 73 73 6b 65 79 20 3d 20 4c 0a 0a 23 23 20 46 75 6c 6c 20 56 69 64 65 6f 20 53 75 70 70 6f 72 74 20 43 46 52 20 6d 65 73 73 61 67 65 0a 0a 63 66 72 2d 64 6f 6f 72 68 61 6e 67 65 72 2d 76 69 64 65 6f 2d 73 75 70 70 6f 72 74 2d 62 6f 64 79 20 3d 20 56 69 64 65 6f 73 20 6f 6e 20 74 68 69 73 20 73 69 74 65 20 6d 61 79 20 6e 6f 74 20 70 6c 61 79 20 63 6f 72 72 65 63 74 6c 79 20 6f 6e 20 74 68 Data Ascii: -doorhanger-fission-primary-button = OK, Got it .accesskey = Ocfr-doorhanger-fission-secondary-button = Learn more .accesskey = L## Full Video Support CFR messagecfr-doorhanger-video-support-body = Videos on this site may not play correctly on th
2023-03-21 05:17:41 UTC	12	IN	Data Raw: 63 65 73 20 6c 69 6b 65 20 61 69 72 70 6f 72 74 73 20 61 6e 64 20 63 6f 66 66 65 65 20 73 68 6f 70 73 2e 0a 73 70 6f 74 6c 69 67 68 74 2d 70 75 62 6c 69 63 2d 77 69 66 69 2d 76 70 6e 2d 70 72 69 6d 61 72 79 2d 62 75 74 74 6f 6e 20 3d 20 53 74 61 79 20 70 72 69 76 61 74 65 20 77 69 74 68 20 7b 20 2d 6d 6f 7a 69 6c 6c 61 2d 76 70 6e 2d 62 72 61 6e 64 2d 6e 61 6d 65 20 7d 0a 20 20 2e 61 63 63 65 73 73 6b 65 79 20 3d 20 53 0a 73 70 6f 74 6c 69 67 68 74 2d 70 75 62 6c 69 63 2d 77 69 66 69 2d 76 70 6e 2d 6c 69 6e 6b 20 3d 20 4e 6f 74 20 4e 6f 77 0a 20 20 2e 61 63 63 65 73 73 6b 65 79 20 3d 20 4e 0a 0a 23 23 20 54 6f 74 61 6c 20 43 6f 6f 6b 69 65 20 50 72 6f 74 65 63 74 69 6f 6e 20 52 6f 6c 6c 6f 75 74 0a 0a 23 20 22 54 65 73 74 20 70 69 6c 6f 74 22 20 69 73 20 Data Ascii: ces like airports and coffee shops.spotlight-public-wifi-vpn-primary-button = Stay private with { -mozilla-vpn-brand-name } .accesskey = Sspotlight-public-wifi-vpn-link = Not Now .accesskey = N## Total Cookie Protection Rollout# "Test pilot" is
2023-03-21 05:17:41 UTC	13	IN	Data Raw: 72 20 69 6e 74 65 72 6e 65 74 20 73 74 61 72 74 73 20 77 69 74 68 20 79 6f 75 0a 73 70 6f 74 6c 69 67 68 74 2d 62 65 74 74 65 72 2d 69 6e 74 65 72 6e 65 74 2d 62 6f 64 79 20 3d 20 57 68 65 6e 20 79 6f 75 20 75 73 65 20 7b 20 2d 62 72 61 6e 64 2d 73 68 6f 72 74 2d 6e 61 6d 65 7d 2c 20 79 6f 75 e2 80 99 72 65 20 76 6f 74 69 6e 67 20 66 6f 72 20 61 6e 20 6f 70 65 6e 20 61 6e 64 20 61 63 63 65 73 73 69 62 6c 65 20 69 6e 74 65 72 6e 65 74 20 74 68 61 74 e2 80 99 73 20 62 65 74 74 65 72 20 66 6f 72 20 65 76 65 72 79 6f 6e 65 2e 0a 73 70 6f 74 6c 69 67 68 74 2d 70 65 61 63 65 2d 6d 69 6e 64 2d 68 65 61 64 65 72 20 3d 20 57 65 e2 80 99 76 65 20 67 6f 74 20 79 6f 75 20 63 6f 76 65 72 65 64 0a 73 70 6f 74 6c 69 67 68 74 2d 70 65 61 63 65 2d 6d 69 6e 64 2d 62 6f 64 Data Ascii: r internet starts with youspotlight-better-internet-body = When you use { -brand-short-name}, youre voting for an open and accessible internet thats better for everyone.spotlight-peace-mind-header = Weve got you coveredspotlight-peace-mind-bod

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:41 UTC	14	OUT	GET /update/3/GMP/91.0.1/20210816143654/Linux_x86_64-gcc3/null/release-cck-ubuntu/Linux%205.4.0-72-generic%20(GTK%203.24.20%2Clibpulse%2013.99.0)/canonical/1.0/update.xml HTTP/1.1 Host: aus5.mozilla.org User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Cache-Control: no-cache Pragma: no-cache Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: no-cors Sec-Fetch-Site: cross-site
2023-03-21 05:17:41 UTC	14	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 21 Mar 2023 05:17:41 GMT Content-Type: text/xml; charset=utf-8 Content-Length: 720 Vary: Accept-Encoding Rule-ID: 17581 Rule-Data-Version: 16 Content-Signature: x5u=https://content-signature-2.cdn.mozilla.net/chains/aus.content-signature.mozilla.org-2023-04-30-16-53-15.chain; p384ecdsa=vPq58MixfE6UZfYeHNz6sXkifCVa1-Bqzd_ebLiEGBgTAqxlHQpJ1eMNwxIggFAv4lvf1CFnUR0aTvSe_agmK1zFZwzdnPzit9vt4pyestFwcM35Mmrw_kzxoWou2cd9 Strict-Transport-Security: max-age=31536000; X-Content-Type-Options: nosniff Content-Security-Policy: default-src 'none'; frame-ancestors 'none' X-Proxy-Cache-Status: MISS Via: 1.1 google Cache-Control: public,max-age=90 Alt-Svc: clear Connection: close
2023-03-21 05:17:41 UTC	15	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3f 3e 0a 3c 75 70 64 61 74 65 73 3e 0a 20 20 20 20 3c 61 64 64 6f 6e 73 3e 0a 20 20 20 20 20 20 20 20 3c 61 64 64 6f 6e 20 69 64 3d 22 67 6d 70 2d 67 6d 70 6f 70 65 6e 68 32 36 34 22 20 55 52 4c 3d 22 68 74 74 70 3a 2f 2f 63 69 73 63 6f 62 69 6e 61 72 79 2e 6f 70 65 6e 68 32 36 34 2e 6f 72 67 2f 6f 70 65 6e 68 32 36 34 2d 6c 69 6e 75 78 36 34 2d 32 65 31 37 37 34 61 62 36 64 63 36 63 34 33 64 65 62 62 30 62 35 62 36 32 38 62 64 66 31 32 32 61 33 39 31 64 35 32 31 2e 7a 69 70 22 20 68 61 73 68 46 75 6e 63 74 69 6f 6e 3d 22 73 68 61 35 31 32 22 20 68 61 73 68 56 61 6c 75 65 3d 22 39 34 35 33 31 65 32 36 37 33 31 34 64 65 36 36 31 62 32 32 30 35 63 36 30 36 32 38 33 66 62 30 36 36 64 37 38 31 65 35 63 Data Ascii: <?xml version="1.0"?><updates> <addons> <addon id="gmp-gmpopenh264" URL="http://ciscobinary.openh264.org/openh264-linux64-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip" hashFunction="sha512" hashValue="94531e267314de661b2205c606283fb066d781e5c
2023-03-21 05:17:41 UTC	15	IN	Data Raw: 6c 75 65 3d 22 35 35 61 37 65 34 62 33 37 39 64 35 38 32 36 66 30 31 62 31 61 33 36 61 62 64 38 37 32 66 34 31 31 62 30 62 61 33 63 64 32 65 64 65 63 30 63 37 39 39 65 38 32 64 65 66 30 32 66 31 37 31 64 66 31 65 33 33 33 36 35 66 35 38 64 39 31 64 32 35 32 37 66 31 64 63 61 66 33 36 34 34 62 30 62 61 39 66 35 63 34 61 33 31 65 37 31 32 62 65 65 34 32 62 63 37 38 36 61 35 34 35 61 33 34 39 31 63 22 20 73 69 7a 65 3d 22 37 38 30 36 36 38 36 22 20 76 65 72 73 69 6f 6e 3d 22 34 2e 31 30 2e 32 35 35 37 2e 30 22 2f 3e 0a 20 20 20 20 3c 2f 61 64 64 6f 6e 73 3e 0a 3c 2f 75 70 64 61 74 65 73 3e Data Ascii: lue="55a7e4b379d5826f01b1a36abd872f411b0ba3cd2edec0c799e82def02f171df1e33365f58d91d2527f1dcaf3644b0ba9f5c4a31e712bee42bc786a545a3491c" size="7806686" version="4.10.2557.0"/> </addons></updates>

Timestamp	kBytes transferred	Direction	Data
2023-03-21 05:17:43 UTC	16	OUT	GET /v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US HTTP/1.1 Host: firefox.settings.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/json Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site If-Modified-Since: Fri, 25 Mar 2022 17:45:46 GMT If-None-Match: "1648230346554"
2023-03-21 05:17:43 UTC	16	IN	HTTP/1.1 304 Not Modified Date: Tue, 21 Mar 2023 05:03:05 GMT Age: 878 ETag: "1648230346554" Cache-Control: max-age=3600,public Alt-Svc: clear Connection: close

Start time:	06:16:50
Start date:	21/03/2023
Path:	/usr/bin/exo-open
Arguments:	exo-open http://31.214.243.29/Demon.mips
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Start time:	06:16:51
Start date:	21/03/2023
Path:	/usr/bin/exo-open
Arguments:	n/a
File size:	27264 bytes
MD5 hash:	60a307a6a6325e2034eb5cc56bff1abd

Start time:	06:16:52
Start date:	21/03/2023
Path:	/usr/lib/x86_64-linux-gnu/xfce4/exo-2/exo-helper-2
Arguments:	n/a
File size:	80256 bytes
MD5 hash:	ab59c8990baa7254463cdf800a83b9e3

Start time:	06:16:53
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Start time:	06:16:57
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Start time:	06:17:02
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Start time:	06:17:03
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report http://31.214.243.29/Demon.mips

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Malware Threat Intel

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/home/saturnino/.cache/dconf/user

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/134714F2DF01B21FA934AB16898B0583114E19B0

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/254256B27E0C48CF9B80B695F0B3B8CA84610495

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/5FFD69415953BE9CE9C07B2E9C26DA959ADEA6CB

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/68B780A709FB903C666EF08F51EF5985A89FE446

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/730FA68718E69A9EC1DE4154BF49B2A37241C7B1

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/DED23BB33EA3C88FAD1C0A1CD53916E0D8C424D3

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/cache2/entries/F8CBD54DDA10F4286A41EC6A537240712D6C2308

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/settings/main/ms-language-packs/asrouter.ftl.tmp

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/startupCache/scriptCache-child-new.bin

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/startupCache/scriptCache-new.bin

/home/saturnino/.cache/mozilla/firefox/a3xevaya.default-release/startupCache/urlCache-new.bin

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/addonStartup.json.lz4.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/broadcast-listeners.json.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/cert9.db

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/cert9.db-journal

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/crashes/store.json.mozlz4.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/datareporting/aborted-session-ping.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/datareporting/glean/db/data.safe.bin

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/datareporting/glean/tmp/7c4c3d68-b8c8-44e6-a714-345a0583faf2

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/datareporting/session-state.json.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/datareporting/state.json.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/extensions.json.tmp

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/key4.db

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/key4.db-journal

/home/saturnino/.mozilla/firefox/a3xevaya.default-release/prefs-1.js

Linux Analysis Report
http://31.214.243.29/Demon.mips

Start time:	06:17:07
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Start time:	06:17:24
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Start time:	06:17:46
Start date:	21/03/2023
Path:	/usr/lib/firefox/firefox
Arguments:	n/a
File size:	736648 bytes
MD5 hash:	bf9680bcd223dba6b6e38b63bc4f73d7

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre