# Hubnr Botnet **[github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet](https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet)** carbreal Today, april 3rd of 2021, I found the following sample in my honeypot: ``` arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped hash: fe7fb996b997877216d782a7adbcbe6a37bc585d459c6d0d452a346b078157c6 ``` At first sight, it seems like a Mirai variant but has some interesting stuff. First, it doesn't encode the strings with an XOR function. It has two functions that do the job: util_encrypt() and util_decrypt() and they just apply a 3 character rotation to the strings. ----- In the main function, we see the first util_decrypt() call. It decodes the variable proc_name, that returns "/dev/hubnr". Then, it runs the two main functions: hakka_con() and parse_buf(). _hakka_con() connects to the server and runs scanner_init(). In order to get the master IP, it_ calls again util_decrypt() with the variable bot_host. This sample connects to the IP: **194.113.107.243** ----- _scanner_init() is the function that propagates itself. I don't fully understand the entire logic_ behind this huge function, but I'd say that it works like a state machine. It has a for loop that iterates through a variable and a switch-case function that goes through each state. ----- It has a state that runs a telnet scan and performs a bruteforce with a few stored credentials: ----- ----- ----- ----- Then, if the login is successful, it runs some recon commands and depending on the output it gets the appropiate binary for the architecture. It has a few ways of getting the binary into the victim's machine: with a wget, a tftp or echoing it into the machine. Basically, this are the commands used in the different states: It has 5 different droppers embedded targeting 5 different architectures. It has a payloads variable that points to the memory direction of each dropper and it's used in the _get_retrieve_binary() function inside the state._ ----- The dropper is a very small binary that only retrieves the sample from the master. ----- The other main function is parse_buf(). This one gets the command from the master. At the moment, it has 4 different options. A PING option, that just updates the master with the alive bots. "killproc" that kills the process. And two different attack capabilities: "udpflood" and **"tcpflood".** ----- It's very interesting that it has also a http_send()+http_attack() function with 5 different useragent in memory and the HTTP request is also stored. It's used in the http_attack() function and it uses 4 different variables that are empty at the moment. I asume that when the new ----- functionality is implemented, the master will be able to select different payloads but it s not possible yet. ----- ----- -----