{
	"id": "f9bc355c-b8be-4faf-8c07-e96c1b041805",
	"created_at": "2026-04-06T00:19:26.168911Z",
	"updated_at": "2026-04-10T13:11:19.90495Z",
	"deleted_at": null,
	"sha1_hash": "c12cee0f4393c83b8421cbce48443fc320d3374e",
	"title": "Malware_Analysis/Hubnr_botnet at master · carbreal/Malware_Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 661004,
	"plain_text": "Malware_Analysis/Hubnr_botnet at master ·\r\ncarbreal/Malware_Analysis\r\nBy carbreal\r\nArchived: 2026-04-05 22:26:05 UTC\r\nHubnr Botnet\r\nToday, April 3rd of 2021, I found the following sample in my honeypot:\r\narm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (SYSV), statically linked, not stripped\r\nhash: fe7fb996b997877216d782a7adbcbe6a37bc585d459c6d0d452a346b078157c6\r\nAt first sight, it seems like a Mirai variant, but it has some interesting features. First, it doesn't encode the strings with an\r\nXOR function. It has two functions that do the job, util_encrypt() and util_decrypt(), and they just apply a 3-character\r\nrotation to the strings.\r\nIn the main function, we see the first util_decrypt() call. It decodes the variable proc_name, which returns\r\n\"/dev/hubnr\".\r\nThen, it runs the two main functions: hakka_con() and parse_buf().\r\nhttps://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet\r\nPage 1 of 12\n\nhakka_con() connects to the server and runs scanner_init(). In order to get the master IP, it calls\r\nutil_decrypt() again with the variable bot_host. This sample connects to the IP: 194.113.107.243\n\nscanner_init() is the function that handles self-propagation. I don't fully understand the entire logic behind this huge\r\nfunction, but I'd say that it works like a state machine. 
It has a for loop that iterates through a variable and a\r\nswitch-case statement that goes through each state.\n\nIt has a state that runs a telnet scan and performs a brute-force attack with a few stored credentials:\n\nThen, if the login is successful, it runs some recon commands and, depending on the output, it gets the appropriate\r\nbinary for the architecture.\r\nIt has a few ways of getting the binary onto the victim's machine: with wget, with tftp, or by echoing it onto the machine.\r\nBasically, these are the commands used in the different states:\r\nIt has 5 different droppers embedded, targeting 5 different architectures. It has a payloads variable that points to the\r\nmemory address of each dropper, and it's used in the get_retrieve_binary() function inside the state.\n\nThe dropper is a very small binary that only retrieves the sample from the master.\n\nThe other main function is parse_buf(). This one gets the command from the master. At the moment, it has 4\r\ndifferent options: a PING option, which just updates the master on which bots are alive; \"killproc\", which kills the process;\r\nand two different attack capabilities: \"udpflood\" and \"tcpflood\".\n\nIt's very interesting that it also has an http_send()+http_attack() function, with 5 different user-agents in memory, and\r\nthe HTTP request is also stored. 
It's used in the http_attack() function and it uses 4 different variables that are\r\nempty at the moment. I assume that when the new functionality is implemented, the master will be able to select\r\ndifferent payloads but it's not possible yet.\n\nSource: https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet"
	],
	"report_names": [
		"Hubnr_botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434766,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c12cee0f4393c83b8421cbce48443fc320d3374e.pdf",
		"text": "https://archive.orkl.eu/c12cee0f4393c83b8421cbce48443fc320d3374e.txt",
		"img": "https://archive.orkl.eu/c12cee0f4393c83b8421cbce48443fc320d3374e.jpg"
	}
}