Tag Archives: analysis

Shell hiding in image files

One day, we noticed strange GET request towards our JBoss server:

From the request above, you’ll quickly noticed that this attack leveraging Apache Struts vulnerability from CVE-2017-5638.

The request tried to execute command below:

“-O” : writes the documents to file.
“-” : if is used as file, documents will be printed to standard output, disabling link conversion.
“-q” : quiet (no output)

As you see, it tried to fetch image (jpeg file) from Seems normal right?
We fetch the file & take a look at the jpg file:

ASCII?? Not JPEG?? hmm..
Here’s whats inside the “logo.jpg” file:

We noticed there are several other file fetched; possibly a config file & bin file.
Let’s fetch those file!

Here is the config file:

Not sure it is. Maybe bin file to run a process:

Lets see if the file is packed:

Yup. So lets unpacked the file using UPX:

Overall, looks like the attacker want to hack our servers & turn it into his own crypto currency mining machine.
Typical behavior of attack we see in this time where the crypto currency is rising. People hack to make profit. 🙂

Here the MD5 for file above:

Dionaea simple analysis

Dionaea exploit analysis

We’ll using python bundled with Dionaea:

It will open a python console. Enter the code below line by line:

It will produce test.bin file in /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL is hxxp://


Maltrieve on Mac OS X

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including:

  • Malc0de
  • Malware Black List
  • Malware Domain List
  • VX Vault
  • URLqery
  • CleanMX
  • .

    If you want to install maltrieve on your Mac OS X, below is the steps to install it.

    • First, install beautifulsoup4 via pip

    • Install required dependencies via apt-get

    • Download maltrieve from github

    Done. Now you can use the maltrieve on you Mac OS X.