Verdict: MALICIOUS
Risk Score: 62

Malware Insights

MITRE ATT&CK: T1059.007 (JavaScript)
The critical WEBSHELL_PHP heuristic and the presence of PHP code clearly indicate this file is a webshell. The extensive comments within the code identify it as a modified 'Locus7s Modified c100 Shell' and mention features like privilege escalation, a milw0rm searcher, and a PHP proxy. The embedded URLs point to related domains and potential tools associated with this webshell.
Heuristics (2)

- WEBSHELL_PHP (critical): PHP webshell / backdoor source. The file contains PHP server-side code with the signature of a webshell/backdoor (named PHP webshell banner (Locus7s)). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.
- EMBEDDED_URL (info): Embedded URL. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://twofaced.org/proxy/index.php?q= (in RTF body)
  - http://milw0rm.com/search.php?dong=Linux (in RTF body)
  - http://milw0rm.com/search.php?dong= (in RTF body)
  - http://locus7s.com (in RTF body)
  - http://locus7s.com/files/lshell_update/ (in RTF body)
  - http://locus7s.com/ (in RTF body)
  - http://www.Locus7s.com (in RTF body)
  - http://r57shell.net/404/ittir.js (in RTF body)
  - http://img244.imageshack.us/img244/6663/locus7sgm8.jpg (in RTF body)
  - http://whois.domaintools.com/ (in RTF body)