First examine the pcap. Trace the TCP/HTTP streams:
"tcp.stream eq 1" looks like an obfuscated PowerShell script
"tcp.stream eq 2" looks like an executable
"tcp.stream eq 3" shows traffic that we cannot understand yet

So far we have an idea that:
1. Requested to 147.182.172.189 and received a response with 4A7xH.ps1
2. Requested to the same IP and received an executable, user32.dll
3. Requested to the same IP and received a response that we cannot understand so far

De-obfuscated the PS script using pwsh...
>LC_ALL=en_US.UTF-8 gdb -q [elf]
>gdb -q [linux exec]
>break main
>break *0x565564e3
>attach [pid]
>sudo gdb -q --args php -a
Debug with the php interactive shell:
>r (r means run)
Starting program: /usr/bin/php -a
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Interactive shell
php > dl('lverifier');
Debug the php extension .so file. Ctrl-C passes control back to gdb (gdb).... Set the breakpoint at a function or at a specific address. Use attach to debug the existing...