[Guest Diary] Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack

    Published: 2025-05-28. Last Updated: 2025-05-28 13:48:55 UTC
    by Jennifer Wilson, SANS.edu BACS Student (Version: 1)
    1 comment(s)

    [This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

    As part of my BACS internship with SANS, I set up and maintained a DShield honeypot instance using a physical Raspberry Pi device. As I was putting together each of the attack observations that were due, I started to wonder how helpful AI would be. One of the things I wanted to do when I started the internship was to step outside of my comfort zone. While I have read a lot about AI, I have only used it a handful of times. So, I wondered: would it lead me astray? Would it provide valid, actionable data?

    In this blog post, I will explore how accurate and helpful ChatGPT is at identifying one of the more unique attacks I saw over the past few months.

    To set the stage, I first noticed this attack after running the cowrieprocessor script [2] on my honeypot. The attack occurred on 2025-04-20 and came from IP address 63[.]212[.]157[.]187. The whole attack occurred over a duration of 62.83 seconds. According to AbuseIPDB [3], the IP has been reported 300 times, and it has been marked with a 100% confidence of abuse. This IP has been busy in the world. Along with this basic data, the following commands were captured being run on the honeypot:

    # ifconfig
    # uname -a
    # cat /proc/cpuinfo
    # ps | grep '[Mm]iner'
    # ps -ef | grep '[Mm]iner'
    # ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
    # locate D877F783D5D3EF8Cs
    # echo Hi | cat -n

    Let’s first break down the first 5 commands:

    Command                    Use
    ifconfig                   Displays network configuration in Unix-like environments.
    uname -a                   Displays system information.
    cat /proc/cpuinfo          Displays CPU information.
    ps | grep '[Mm]iner'       Searches running processes for the string 'Miner' or 'miner'.
    ps -ef | grep '[Mm]iner'   Searches running processes for the string 'Miner' or 'miner' and provides detailed information for the matching processes.

    Figure 1: Breakdown of the commands the attacker ran and their function

    Ok, those are common commands that an attacker will often run to try to discover more information about a system they have landed on. Searching specifically for '[Mm]iner' is interesting: the attacker is trying to discover whether the system is already being used as a crypto miner.

    The next two commands caught my attention. The following command checks whether the listed paths exist on the file system, including hidden entries (the -a flag):

    ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*

    The 'locate D877F783D5D3EF8Cs' command is attempting to find 'D877F783D5D3EF8Cs' on the file system. But what is 'D877F783D5D3EF8Cs'? This is not a string I had seen before. Normally I would run to Google and start searching around to see if I could determine what it is. I got to wondering, though, whether ChatGPT or another platform could provide me with results as well. More importantly, would it provide me with accurate results?
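    As an added illustration (not part of the original diary or of the cowrieprocessor script), the following Python flags this reconnaissance sequence directly from Cowrie's JSON log, so a session like this one surfaces without an analyst reading every command. The indicator tags, verdict labels, session ids, IPs and sample log lines are constructed; only the eventid, input, session and src_ip fields of Cowrie's JSON events are assumed.

```python
import json
import re

# Indicator regexes derived from the command sequence captured above; each tag is
# a constructed label, matched against the raw "input" field of a Cowrie event.
INDICATORS = {
    "miner_check": re.compile(r"grep\s+'?\[Mm\]iner'?"),
    "telegram_tdata": re.compile(r"TelegramDesktop/tdata"),
    "sms_modem_recon": re.compile(r"/dev/ttyGSM|/dev/ttyUSB-mod|/var/spool/sms|smsd|qmuxd|simman|/dev/modem"),
    "telegram_key_locate": re.compile(r"\blocate\s+D877F783D5D3EF8C", re.IGNORECASE),
}

def classify_command(cmd):
    """Return the set of indicator tags matching one shell command."""
    return {tag for tag, rx in INDICATORS.items() if rx.search(cmd)}

def session_verdict(tags):
    """Roll per-command tags up to a session-level label (labels are constructed)."""
    if {"telegram_tdata", "telegram_key_locate"} <= tags:
        return "telegram-session-theft-recon"
    if "sms_modem_recon" in tags:
        return "sms-modem-recon"
    return "generic-recon"

def scan_cowrie_lines(lines):
    """Group matching commands by Cowrie session; only cowrie.command.input events count."""
    sessions = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: skip it rather than abort the scan
        if ev.get("eventid") != "cowrie.command.input":
            continue
        tags = classify_command(ev.get("input", ""))
        if tags:
            entry = sessions.setdefault(ev["session"], {"src_ip": ev.get("src_ip"), "tags": set()})
            entry["tags"] |= tags
    for entry in sessions.values():
        entry["verdict"] = session_verdict(entry["tags"])
    return sessions

# Constructed sample Cowrie JSON lines (session ids, IPs and timestamps are made up).
SAMPLE_LOG = """
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.5","timestamp":"2025-04-20T10:00:01Z","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.5","timestamp":"2025-04-20T10:00:02Z","input":"ps -ef | grep '[Mm]iner'"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.5","timestamp":"2025-04-20T10:00:03Z","input":"ls -la ~/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /var/spool/sms/*"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"203.0.113.5","timestamp":"2025-04-20T10:00:04Z","input":"locate D877F783D5D3EF8Cs"}
{"eventid":"cowrie.session.closed","session":"a1b2c3d4e5f6","src_ip":"203.0.113.5","timestamp":"2025-04-20T10:01:03Z"}
{"eventid":"cowrie.command.input","session":"ffff00001111","src_ip":"198.51.100.9","timestamp":"2025-04-20T11:00:00Z","input":"cat /proc/cpuinfo"}
"""
```

    Running scan_cowrie_lines(SAMPLE_LOG.splitlines()) reports only the first session, tagged with all four indicators and the telegram-session-theft-recon verdict; the plain cpuinfo session is not surfaced.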

    I started out simple, as can be seen in the screenshot below from my ChatGPT conversation [4], to see what feedback it would provide.


    Figure 2: ChatGPT’s response to ‘What is D877F783D5D3EF8Cs’.

    Given ChatGPT's response, I clearly needed to be more specific in my request.


    Figure 3: ChatGPT’s response to telling it that ‘D877F783D5D3EF8Cs’ was found on a honeypot.

    ChatGPT still seems to be guessing a bit. I want to see if I can get it to give me a more specific answer. Let’s see what happens when I provide it with the full command that was detected on the honeypot. Here is a snippet of what ChatGPT provided back:


    Figure 4: ChatGPT’s response to providing the full command that was detected on the honeypot.

    This has gotten me closer to a definite answer. I got curious about what would happen if I gave it the context of the command that was run before it. A snippet of its response is found below:


    Figure 5: ChatGPT’s response to providing it the previous ls -la command.

    The responses are now getting more detailed. ChatGPT suggests that the attack I am reviewing is part of a credential harvesting or SMS hijacking campaign [4]. Let’s see if it knows of any connection between the ‘D877F783D5D3EF8Cs’ and Telegram:


    Figure 6: ChatGPT’s response when asking about a connection between the string ‘D877F783D5D3EF8Cs’ and Telegram.

    While I only asked ChatGPT [4] about the context of 'D877F783D5D3EF8Cs' in relation to Telegram, it narrowed it down to Telegram Desktop and specifically the folder tdata. Looking back at the ls -la command, one of the folders the attacker was trying to list was ~/.local/share/TelegramDesktop/tdata. Even without knowing exactly what the attacker was attempting to do, in the context of the rest of the commands the attacker ran this seems like a logical response.

    Having gotten a logical response from ChatGPT, I still always verify that response. A quick Google search led me to several sources that confirmed what ChatGPT had given me [5][6][7].

    While it took a bit of time probing ChatGPT to get an answer, the more context I gave it, the better the result I got back. This would work well for an attack like this one, where I understood part of what was happening but needed clarification on one section.

    Let's see what happens if I drop the 's' off the string 'D877F783D5D3EF8Cs' and ask about just 'D877F783D5D3EF8C' in relation to Telegram. ChatGPT has been dropping it off in most of its responses to me, so maybe it is just a typo.


    Figure 7: ChatGPT’s response when asking about a connection between the string ‘D877F783D5D3EF8C’ and Telegram.

    Now ChatGPT seems very confident in the response it provided [4]. I then did a Google search, dropping the 's' off again, and got several of the same references as before. One difference was a Medium blog by XIT called "Lesson 10: Stealing Accounts Sessions with Malware" [8]. This could be what the attacker's goal is. It lines up with what we have learned from ChatGPT so far.

    When I was testing to see if this attack would make a good example, however, I got different responses. ChatGPT believed that the string 'D877F783D5D3EF8Cs' was part of an API call used by Telegram.

    When I went to verify this with Google, I was not able to find any other resources confirming it. When I asked ChatGPT to provide me with a source for its information, it became evasive. When I specifically asked for sources that mention 'D877F783D5D3EF8Cs', it first provided me with a link to a paper titled Automated Symbolic Verification of Telegram's MTProto 2.0 [9]. A quick search of the document showed that the string is not mentioned there. ChatGPT then stated it could provide me with the code that mentions it, but even this I had to ask for twice, as can be seen in the saved chat snippet below:


    Figure 8: Screenshot of a saved ChatGPT chat with a code snippet it provided.

    Could this be what the attackers were looking for when running the 'locate D877F783D5D3EF8Cs' command? Not likely. In the full context of the attack, it does not fit. It was also hard to verify, since I would have to rely either on ChatGPT's reassurance that it is correct or on decompiling source code to find the answer. If I need to decompile the source code to find the answer, the attacker would need to as well, and the attacker's actions show that was not done. While, according to ChatGPT, Telegram's source code does appear to use this key for a few different purposes, getting the context that it is in fact also the name of a critical file for Telegram is critically important. Without that key context, a lot of time could be spent going down a rabbit hole.

    There are several things that I learned from this exercise:

    • ChatGPT was useful in providing details of an attack that I was unsure of.
    • Providing as much context as I can helps it provide useful answers.
    • If ChatGPT starts acting evasive in its answers, it is highly likely that it is not providing good data.
    • As an analyst, even if I do not understand the details of a particular string, it is important to understand what the goal of the commands is, so I can recognize when ChatGPT is leading me astray.

    [1] https://www.sans.edu/cyber-security-programs/bachelors-degree/
    [2] https://github.com/jslagrew/cowrieprocessor
    [3] https://www.abuseipdb.com/check/69.212.157.187
    [4] https://chatgpt.com/c/682137f1-0f80-800c-92f5-58a4a9f50aef
    [5] https://pkg.go.dev/github.com/atilaromero/telegram-desktop-decrypt@v0.0.0-20210418042638-a2c3042b3bfa/tdata/encrypted
    [6] https://fossies.org/linux/john/run/telegram2john.py
    [7] https://github.com/atilaromero/telegram-desktop-decrypt/blob/master/README.md
    [8] https://x-it.medium.com/lesson-10-stealing-accounts-sessions-with-malware-f25217c3b057
    [9] https://arxiv.org/pdf/2012.03141

    --
    Jesse La Grew
    Handler
