Reversing PHP Malware

Something I find quite interesting is PHP malware. This usually comes in the form of shells, which I write a bit about here Improving web shells with asymmetric encryption. These malwares often use obfuscation to make it harder to understand what the code is actually doing. However, with enough time and determination it is possible to break them down to understand their actions, and in some cases their vulnerabilities.

In particular I'm looking for:

  • Behavior, trough the actions they perform (changing files, remote code execution, etc).
  • Sources, any URLs or other mentions of creators.
  • Vulnerabilities, possibilities for others to access and take over the malware.

This is just a hobby project so please let me know if you have any good ideas on what to look for!


The table below provides an overview of the malware analyzed so far.

The original code is provided as a zip with the password 123 to avoid any kind of unintentional execution

FS in the VirusTotal column means I made the First Submission.

Vulnerable means that anyone can access the functionality of the shell without access to the source code.

Name (my) File name(s) VirusTotal Vulnerable MD5
Rac rac.php 1/58 (FS) Yes b7992e3f98fa177eea98244c9392faa0



Uses a combination of base64, gzip and rot13 to obfuscate code allowing for remote-code execution.

Full analysis for Rac shell