PHP Malware Analysis

TYG_shell.html

md5: 0cc110c610940f78a17c10933040f24b

Attributes

Title

URLs
  • https://anon7.xyz/upload.txt (Deobfuscated, HTML, Original)
  • https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOPKXxpu3j902a5fGn-amQEWksOMHjoFhpVVZYjMvJ7ODpFc1MJbCb6MMtYKWZvkmcC6flOoifyrSsOi1QnhYV8GlZXXVyo38sYjwwgULeGNGiJ0zLzuBB9rzNyWG-nYOSZNesUwVUhwh4mLQKBbX_lKNcdaevRVBAJBe7Old_ML0gL8iQUXFbpo3lmw/s1024/Pi (Deobfuscated, HTML, Original)
  • https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/Pic (Deobfuscated, HTML, Original)
  • https://fonts.googleapis.com/css?family=Bungee (Deobfuscated, HTML, Original)
  • https://fonts.googleapis.com/css?family=Iceland (Deobfuscated, HTML, Original)
  • https://t.me/TYG_TEAM (Deobfuscated, HTML, Original)


Deobfuscated PHP code

<html>
 <head> 
  <title>-::| Shell T.Y.G - TEAM |::-</title> 
  <meta name="keywords" content="Hackers Arab islamic"> 
  <meta name="description" content="Yemeni Hackers | Top1# Yemen Cyber Security Team"> 
  <meta property="og:image" content="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
  <link rel="icon" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
 </head> 
 <body bgcolor="#1f1f1f" text="#ffffff"> 
  <link href="" rel="stylesheet" type="text/css"> 
  <style>
	@import url('https://fonts.googleapis.com/css?family=Iceland');
	@import url('https://fonts.googleapis.com/css?family=Bungee');
body {
	font-family: "Iceland", cursive;
	text-shadow:0px 0px 1px #757575;
}

#content tr:hover {
	background-color: #636263;
	text-shadow:0px 0px 10px #fff;
}

#content .first {
	background-color: #25383C;
}

#content .first:hover {
	background-color: #25383C
	text-shadow:0px 0px 1px #757575;
}

table {
	border: 1px #000000 dotted;
	table-layout: fixed;
}

td {
	word-wrap: break-word;
}

a {
	color: #ffffff;
	text-decoration: none;
}

a:hover {
	color: #000000;
	text-shadow:0px 0px 10px #ffffff;
}

input,select,textarea {
	border: 1px #000000 solid;
	-moz-border-radius: 5px;
	-webkit-border-radius:5px;
	border-radius:5px;
}

.gas {
	background-color: #1f1f1f;
	color: #ffffff;
	cursor: pointer;
}

select {
	background-color: transparent;
	color: #ffffff;
}

select:after {
	cursor: pointer;
}

.linka {
	background-color: transparent;
	color: #ffffff;
}

.up {
	background-color: transparent;
	color: #fff;
}

option {
	background-color: #1f1f1f;
}

::-webkit-file-upload-button {
  background: transparent;
  color: #fff;
  border-color: #fff;
  cursor: pointer;
}
</style> 
  <center> 
   <font face="Bungee" size="9" color="green">[ Shell TYG - Team ] </font>
  </center> 
  <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
   <tbody>
    <tr>
     <td> <br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> <img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOPKXxpu3j902a5fGn-amQEWksOMHjoFhpVVZYjMvJ7ODpFc1MJbCb6MMtYKWZvkmcC6flOoifyrSsOi1QnhYV8GlZXXVyo38sYjwwgULeGNGiJ0zLzuBB9rzNyWG-nYOSZNesUwVUhwh4mLQKBbX_lKNcdaevRVBAJBe7Old_ML0gL8iQUXFbpo3lmw/s1024/PicsArt_04-05-04.42.38.png" border="0" width="3464" height="120" style="object-fit: scale-down; max-width: 100%" onclick="location.href = 'https://t.me/TYG_TEAM';"><br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> Server : <font color="green">Microsoft-IIS/8.5</font><br>System : <font color="green">Windows NT PARSDATA-WEB120 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) i586</font><br>User : <font color="green">daketir_web&nbsp;</font>( <font color="green">0</font>)<br>PHP Version : <font color="green">5.6.30</font><br>Disable Function : <font color="red">exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail</font><br>Directory : &nbsp;<a href="?path=D:">D:</a>/<a href="?path=D:/PARSDATA">PARSDATA</a>/<a href="?path=D:/PARSDATA/Users">Users</a>/<a href="?path=D:/PARSDATA/Users/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir/wwwroot">wwwroot</a>/</td>
    </tr>
    <tr>
     <td><br>Upload File : 
      <form enctype="multipart/form-data" method="post"> 
       <input type="radio" value="1" name="dirnya" checked>current_dir [ 
       <font color="green">Writeable</font> ] 
       <input type="radio" value="2" name="dirnya">document_root [ 
       <font color="green">Writeable</font> ] 
       <br> 
       <input type="hidden" name="upwkwk" value="aplod"> 
       <input type="file" name="berkas">
       <input type="submit" name="berkasnya" value="Upload" class="up" style="cursor: pointer; border-color: red">
       <br> 
       <input type="text" name="darilink" class="up" placeholder="https://anon7.xyz/upload.txt">&nbsp;
       <input type="text" name="namalink" class="up" size="3" placeholder="file.txt">
       <input type="submit" name="linknya" class="up" value="Upload" style="cursor: pointer; border-color: red"> 
      </form></td>
    </tr>
   </tbody>
  </table>
  <br>
  <div id="content">
   <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
    <tbody>
     <tr class="first"> 
      <td>
       <center>
        | Name |
       </center></td> 
      <td>
       <center>
        | Size |
       </center></td> 
      <td>
       <center>
        | Permissions |
       </center></td> 
      <td>
       <center>
        | Options |
       </center></td> 
     </tr>
     <tr class="first">
      <td></td>
      <td></td>
      <td></td>
      <td></td>
     </tr>
    </tbody>
   </table>
   <center>
    <br> Copyright By Mr Sami 2022
   </center>
  </div>
 </body>
</html>

Execution traces


Generated HTML code

<html><head> 
  <title>-::| Shell T.Y.G - TEAM |::-</title> 
  <meta name="keywords" content="Hackers Arab islamic"> 
  <meta name="description" content="Yemeni Hackers | Top1# Yemen Cyber Security Team"> 
  <meta property="og:image" content="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
  <link rel="icon" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
 </head> 
 <body bgcolor="#1f1f1f" text="#ffffff"> 
  <link href="" rel="stylesheet" type="text/css"> 
  <style>
	@import url('https://fonts.googleapis.com/css?family=Iceland');
	@import url('https://fonts.googleapis.com/css?family=Bungee');
body {
	font-family: "Iceland", cursive;
	text-shadow:0px 0px 1px #757575;
}

#content tr:hover {
	background-color: #636263;
	text-shadow:0px 0px 10px #fff;
}

#content .first {
	background-color: #25383C;
}

#content .first:hover {
	background-color: #25383C
	text-shadow:0px 0px 1px #757575;
}

table {
	border: 1px #000000 dotted;
	table-layout: fixed;
}

td {
	word-wrap: break-word;
}

a {
	color: #ffffff;
	text-decoration: none;
}

a:hover {
	color: #000000;
	text-shadow:0px 0px 10px #ffffff;
}

input,select,textarea {
	border: 1px #000000 solid;
	-moz-border-radius: 5px;
	-webkit-border-radius:5px;
	border-radius:5px;
}

.gas {
	background-color: #1f1f1f;
	color: #ffffff;
	cursor: pointer;
}

select {
	background-color: transparent;
	color: #ffffff;
}

select:after {
	cursor: pointer;
}

.linka {
	background-color: transparent;
	color: #ffffff;
}

.up {
	background-color: transparent;
	color: #fff;
}

option {
	background-color: #1f1f1f;
}

::-webkit-file-upload-button {
  background: transparent;
  color: #fff;
  border-color: #fff;
  cursor: pointer;
}
</style> 
  <center> 
   <font face="Bungee" size="9" color="green">[ Shell TYG - Team ] </font>
  </center> 
  <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
   <tbody>
    <tr>
     <td> <br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> <img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOPKXxpu3j902a5fGn-amQEWksOMHjoFhpVVZYjMvJ7ODpFc1MJbCb6MMtYKWZvkmcC6flOoifyrSsOi1QnhYV8GlZXXVyo38sYjwwgULeGNGiJ0zLzuBB9rzNyWG-nYOSZNesUwVUhwh4mLQKBbX_lKNcdaevRVBAJBe7Old_ML0gL8iQUXFbpo3lmw/s1024/PicsArt_04-05-04.42.38.png" border="0" width="3464" height="120" style="object-fit: scale-down; max-width: 100%" onclick="location.href = 'https://t.me/TYG_TEAM';"><br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> Server : <font color="green">Microsoft-IIS/8.5</font><br>System : <font color="green">Windows NT PARSDATA-WEB120 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) i586</font><br>User : <font color="green">daketir_web&nbsp;</font>( <font color="green">0</font>)<br>PHP Version : <font color="green">5.6.30</font><br>Disable Function : <font color="red">exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail</font><br>Directory : &nbsp;<a href="?path=D:">D:</a>/<a href="?path=D:/PARSDATA">PARSDATA</a>/<a href="?path=D:/PARSDATA/Users">Users</a>/<a href="?path=D:/PARSDATA/Users/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir/wwwroot">wwwroot</a>/</td>
    </tr>
    <tr>
     <td><br>Upload File : 
      <form enctype="multipart/form-data" method="post"> 
       <input type="radio" value="1" name="dirnya" checked="">current_dir [ 
       <font color="green">Writeable</font> ] 
       <input type="radio" value="2" name="dirnya">document_root [ 
       <font color="green">Writeable</font> ] 
       <br> 
       <input type="hidden" name="upwkwk" value="aplod"> 
       <input type="file" name="berkas">
       <input type="submit" name="berkasnya" value="Upload" class="up" style="cursor: pointer; border-color: red">
       <br> 
       <input type="text" name="darilink" class="up" placeholder="https://anon7.xyz/upload.txt">&nbsp;
       <input type="text" name="namalink" class="up" size="3" placeholder="file.txt">
       <input type="submit" name="linknya" class="up" value="Upload" style="cursor: pointer; border-color: red"> 
      </form></td>
    </tr>
   </tbody>
  </table>
  <br>
  <div id="content">
   <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
    <tbody>
     <tr class="first"> 
      <td>
       <center>
        | Name |
       </center></td> 
      <td>
       <center>
        | Size |
       </center></td> 
      <td>
       <center>
        | Permissions |
       </center></td> 
      <td>
       <center>
        | Options |
       </center></td> 
     </tr>
     <tr class="first">
      <td></td>
      <td></td>
      <td></td>
      <td></td>
     </tr>
    </tbody>
   </table>
   <center>
    <br> Copyright By Mr Sami 2022
   </center>
  </div>
 

</body></html>

Original PHP code

<html>
 <head> 
  <title>-::| Shell T.Y.G - TEAM |::-</title> 
  <meta name="keywords" content="Hackers Arab islamic"> 
  <meta name="description" content="Yemeni Hackers | Top1# Yemen Cyber Security Team"> 
  <meta property="og:image" content="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
  <link rel="icon" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6WCaQ0tJjkS9fLST_N3ulqyhjXDfLd7frVs1mhp5VQDi_Gdrrg00wmM-PFPYVmeixeIa-dCaK_ILkLmzl7krn8L4dSoH5Yk8oWy1CmUaJTH6Vhv0yQtQ3KABBe_wxnBNOoeNw84VjCd9QVIPAQCG5coxOfYPBPMqchz5gOjeohZpf7_8EzPqJ-AOuBA/s686/PicsArt_04-05-03.10.50.png"> 
 </head> 
 <body bgcolor="#1f1f1f" text="#ffffff"> 
  <link href="" rel="stylesheet" type="text/css"> 
  <style>
	@import url('https://fonts.googleapis.com/css?family=Iceland');
	@import url('https://fonts.googleapis.com/css?family=Bungee');
body {
	font-family: "Iceland", cursive;
	text-shadow:0px 0px 1px #757575;
}

#content tr:hover {
	background-color: #636263;
	text-shadow:0px 0px 10px #fff;
}

#content .first {
	background-color: #25383C;
}

#content .first:hover {
	background-color: #25383C
	text-shadow:0px 0px 1px #757575;
}

table {
	border: 1px #000000 dotted;
	table-layout: fixed;
}

td {
	word-wrap: break-word;
}

a {
	color: #ffffff;
	text-decoration: none;
}

a:hover {
	color: #000000;
	text-shadow:0px 0px 10px #ffffff;
}

input,select,textarea {
	border: 1px #000000 solid;
	-moz-border-radius: 5px;
	-webkit-border-radius:5px;
	border-radius:5px;
}

.gas {
	background-color: #1f1f1f;
	color: #ffffff;
	cursor: pointer;
}

select {
	background-color: transparent;
	color: #ffffff;
}

select:after {
	cursor: pointer;
}

.linka {
	background-color: transparent;
	color: #ffffff;
}

.up {
	background-color: transparent;
	color: #fff;
}

option {
	background-color: #1f1f1f;
}

::-webkit-file-upload-button {
  background: transparent;
  color: #fff;
  border-color: #fff;
  cursor: pointer;
}
</style> 
  <center> 
   <font face="Bungee" size="9" color="green">[ Shell TYG - Team ] </font>
  </center> 
  <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
   <tbody>
    <tr>
     <td> <br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> <img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOPKXxpu3j902a5fGn-amQEWksOMHjoFhpVVZYjMvJ7ODpFc1MJbCb6MMtYKWZvkmcC6flOoifyrSsOi1QnhYV8GlZXXVyo38sYjwwgULeGNGiJ0zLzuBB9rzNyWG-nYOSZNesUwVUhwh4mLQKBbX_lKNcdaevRVBAJBe7Old_ML0gL8iQUXFbpo3lmw/s1024/PicsArt_04-05-04.42.38.png" border="0" width="3464" height="120" style="object-fit: scale-down; max-width: 100%" onclick="location.href = 'https://t.me/TYG_TEAM';"><br> <font face="Bungee" size="2" color="green">______________________________________________</font><br> Server : <font color="green">Microsoft-IIS/8.5</font><br>System : <font color="green">Windows NT PARSDATA-WEB120 6.3 build 9600 (Windows Server 2012 R2 Datacenter Edition) i586</font><br>User : <font color="green">daketir_web&nbsp;</font>( <font color="green">0</font>)<br>PHP Version : <font color="green">5.6.30</font><br>Disable Function : <font color="red">exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,mail</font><br>Directory : &nbsp;<a href="?path=D:">D:</a>/<a href="?path=D:/PARSDATA">PARSDATA</a>/<a href="?path=D:/PARSDATA/Users">Users</a>/<a href="?path=D:/PARSDATA/Users/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir">daket.ir</a>/<a href="?path=D:/PARSDATA/Users/daket.ir/daket.ir/wwwroot">wwwroot</a>/</td>
    </tr>
    <tr>
     <td><br>Upload File : 
      <form enctype="multipart/form-data" method="post"> 
       <input type="radio" value="1" name="dirnya" checked>current_dir [ 
       <font color="green">Writeable</font> ] 
       <input type="radio" value="2" name="dirnya">document_root [ 
       <font color="green">Writeable</font> ] 
       <br> 
       <input type="hidden" name="upwkwk" value="aplod"> 
       <input type="file" name="berkas">
       <input type="submit" name="berkasnya" value="Upload" class="up" style="cursor: pointer; border-color: red">
       <br> 
       <input type="text" name="darilink" class="up" placeholder="https://anon7.xyz/upload.txt">&nbsp;
       <input type="text" name="namalink" class="up" size="3" placeholder="file.txt">
       <input type="submit" name="linknya" class="up" value="Upload" style="cursor: pointer; border-color: red"> 
      </form></td>
    </tr>
   </tbody>
  </table>
  <br>
  <div id="content">
   <table width="700" border="0" cellpadding="3" cellspacing="1" align="center"> 
    <tbody>
     <tr class="first"> 
      <td>
       <center>
        | Name |
       </center></td> 
      <td>
       <center>
        | Size |
       </center></td> 
      <td>
       <center>
        | Permissions |
       </center></td> 
      <td>
       <center>
        | Options |
       </center></td> 
     </tr>
     <tr class="first">
      <td></td>
      <td></td>
      <td></td>
      <td></td>
     </tr>
    </tbody>
   </table>
   <center>
    <br> Copyright By Mr Sami 2022
   </center>
  </div>
 </body>
</html>