PHP Malware Analysis

AcuTestEXIF1433.jpg

md5: 73c2e9cc35dc347063c546af847dbcca

Attributes

Title
  • AcuTestEXIF1433.jpg (128×128) (HTML)

URLs
  • http://localhost/AcuTestEXIF1433.jpg (HTML)
  • http://ns.adobe.com/xap/1.0/ (Original)
  • http://ns.microsoft.com/photo/1.0/ (Original)
  • http://purl.org/dc/elements/1.1/ (Original)
  • http://www.w3.org/1999/02/22-rdf-syntax-ns# (Original)


Deobfuscated PHP code

Failed to deobfuscate code

Execution traces


Generated HTML code

<html style="height: 100%;"><head><meta name="viewport" content="width=device-width, minimum-scale=0.1"><title>AcuTestEXIF1433.jpg (128×128)</title></head><body style="margin: 0px; background: #0e0e0e; height: 100%"><img style="display: block;-webkit-user-select: none;margin: auto;background-color: hsl(0, 0%, 90%);transition: background-color 300ms;" src="http://localhost/AcuTestEXIF1433.jpg"></body></html>

Original PHP code

<svg onload=alert(7346763)><svg onload=alert(7346763)><svg onload=alert(7346763)><svg onload=alert(7346763)> onload=alert'exif')><svg onload=alert'exif')>;<svg onload=alert(7346763)>nload=alert(1)><svg onload=alert(7346763)>nload=alert(1)><svg onload=alert(7346763)>alert(1)><svg onload=alert(7346763)><svg onload=alert(7346763)>alert(1)><svg onload=alert(7346763)>ouacunetix wvs
http://ns.adobe.com/xap/1.0/<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:rights><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Alt>
			</dc:rights><dc:title><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Alt>
			</dc:title><dc:description><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Alt>
			</dc:description><dc:creator><rdf:Seq xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Seq>
			</dc:creator><dc:subject><rdf:Bag xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Bag>
			</dc:subject></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:MicrosoftPhoto="http://ns.microsoft.com/photo/1.0/"><MicrosoftPhoto:CameraSerialNumber>&lt;svg onload=alert(7346763)&gt;</MicrosoftPhoto:CameraSerialNumber><MicrosoftPhoto:FlashManufacturer>&lt;svg onload=alert(7346763)&gt;</MicrosoftPhoto:FlashManufacturer><MicrosoftPhoto:FlashModel>&lt;svg onload=alert(7346763)&gt;</MicrosoftPhoto:FlashModel><MicrosoftPhoto:LensManufacturer>&lt;svg onload=alert(7346763)&gt;</MicrosoftPhoto:LensManufacturer><MicrosoftPhoto:LensModel>&lt;svg onload=alert(7346763)&gt;</MicrosoftPhoto:LensModel><MicrosoftPhoto:LastKeywordXMP><rdf:Bag xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li>&lt;svg onload=alert(7346763)&gt;</rdf:li></rdf:Bag>
			</MicrosoftPhoto:LastKeywordXMP></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"/></rdf:RDF></x:xmpmeta>
                                                                                                    
                             <?xpacket end='w'?>