PHP Malware Analysis

mjm.php

md5: a5abc587c2f52aa64064259a4c2dbf99


Screenshot


Attributes

Input

Title

URLs


Deobfuscated PHP code

<?php

// Analyst note: entry point of a browser-driven bulk mailer that relays
// through the Mailjet Send API. No authentication or access check appears
// anywhere in this listing, so whoever can request the file can use the form.
session_start();
// On submit, the key pair typed into the form is copied verbatim into the PHP
// session. The form further down echoes these session values (and several
// $_POST values) back into the page without HTML-escaping.
// Forensics: the host's session storage may therefore hold the operator's
// Mailjet credentials (where exactly depends on the session configuration).
if (isset($_POST['ok'])) {
    $_SESSION['pukey'] = $_POST['pukey'];
    $_SESSION['prkey'] = $_POST['prkey'];
}
?>

<!DOCTYPE html>
<html>
<head>
	<style type="text/css">
		form, div {
			width: 800px;
			margin-left: auto;
			margin-right: auto;
		}
		input, textarea, button {
			width: 100%;
			padding: 10px;
			display: block;
			margin-bottom: 10px;
		}
		* {
		    -webkit-box-sizing: border-box;
		    -moz-box-sizing: border-box;
		    box-sizing: border-box;
		}
		textarea {
			height: 180px;
		}
	</style>
	<title>MailJet</title>
</head>
<body>
	<form method="post">
		<input type="text" name="pukey" placeholder="Public Key" value="<?php 
echo @$_SESSION['pukey'];
?>" required>
		<input type="text" name="prkey" placeholder="Private Key" value="<?php 
echo @$_SESSION['prkey'];
?>" required>
		<input type="text" name="sendern" placeholder="Sender name" value="<?php 
echo @$_POST['sendern'];
?>" required>
		<input type="text" name="sendere" placeholder="Sender email" value="<?php 
echo @$_POST['sendere'];
?>" required>
		<input type="text" name="subject" placeholder="Subject" value="<?php 
echo @$_POST['subject'];
?>">
		<textarea name="html" placeholder="Code HTML"><?php 
echo @$_POST['html'];
?></textarea>
		<textarea name="list" placeholder="Mail list" required></textarea>
		<button name="ok">Send</button>
	</form>
<div>

<?php 
// Analyst note: send loop of the mailer. It runs only when the form was
// submitted through the "ok" button. Every value used below is read from
// $_POST as-is; nothing in this block validates, limits or escapes it.
// Defensive takeaways: deny PHP execution in web-writable directories, and
// alert on web-server egress to mail-API endpoints the site does not
// legitimately use.
if (isset($_POST['ok'])) {
    // Mailjet API key pair supplied by the operator through the form.
    $public_key = $_POST['pukey'];
    $private_key = $_POST['prkey'];
    // Sender name, sender address, subject and HTML body are all
    // operator-controlled, which is what makes this usable for spoofed or
    // phishing mail sent on the key owner's Mailjet account.
    $sendern = $_POST['sendern'];
    $sendere = $_POST['sendere'];
    $subject = $_POST['subject'];
    $codehtml = $_POST['html'];
    // One recipient per line of the "list" textarea.
    $list = explode(PHP_EOL, $_POST['list']);
    foreach ($list as $email) {
        // Send API v3.1 payload: a single message to a single recipient,
        // HTML part only (no text part is set).
        $data = array('Messages' => array(0 => array('From' => array('Email' => $sendere, 'Name' => $sendern), 'To' => array(0 => array('Email' => $email)), 'Subject' => $subject, 'HTMLPart' => $codehtml)));
        // Commented-out key pair left in the sample. Presumably Mailjet
        // credentials (the author's or a victim's) - unverified; treat as an
        // indicator and report to the provider for revocation.
        // $public_key = "7707c176263d4a70eeb687477ba00b18";
        // $private_key = "c0fb76fe300e7821914be70c8448d6d4";
        // Network indicator: one outbound HTTPS POST to api.mailjet.com per
        // recipient, authenticated with HTTP Basic (public:private key) and a
        // JSON body.
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, 'https://api.mailjet.com/v3.1/send');
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_USERPWD, $public_key . ':' . $private_key);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));
        $result = curl_exec($ch);
        // Transport errors are printed to the page; the loop still continues.
        if (curl_errno($ch)) {
            echo 'Error:' . curl_error($ch);
        }
        curl_close($ch);
        // When the request failed, $result is false, the decode yields null
        // and both lookups below evaluate to null.
        $response = json_decode($result, true);
        $status = $response['Messages'][0]['Status'];
        $to = $response['Messages'][0]['To'][0]['Email'];
        // NOTE(analysis): "=" is an assignment, not a comparison. The branch
        // is always taken and $status is overwritten with 'success', so the
        // else branch is dead code. The "success" lines this page prints are
        // not evidence of delivery; use provider-side logs for that.
        if ($status = 'success') {
            // $to comes from the API response and is echoed unescaped.
            echo "<p>+ " . $to . " ====> " . $status . "</p>";
        } else {
            echo "<p>+ " . $email . " ====> Something went wrong !</p>";
        }
        // Push each result line to the browser as soon as it is produced
        // (effective only if an output buffer is active).
        ob_flush();
        flush();
    }
    ob_end_flush();
}
?>
</div>
</body>
</html>

Execution traces

data/traces/a5abc587c2f52aa64064259a4c2dbf99_trace-1676257770.3744.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:09:56.272221]
1	0	1	0.000150	393512
1	3	0	0.000286	413224	{main}	1		/var/www/html/uploads/mjm.php	0	0
2	4	0	0.000302	413224	session_start	0		/var/www/html/uploads/mjm.php	3	0
2	4	1	0.000356	413976
2	4	R			TRUE
1	3	1	0.000381	413976
			0.000412	314816
TRACE END   [2023-02-13 01:09:56.272512]


Generated HTML code

<html><head>
	<style type="text/css">
		form, div {
			width: 800px;
			margin-left: auto;
			margin-right: auto;
		}
		input, textarea, button {
			width: 100%;
			padding: 10px;
			display: block;
			margin-bottom: 10px;
		}
		* {
		    -webkit-box-sizing: border-box;
		    -moz-box-sizing: border-box;
		    box-sizing: border-box;
		}
		textarea {
			height: 180px;
		}
	</style>
	<title>MailJet</title>
</head>
<body>
	<form method="post">
		<input type="text" name="pukey" placeholder="Public Key" value="" required="">
		<input type="text" name="prkey" placeholder="Private Key" value="" required="">
		<input type="text" name="sendern" placeholder="Sender name" value="" required="">
		<input type="text" name="sendere" placeholder="Sender email" value="" required="">
		<input type="text" name="subject" placeholder="Subject" value="">
		<textarea name="html" placeholder="Code HTML"></textarea>
		<textarea name="list" placeholder="Mail list" required=""></textarea>
		<button name="ok">Send</button>
	</form>
<div>

</div>

</body></html>

Original PHP code

<?php

// Analyst note: original (pre-deobfuscation) form of the sample. It starts a
// session and, on submit, keeps the Mailjet key pair in it so the form can
// re-populate itself. There is no login or access check in this file.
session_start();

// The key pair is stored exactly as posted. The form below prints it, and the
// other posted fields, back into the page with no HTML-escaping.
// Forensics: session data on the host may contain these credentials.
if (isset($_POST['ok'])) {
	$_SESSION['pukey'] = $_POST['pukey'];
	$_SESSION['prkey'] = $_POST['prkey'];
}

?>

<!DOCTYPE html>
<html>
<head>
	<style type="text/css">
		form, div {
			width: 800px;
			margin-left: auto;
			margin-right: auto;
		}
		input, textarea, button {
			width: 100%;
			padding: 10px;
			display: block;
			margin-bottom: 10px;
		}
		* {
		    -webkit-box-sizing: border-box;
		    -moz-box-sizing: border-box;
		    box-sizing: border-box;
		}
		textarea {
			height: 180px;
		}
	</style>
	<title>MailJet</title>
</head>
<body>
	<form method="post">
		<input type="text" name="pukey" placeholder="Public Key" value="<?=@$_SESSION['pukey']?>" required>
		<input type="text" name="prkey" placeholder="Private Key" value="<?=@$_SESSION['prkey']?>" required>
		<input type="text" name="sendern" placeholder="Sender name" value="<?=@$_POST['sendern']?>" required>
		<input type="text" name="sendere" placeholder="Sender email" value="<?=@$_POST['sendere']?>" required>
		<input type="text" name="subject" placeholder="Subject" value="<?=@$_POST['subject']?>">
		<textarea name="html" placeholder="Code HTML"><?=@$_POST['html']?></textarea>
		<textarea name="list" placeholder="Mail list" required></textarea>
		<button name="ok">Send</button>
	</form>
<div>

<?php

// Analyst note: bulk-send routine. It is triggered by the form's "ok" button
// and relays one message per recipient through the Mailjet Send API, using
// whatever key pair, sender identity, subject and HTML body were posted.
// No input is validated or escaped in this block.
// Defensive takeaways: deny PHP execution in web-writable directories, and
// alert on web-server egress to mail-API endpoints the site does not use.
if (isset($_POST['ok'])) {

	// Operator-supplied Mailjet API key pair.
	$public_key = $_POST['pukey'];
	$private_key = $_POST['prkey'];

	// Fully operator-controlled sender identity and subject.
	$sendern = $_POST['sendern'];
	$sendere = $_POST['sendere'];
	$subject = $_POST['subject'];

	// HTML body, plus the recipient list split into one address per line.
	$codehtml = $_POST['html'];
	$list = explode(PHP_EOL, $_POST['list']);

	foreach ($list as $email) {

		// Send API v3.1 payload: one message, one recipient, HTML part only.
		$data = array (
		  'Messages' => 
		  array (
		    0 => 
		    array (
		      'From' => 
		      array (
		        'Email' => $sendere,
		        'Name' => $sendern,
		      ),
		      'To' => 
		      array (
		        0 => 
		        array (
		          'Email' => $email
		  ),
		      ),
		      'Subject' => $subject,
		      'HTMLPart' => $codehtml,
		    ),
		  ),
		);

		// Commented-out key pair left in the sample. Presumably Mailjet
		// credentials (the author's or a victim's) - unverified; treat as an
		// indicator and report to the provider for revocation.
		// $public_key = "7707c176263d4a70eeb687477ba00b18";
		// $private_key = "c0fb76fe300e7821914be70c8448d6d4";

		// Network indicator: an HTTPS POST to api.mailjet.com for every
		// recipient, with HTTP Basic auth (public:private key) and a JSON body.
		$ch = curl_init();
		curl_setopt($ch, CURLOPT_URL, 'https://api.mailjet.com/v3.1/send');
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($ch, CURLOPT_POST, 1);
		curl_setopt($ch, CURLOPT_USERPWD, $public_key . ':' . $private_key);
		curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
		curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));

		$result = curl_exec($ch);
		// Transport errors are shown on the page; processing carries on.
		if (curl_errno($ch)) {
		    echo 'Error:' . curl_error($ch);
		}

		curl_close($ch);

		// A failed request leaves $result false, so the decode gives null and
		// the two lookups below evaluate to null.
		$response = json_decode($result, true);

		$status = $response['Messages'][0]['Status'];

		$to = $response['Messages'][0]['To'][0]['Email'];

		// NOTE(analysis): "=" assigns rather than compares. This branch always
		// runs, $status becomes 'success' and the else branch is unreachable,
		// so the printed "success" lines do not prove delivery; check
		// provider-side logs instead.
		if ($status = 'success') {
			// $to is taken from the API response and printed unescaped.
			echo "<p>+ ". $to ." ====> ". $status ."</p>";
		}else {
			echo "<p>+ ". $email ." ====> Something went wrong !</p>";
		}
		
		// Stream each result line to the browser as it is produced
		// (effective only if an output buffer is active).
		ob_flush();
		flush();
	}

	ob_end_flush();


}


?>
</div>
</body>
</html>