PHP Malware Analysis

cjcj.pl

md5: ace3ff0b3ade26e860b80d590202a678

Attributes

URLs


Deobfuscated PHP code

Failed to deobfuscate code

Execution traces

data/traces/ace3ff0b3ade26e860b80d590202a678_trace-1676260904.9633.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:02:10.861162]
1	0	1	0.000137	393512
1	3	0	0.000188	401224	{main}	1		/var/www/html/uploads/cjcj.pl	0	0
1	3	1	0.000208	401336
			0.000229	314224
TRACE END   [2023-02-13 02:02:10.861281]


Generated HTML code

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
<title>CiH_Telnet</title>

</head>
<body onload="document.f.p.focus()" bgcolor="#000000" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
<table border="1" width="100%" cellspacing="0" cellpadding="2">
<tbody><tr>
<td bgcolor="#C2BFA5" bordercolor="#000080" align="center">
<b><font color="#000080" size="2">#</font></b></td>
<td bgcolor="#000080"><font face="Verdana" size="2" color="#009900"><b>CIH-Telnet CiH Connected to 10.0.2.2</b></font></td>
</tr>
<tr>
<td colspan="2" bgcolor="#C2BFA5"><font face="Verdana" size="2">
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=upload&amp;d=%2fopt%2flampp%2fhtdocs%2fphpScan%2fqueue">Upload File</a> | 
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=download&amp;d=%2fopt%2flampp%2fhtdocs%2fphpScan%2fqueue">Download File</a> |
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=logout">Disconnect</a> |
<a href="http://www.cih-iq.org">Help</a>
</font></td>
</tr>
</tbody></table>
<font color="#009900" size="3">
<code>
Trying 10.0.2.2...<br>
Connected to 10.0.2.2<br>
Escape character is ^]
<code><pre><font color="#ff0000">   
 _____   _____   _____   _____           _____        _               _          
/  __ \ |_   _| |_   _| |_   _|         |_   _|      | |             | |
| /  \/   | |     | |_____| |    ______   | |    ___ | | _ __    ___ | |_
| |       | |     | |_____| |   |______|  | |   / _ \| || '_ \  / _ \| __|
| \__/\  _| |_   _| |_   _| |_            | |  |  __/| || | | ||  __/| |_
 \____/  \___/  |_____| |_____|           \_/   \___||_||_| |_| \___| \__|
                                         
</font><font color="#FF0000">                      ______             </font><font color="#AE8300">© 2013, CiH_H@CkErZ</font><font color="#FF0000">
                   .-"      "-.
                  /    CiH     \
                 |              |
                 |,  .-.  .-.  ,|
                 | )(_o/  \o_)( |
                 |/     /\     \|
       (@_       (_     ^^     _)
  _     ) \</font><font color="#009900">_______</font><font color="#FF0000">\</font><font color="#009900">__</font><font color="#FF0000">|* CiH *|</font><font color="#009900">__</font><font color="#FF0000">/</font><font color="#009900">_______________________
</font><font color="#FF0000"> (_)</font><font color="#009900">@8@8</font><font color="#FF0000">{}</font><font color="#009900">&lt;________</font><font color="#FF0000">|-\H@CkErZ/-|</font><font color="#009900">________________________&gt;</font><font color="#FF0000">
        )_/        \          / 
       (@           `--------`
             </font><font color="#AE8300">W A R N I N G: Private Server</font></pre>

<code>
<form name="f" method="POST" action="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin">
<input type="hidden" name="a" value="login">
login: CiH<br>
password:<input type="password" name="p">
<input type="submit" value="Enter">
</form>
</code>
</code></code></font>


<code><code>
<title>Server error!</title>
<link rev="made" href="mailto:you@example.com">
<style type="text/css"><!--/*--><![CDATA[/*><!--*/ 
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>



<h1>Server error!</h1>
<p>


  

    The server encountered an internal error and was 
    unable to complete your request.

    </p>
<p>


    Error message:
    <br>Argument "" isn't numeric in subroutine entry at /opt/lampp/lib/perl5/site_perl/5.34.1/x86_64-linux-thread-multi/ModPerl/RegistryCooker.pm line 174.


  

</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:you@example.com">webmaster</a>.

</p>

<h2>Error 500</h2>
<address>
  <a href="/">10.0.2.2</a><br>
  <span>Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1</span>
</address>



</code></code></body></html>

Original PHP code

<html>
<head>
<title>CiH_Telnet</title>

</head>
<body onLoad="document.f.p.focus()" bgcolor="#000000" topmargin="0" leftmargin="0" marginwidth="0" marginheight="0">
<table border="1" width="100%" cellspacing="0" cellpadding="2">
<tr>
<td bgcolor="#C2BFA5" bordercolor="#000080" align="center">
<b><font color="#000080" size="2">#</font></b></td>
<td bgcolor="#000080"><font face="Verdana" size="2" color="#009900"><b>CIH-Telnet CiH Connected to 10.0.2.2</b></font></td>
</tr>
<tr>
<td colspan="2" bgcolor="#C2BFA5"><font face="Verdana" size="2">
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=upload&d=%2fopt%2flampp%2fhtdocs%2fphpScan%2fqueue">Upload File</a> | 
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=download&d=%2fopt%2flampp%2fhtdocs%2fphpScan%2fqueue">Download File</a> |
<a href="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin?a=logout">Disconnect</a> |
<a href="http://www.cih-iq.org">Help</a>
</font></td>
</tr>
</table>
<font color="#009900" size="3">
<code>
Trying 10.0.2.2...<br>
Connected to 10.0.2.2<br>
Escape character is ^]
<code><pre><font color="#ff0000">   
 _____   _____   _____   _____           _____        _               _          
/  __ \ |_   _| |_   _| |_   _|         |_   _|      | |             | |
| /  \/   | |     | |_____| |    ______   | |    ___ | | _ __    ___ | |_
| |       | |     | |_____| |   |______|  | |   / _ \| || '_ \  / _ \| __|
| \__/\  _| |_   _| |_   _| |_            | |  |  __/| || | | ||  __/| |_
 \____/  \___/  |_____| |_____|           \_/   \___||_||_| |_| \___| \__|
                                         
</font><font color="#FF0000">                      ______             </font><font color="#AE8300">© 2013, CiH_H@CkErZ</font><font color="#FF0000">
                   .-&quot;      &quot;-.
                  /    CiH     \
                 |              |
                 |,  .-.  .-.  ,|
                 | )(_o/  \o_)( |
                 |/     /\     \|
       (@_       (_     ^^     _)
  _     ) \</font><font color="#009900">_______</font><font color="#FF0000">\</font><font color="#009900">__</font><font color="#FF0000">|* CiH *|</font><font color="#009900">__</font><font color="#FF0000">/</font><font color="#009900">_______________________
</font><font color="#FF0000"> (_)</font><font color="#009900">@8@8</font><font color="#FF0000">{}</font><font color="#009900">&lt;________</font><font color="#FF0000">|-\H@CkErZ/-|</font><font color="#009900">________________________&gt;</font><font color="#FF0000">
        )_/        \          / 
       (@           `--------`
             </font><font color="#AE8300">W A R N I N G: Private Server</font></pre>

<code>
<form name="f" method="POST" action="/phpScan/queue/cjcj.pl.2c1eb7e4524c4be6f8b43c03c8b0743e.bin">
<input type="hidden" name="a" value="login">
login: CiH<br>
password:<input type="password" name="p">
<input type="submit" value="Enter">
</form>
</code>
</font></body></html><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Server error!</title>
<link rev="made" href="mailto:you@example.com" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/ 
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Server error!</h1>
<p>


  

    The server encountered an internal error and was 
    unable to complete your request.

    </p>
<p>


    Error message:
    <br />Argument "" isn't numeric in subroutine entry at /opt/lampp/lib/perl5/site_perl/5.34.1/x86_64-linux-thread-multi/ModPerl/RegistryCooker.pm line 174.


  

</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:you@example.com">webmaster</a>.

</p>

<h2>Error 500</h2>
<address>
  <a href="/">10.0.2.2</a><br />
  <span>Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/8.1.6 mod_perl/2.0.12 Perl/v5.34.1</span>
</address>
</body>
</html>