PHP Malware Analysis

AcuTest2101.php.php.rar, AcuTest3511.php::$DATA, AcuTest4530.php.jpg, AcuTest532.php, AcuTest5767.jpg, AcuTest7231.php3, AcuTest8823.php.123, AcuTest9356.phtml

md5: ce561c9a29e317dd4e0469b952b5322f

Deobfuscated PHP code

���JFIFHH��2<?php 
echo md5('acunetix-file-upload-test');
?>��C	!"$"$��C��"����������?����

Execution traces

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676239300.9836.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:02:06.881439]
1	0	1	0.000150	393528
1	3	0	0.000196	393856	{main}	1		/var/www/html/uploads/AcuTest532.php	0	0
2	4	0	0.000213	393856	md5	0		/var/www/html/uploads/AcuTest532.php	1	1	'acunetix-file-upload-test'
2	4	1	0.000231	393952
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000247	393856
			0.000274	314240
TRACE END   [2023-02-12 20:02:06.881594]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676241572.3769.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:39:58.274726]
1	0	1	0.000146	393656
1	3	0	0.000192	394000	{main}	1		/var/www/html/uploads/AcuTest2101.php.php.rar		0	0
2	4	0	0.000210	394000	md5	0		/var/www/html/uploads/AcuTest2101.php.php.rar		1	1	'acunetix-file-upload-test'
2	4	1	0.000227	394096
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000243	394000
			0.000269	314320
TRACE END   [2023-02-12 20:39:58.274877]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676241996.1323.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:47:02.030178]
1	0	1	0.000177	393576
1	3	0	0.000235	393904	{main}	1		/var/www/html/uploads/AcuTest9356.phtml	0	0
2	4	0	0.000257	393904	md5	0		/var/www/html/uploads/AcuTest9356.phtml	1	1	'acunetix-file-upload-test'
2	4	1	0.000281	394000
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000303	393904
			0.000334	314264
TRACE END   [2023-02-12 20:47:02.030371]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676244951.1651.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:36:17.062918]
1	0	1	0.000152	393576
1	3	0	0.000198	393904	{main}	1		/var/www/html/uploads/AcuTest7231.php3	0	0
2	4	0	0.000216	393904	md5	0		/var/www/html/uploads/AcuTest7231.php3	1	1	'acunetix-file-upload-test'
2	4	1	0.000234	394000
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000250	393904
			0.000277	314264
TRACE END   [2023-02-12 21:36:17.063074]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676248433.2253.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 22:34:19.123128]
1	0	1	0.000131	393608
1	3	0	0.000175	393952	{main}	1		/var/www/html/uploads/AcuTest3511.php::$DATA	0	0
2	4	0	0.000193	393952	md5	0		/var/www/html/uploads/AcuTest3511.php::$DATA	1	1	'acunetix-file-upload-test'
2	4	1	0.000211	394048
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000228	393952
			0.000252	314296
TRACE END   [2023-02-12 22:34:19.123275]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676261537.7078.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:12:43.605630]
1	0	1	0.000202	393608
1	3	0	0.000249	393952	{main}	1		/var/www/html/uploads/AcuTest4530.php.jpg	0	0
2	4	0	0.000266	393952	md5	0		/var/www/html/uploads/AcuTest4530.php.jpg	1	1	'acunetix-file-upload-test'
2	4	1	0.000284	394048
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000300	393952
			0.000326	314296
TRACE END   [2023-02-13 02:12:43.605838]

data/traces/ce561c9a29e317dd4e0469b952b5322f_trace-1676261890.6354.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:18:36.533264]
1	0	1	0.000182	393608
1	3	0	0.000231	393952	{main}	1		/var/www/html/uploads/AcuTest8823.php.123	0	0
2	4	0	0.000248	393952	md5	0		/var/www/html/uploads/AcuTest8823.php.123	1	1	'acunetix-file-upload-test'
2	4	1	0.000267	394048
2	4	R			'4d02070effdd7e319ca561bc66617a8a'
1	3	1	0.000284	393952
			0.000312	314296
TRACE END   [2023-02-13 02:18:36.533432]


Generated HTML code

<html><head></head><body>����JFIFHH��24d02070effdd7e319ca561bc66617a8a��C	!"$"$��C��"����������?����</body></html>

Original PHP code

���JFIFHH��2<?php echo(md5('acunetix-file-upload-test')); ?>��C	!"$"$��C��"����������?����