PHP Malware Analysis

ipgeo.php

md5: d3495d1d63a56c6aec75233a3d683f12


Deobfuscated PHP code

<?php
// Analyst notes (review): standalone "IP geolocation" page from a PHP webshell
// toolkit, sample md5 d3495d1d63a56c6aec75233a3d683f12. Each request fetches
// http://ip-api.com/json/<host> and renders the returned JSON fields as an HTML
// table. Notes below are limited to what the code and the execution trace show.

// Turn off output buffering and error display; '@' hides any failure
// (the trace records FALSE and '' as the return values).
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
// Read from POST but never referenced again in this file (trace: $text = NULL).
// Presumably a parameter shared with other tools in the kit - confirm against
// sibling samples.
$text = $_POST['code'];
// Bare undefined constant: with the '@' suppression PHP 7 falls back to the
// string 'Ip_Geolocation' (as the trace records); PHP 8 would throw an Error.
$judul = @Ip_Geolocation;
// Silence all error reporting for the rest of the page.
error_reporting(0);
?>
<body bgcolor="pink">
<div class="container">
  <div class="row">
  <div class="col">
  <div class="card">
    <div class="card-header"><p><?php 
// The deobfuscator folded str_replace("_", " ", $judul) into a literal
// (the trace still shows the str_replace call).
echo "Ip Geolocation";
?></p></div>
    <div class="card-body">
      <div class="table-responsive">
<div class="table">
<table class="table table-bordered table-striped">
    <thead>
<?php 
// Redundant: error_reporting(0) was already called above.
error_reporting(0);
// Lookup target taken from $_REQUEST, so GET, POST or cookie all work.
// No validation of any kind.
$host = $_REQUEST['host'];
// Hard-coded 2006-era Firefox 1.5 User-Agent. Together with the ip-api.com
// destination this is a stable indicator for egress/proxy logs.
$ua = array('http' => array('user_agent' => 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.3) Gecko/20060522 Firefox/1.5.0.3'));
$context = stream_context_create($ua);
// The outbound request is made unconditionally, before the empty-host check
// further down: a bare page load already contacts ip-api.com (the trace shows
// the request with an empty path suffix and the host's own public IP coming
// back). $host is spliced into the URL path without encoding.
$content = file_get_contents("http://ip-api.com/json/{$host}", false, $context);
// "Success" is a substring search on the raw body, not a check of the parsed
// status field; $count is only used through the truthiness of $match.
$match = preg_match_all("/success/", $content, $count);
?>
<p>Insert IP/Domain:</p><br>
<form action="<?php 
// Expression statement, not an echo: nothing is printed, so the form action
// ends up empty (see the generated HTML).
$_PHP_SELF;
?>" method="POST">
<input type="text" class="form-control text-primary" autocomplete="off" name="host" size="30" value="<?php 
// $host is reflected into the value attribute unescaped (contrast the
// htmlspecialchars() call in the failure branch below): reflected XSS.
if ($host) {
    echo $host;
}
?>" placeholder="google.com / 216.58.201.238" /><br>
	<br>
  <center>
<input type="submit" class="btn btn-outline-warning" value="Check" />
</form>
</center>
<br>
<?php 
if (trim($host)) {
    if ($match) {
        // The remote JSON is trusted wholesale: every field is concatenated
        // into HTML without escaping, and json_decode() failure is not checked.
        $data = json_decode($content, true);
        echo "<br>";
        echo "<div class=\"table table-responsive\">\n<thead class=\"thead-light\">\n<tr class=\"text-danger\">";
        echo '<tr><td><b>IP</b></td><td><b>:</b></td><td>' . $data['query'] . '</td></tr>';
        echo '<tr><td><b>ASN</b></td><td><b>:</b></td><td>' . $data['as'] . '</td></tr>';
        echo '<tr><td><b>Country</b></td><td><b>:</b></td><td>' . $data['country'] . '</td></tr>';
        echo '<tr><td><b>Country Code</b></td><td><b>:</b></td><td>' . $data['countryCode'] . '</td></tr>';
        echo '<tr><td><b>States</b></td><td><b>:</b></td><td>' . $data['regionName'] . '</td></tr>';
        echo '<tr><td><b>State code</b></td><td><b>:</b></td><td>' . $data['region'] . '</td></tr>';
        echo '<tr><td><b>City</b></td><td><b>:</b></td><td>' . $data['city'] . '</td></tr>';
        echo '<tr><td><b>Postal code</b></td><td><b>:</b></td><td>' . $data['zip'] . '</td></tr>';
        echo '<tr><td><b>Time zone</b></td><td><b>:</b></td><td>' . $data['timezone'] . '</td></tr>';
        echo '<tr><td><b>Service provider</b></td><td><b>:</b></td><td>' . $data['isp'] . '</td></tr>';
        echo '<tr><td><b>Company</b></td><td><b>:</b></td><td>' . $data['org'] . '</td></tr>';
        echo '<tr><td><b>Latlong coordinates</b></td><td><b>:</b></td><td>' . $data['lat'] . ', ' . $data['lon'] . '</td></tr>';
        // Google Maps link built from the reported coordinates.
        echo '<tr><td><b><a href="http://www.google.com/maps/place/' . $data['lat'] . ',' . $data['lon'] . '/@' . $data['lat'] . ',' . $data['lon'] . ',16z" target="_blank">Google Maps</a></b></td></tr>';
    } else {
        // Only this branch escapes $host before echoing it.
        echo 'Result:<br><div class="error">/!\\ Failed<br>Host Not Valid <b>' . htmlspecialchars($host) . '</b></div>';
    }
}
?>
	</table>
</div>

Execution traces

data/traces/d3495d1d63a56c6aec75233a3d683f12_trace-1676253759.4831.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:03:05.380908]
1	0	1	0.000207	393512
1	3	0	0.000333	409096	{main}	1		/var/www/html/uploads/ipgeo.php	0	0
2	4	0	0.000351	409096	ini_set	0		/var/www/html/uploads/ipgeo.php	2	2	'output_buffering'	0
2	4	1	0.000371	409168
2	4	R			FALSE
2	5	0	0.000385	409096	ini_set	0		/var/www/html/uploads/ipgeo.php	3	2	'display_errors'	0
2	5	1	0.000400	409168
2	5	R			''
1		A						/var/www/html/uploads/ipgeo.php	4	$text = NULL
1		A						/var/www/html/uploads/ipgeo.php	7	$judul = 'Ip_Geolocation'
2	6	0	0.000456	409096	error_reporting	0		/var/www/html/uploads/ipgeo.php	8	1	0
2	6	1	0.000470	409136
2	6	R			22527
2	7	0	0.000485	409096	str_replace	0		/var/www/html/uploads/ipgeo.php	15	3	'_'	' '	'Ip_Geolocation'
2	7	1	0.000501	409232
2	7	R			'Ip Geolocation'
2	8	0	0.000516	409096	error_reporting	0		/var/www/html/uploads/ipgeo.php	22	1	0
2	8	1	0.000529	409136
2	8	R			0
1		A						/var/www/html/uploads/ipgeo.php	23	$host = NULL
1		A						/var/www/html/uploads/ipgeo.php	24	$ua = ['http' => ['user_agent' => 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.3) Gecko/20060522 Firefox/1.5.0.3']]
2	9	0	0.000571	409096	stream_context_create	0		/var/www/html/uploads/ipgeo.php	25	1	['http' => ['user_agent' => 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.3) Gecko/20060522 Firefox/1.5.0.3']]
2	9	1	0.000591	410008
2	9	R			resource(3) of type (stream-context)
1		A						/var/www/html/uploads/ipgeo.php	25	$context = resource(3) of type (stream-context)
2	10	0	0.000620	409976	file_get_contents	0		/var/www/html/uploads/ipgeo.php	26	3	'http://ip-api.com/json/'	FALSE	resource(3) of type (stream-context)
2	10	1	0.109437	411240
2	10	R			'{"status":"success","country":"Sweden","countryCode":"SE","region":"AB","regionName":"Stockholm County","city":"Stockholm","zip":"126 30","lat":59.3098,"lon":17.9796,"timezone":"Europe/Stockholm","isp":"GleSYS AB","org":"GleSYS AB","as":"AS42708 GleSYS AB","query":"195.246.120.102"}'
1		A						/var/www/html/uploads/ipgeo.php	26	$content = '{"status":"success","country":"Sweden","countryCode":"SE","region":"AB","regionName":"Stockholm County","city":"Stockholm","zip":"126 30","lat":59.3098,"lon":17.9796,"timezone":"Europe/Stockholm","isp":"GleSYS AB","org":"GleSYS AB","as":"AS42708 GleSYS AB","query":"195.246.120.102"}'
2	11	0	0.109520	411160	preg_match_all	0		/var/www/html/uploads/ipgeo.php	27	3	'/success/'	'{"status":"success","country":"Sweden","countryCode":"SE","region":"AB","regionName":"Stockholm County","city":"Stockholm","zip":"126 30","lat":59.3098,"lon":17.9796,"timezone":"Europe/Stockholm","isp":"GleSYS AB","org":"GleSYS AB","as":"AS42708 GleSYS AB","query":"195.246.120.102"}'	NULL
2	11	1	0.109571	412048
2	11	R			1
1		A						/var/www/html/uploads/ipgeo.php	27	$match = 1
2	12	0	0.109599	411944	trim	0		/var/www/html/uploads/ipgeo.php	39	1	NULL
2	12	1	0.109613	411976
2	12	R			''
1	3	1	0.109627	411944
			0.109672	317424
TRACE END   [2023-02-13 00:03:05.490410]


Generated HTML code

<html><head></head><body bgcolor="pink">
<div class="container">
  <div class="row">
  <div class="col">
  <div class="card">
    <div class="card-header"><p>Ip Geolocation</p></div>
    <div class="card-body">
      <div class="table-responsive">
<div class="table">
<p>Insert IP/Domain:</p><br><input type="text" class="form-control text-primary" autocomplete="off" name="host" size="30" value="" placeholder="google.com / 216.58.201.238"><br><br><center>
<input type="submit" class="btn btn-outline-warning" value="Check">

</center><br><table class="table table-bordered table-striped">
    <thead>

<form action="" method="POST"></form>

	
  

	</thead></table>
</div></div></div></div></div></div></div></body></html>

Original PHP code

<?php
// Analyst notes (review): original, unmodified source of the ipgeo.php sample
// (md5 d3495d1d63a56c6aec75233a3d683f12). Comments only; no code changed.
// Error display and output buffering are turned off with failures suppressed.
@ini_set('output_buffering',0); 
@ini_set('display_errors', 0);
// Read from POST and never used again in this file - presumably shared with
// other tools in the same kit; confirm against sibling samples.
$text = $_POST['code'];
?>
<?php
// Bare undefined constant; on PHP 7 the '@'-suppressed fallback yields the
// string 'Ip_Geolocation' (confirmed by the trace), PHP 8 would throw an Error.
$judul=@Ip_Geolocation;
error_reporting(0);
?>
<body bgcolor="pink">
<div class="container">
  <div class="row">
  <div class="col">
  <div class="card">
    <div class="card-header"><p><?php /* page title: underscores in $judul replaced by spaces */ echo str_replace("_", " ", "$judul"); ?></p></div>
    <div class="card-body">
      <div class="table-responsive">
<div class="table">
<table class="table table-bordered table-striped">
    <thead>
<?php
// Redundant second error_reporting(0).
error_reporting(0);
// Target read from $_REQUEST (GET, POST or cookie), no validation.
$host = $_REQUEST['host'];
// Hard-coded 2006-era Firefox 1.5 User-Agent: usable as an egress-log indicator
// alongside the ip-api.com destination.
$ua = array('http' => array('user_agent' => 'Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.3) Gecko/20060522 Firefox/1.5.0.3'));
$context  = stream_context_create($ua);
// Request is sent on every page load, even with an empty host, and $host goes
// into the URL path unencoded.
$content = file_get_contents("http://ip-api.com/json/$host", false, $context);
// Substring match for "success" on the raw body, not a parsed status check.
$match = preg_match_all("/success/",$content,$count);
?>
<p>Insert IP/Domain:</p><br>
<form action="<?php /* not echoed: the form action stays empty */ $_PHP_SELF; ?>" method="POST">
<input type="text" class="form-control text-primary" autocomplete="off" name="host" size="30" value="<?php /* unescaped reflection of user input into an attribute (reflected XSS) */ if ( $host ) { echo $host; } ?>" placeholder="google.com / 216.58.201.238" /><br>
	<br>
  <center>
<input type="submit" class="btn btn-outline-warning" value="Check" />
</form>
</center>
<br>
<?php
if(trim($host))
{
if($match)
{
// Remote JSON fields are concatenated into HTML without escaping; json_decode()
// errors are not checked.
$data = json_decode( $content, true);
echo '<br>';
echo '<div class="table table-responsive">
<thead class="thead-light">
<tr class="text-danger">';
echo '<tr><td><b>IP</b></td><td><b>:</b></td><td>' . $data['query'] .'</td></tr>';
echo '<tr><td><b>ASN</b></td><td><b>:</b></td><td>' . $data['as'] .'</td></tr>';
echo '<tr><td><b>Country</b></td><td><b>:</b></td><td>' . $data['country'] .'</td></tr>';
echo '<tr><td><b>Country Code</b></td><td><b>:</b></td><td>' . $data['countryCode'] .'</td></tr>';
echo '<tr><td><b>States</b></td><td><b>:</b></td><td>' . $data['regionName'] .'</td></tr>';
echo '<tr><td><b>State code</b></td><td><b>:</b></td><td>' . $data['region'] .'</td></tr>';
echo '<tr><td><b>City</b></td><td><b>:</b></td><td>' . $data['city'] .'</td></tr>';
echo '<tr><td><b>Postal code</b></td><td><b>:</b></td><td>' . $data['zip'] .'</td></tr>';
echo '<tr><td><b>Time zone</b></td><td><b>:</b></td><td>' . $data['timezone'] .'</td></tr>';
echo '<tr><td><b>Service provider</b></td><td><b>:</b></td><td>' . $data['isp'] .'</td></tr>';
echo '<tr><td><b>Company</b></td><td><b>:</b></td><td>' . $data['org'] .'</td></tr>';
echo '<tr><td><b>Latlong coordinates</b></td><td><b>:</b></td><td>' . $data['lat'] . ', ' . $data['lon'] .'</td></tr>';
// Google Maps link at the reported coordinates.
echo '<tr><td><b><a href="http://www.google.com/maps/place/' . $data['lat'] . ',' . $data['lon'] .'/@' . $data['lat'] . ',' . $data['lon'] . ',16z" target="_blank">Google Maps</a></b></td></tr>';
}
else
{
// The only place $host is escaped before output.
echo 'Result:<br><div class="error">/!\ Failed<br>Host Not Valid <b>' . htmlspecialchars($host) . '</b></div>';
}
}
?>
	</table>
</div>