PHP Malware Analysis

Something I find quite interesting is PHP malware. It usually comes in the form of web shells, which I write a bit about in Improving web shells with asymmetric encryption. These samples often use obfuscation to make it harder to understand what the code is actually doing. However, with enough time and determination it is possible to break them down and understand their actions and, in some cases, their vulnerabilities.

In particular I'm looking for:

  • Behavior: the actions they perform (changing files, remote code execution, etc.).
  • Sources: any URLs or other mentions of the creators.
  • Vulnerabilities: ways for someone other than the operator to access or take over the malware.

Please let me know if you have any good ideas on what to look for!

Method: I'm currently using PHPDeobfuscator to deobfuscate the PHP files. I'm hoping to be able to contribute to this awesome repo too! After deobfuscation, I statically analyze the code to extract high-level features and interesting data: for example, features such as the encoding and execution techniques used, and data such as URLs and email addresses.
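As an added example of the static pass described above (my own sketch, not PHPDeobfuscator's code), the script below scans a deobfuscated PHP source string for execution and encoding functions, request superglobals that feed them, embedded URLs and email addresses, and base64 string literals that decode to readable text. The sample PHP and its indicators are constructed for illustration; the function lists are a small starting set, not a complete catalogue.

```python
import base64
import re
from collections import Counter

# Constructed sample (not real malware): the shape of a typical obfuscated shell.
SAMPLE = r'''<?php
$k = "YmFzZTY0X2RlY29kZQ==";
eval(gzinflate(base64_decode($_POST["c"])));
@system($_GET["cmd"]);
// contact: dropper@example.com  panel: http://example.com/panel.php
?>'''

EXEC_FUNCS = {"eval", "assert", "system", "exec", "shell_exec", "passthru",
              "popen", "proc_open", "create_function"}
ENCODE_FUNCS = {"base64_decode", "gzinflate", "gzuncompress", "gzdecode",
                "str_rot13", "strrev", "hex2bin", "urldecode"}
CALL_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*\(')
EXEC_LINE_RE = re.compile(r'\b(?:' + '|'.join(sorted(EXEC_FUNCS)) + r')\s*\(')
INPUT_RE = re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE|SERVER)\b')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
B64_LIT_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')

def decode_b64_literals(src):
    """Base64 string literals that decode to printable ASCII (often hidden function names)."""
    out = {}
    for lit in B64_LIT_RE.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            out[lit] = text
    return out

def extract_features(src):
    """Static feature and indicator extraction over a (deobfuscated) PHP source string."""
    calls = Counter(m.group(1).lower() for m in CALL_RE.finditer(src))
    return {
        "execution": sorted(f for f in calls if f in EXEC_FUNCS),
        "encoding": sorted(f for f in calls if f in ENCODE_FUNCS),
        "inputs": sorted(set(INPUT_RE.findall(src))),
        # Lines where an executor and a request superglobal co-occur: a crude static
        # signature of "attacker-supplied input reaches code execution".
        "tainted_exec": [ln.strip() for ln in src.splitlines()
                         if EXEC_LINE_RE.search(ln) and INPUT_RE.search(ln)],
        "urls": sorted(set(URL_RE.findall(src))),
        "emails": sorted(set(EMAIL_RE.findall(src))),
        "decoded_literals": decode_b64_literals(src),
    }
```

Calling `extract_features(SAMPLE)` reports `eval` and `system` as executors, `base64_decode` and `gzinflate` as encoders, both request lines as tainted, the URL and email, and the literal decoding to `base64_decode`.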