
Deobfuscating a Malicious PHP Downloader

Category: Development (PHP) | Posted by: 店小二05 | Date: 2016 | Author: 红领巾

A PHP script was sent to me by reader Nuno, who got it from a hacked Joomla website and wanted to know what it was. He said the script was prepended to several legitimate PHP files. Looking into it a bit, I found that it is related to the WordPress hacks via MailPoet back in 2014, according to Sucuri's write-ups.

The original script from 2014 is pretty much the same as this one after you deobfuscate it so it appears that its creator updated the obfuscation layer since then. Here’s what the 2014 script looks like:


[Screenshot: the 2014 version of the script]

And then it was modified some time later.


[Screenshot: the later modified version of the script]

This is what the PHP script looks like today.


[Screenshot: the current version of the script]

At the bottom is the code that deobfuscates the blob above. I make the following change to it, replacing the call that executes the decoded data with one that prints it:


[Screenshot: the modified deobfuscation call]

And I get the deobfuscated result.


[Screenshot: the first (truncated) deobfuscated output]

However, the result gets truncated. This is probably because there are HTML-looking tags in the output, which the browser swallows, so I have to modify my change to this:


[Screenshot: the revised change, escaping the output before printing it]

Now I can get the entire script.


[Screenshot: the full deobfuscated script]

After I unescape it, I can see at the bottom a call to the deobfuscation function. I repeat the same step as above.


[Screenshot: the deobfuscation function call at the bottom of the next layer]

To get this:


[Screenshot: the output of the second round]

I keep doing this for two more rounds and end up with this. The for-loop at the bottom deobfuscates the last remaining blobs by passing them to the "oo1" and "oo2" functions above.


[Screenshot: the final layer with the oo1/oo2 functions and the for-loop]

I grab functions from the previous rounds and put them all here. Finally you can see what this does.


[Screenshot: the fully deobfuscated script]
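The rounds above all follow one pattern: find the call that executes a decoded blob, apply the inverse of each decoder in front of it, and repeat on the result. The post does this by hand in PHP, swapping the execute call for a print call and escaping the output so the browser does not swallow the tags. The following Python script is an added example (not the author's code and not the malware's) that does the same peeling without running any of the recovered PHP. It knows the common stock decoders (base64_decode, str_rot13, strrev, gzinflate); a sample's own helpers such as the "oo1"/"oo2" functions would have to be added to DECODERS once their bodies have been read, which is the manual step the post describes. The packed input is constructed inside the script by a toy wrapper so the example is self-contained.

```python
import base64
import codecs
import html
import re
import zlib

# Inverse of each PHP decoder a packer commonly chains in front of eval().
# Everything is handled as latin-1 text so binary (deflated) layers round-trip.
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
    "gzinflate": lambda s: zlib.decompress(s.encode("latin-1"), -15).decode("latin-1"),
}

CALL_RE = re.compile(r"(\w+)\(\s*")     # one "name(" opener
STRING_RE = re.compile(r"'([^']*)'")    # the single-quoted blob


def peel_layer(code):
    """Undo one eval(f1(f2(...('blob')))) layer without executing anything.
    Returns (inner_code, [f1, f2, ...]) or None when code is not such a layer."""
    m = re.search(r"eval\(\s*", code)
    if not m:
        return None
    rest = code[m.end():]
    chain = []
    while True:
        c = CALL_RE.match(rest)
        if not c:
            break
        chain.append(c.group(1))
        rest = rest[c.end():]
    s = STRING_RE.match(rest)
    if not s or not chain:
        return None
    unknown = [fn for fn in chain if fn not in DECODERS]
    if unknown:
        raise ValueError("no inverse implemented for: " + ", ".join(unknown))
    blob = s.group(1)
    # PHP evaluates the innermost call first, i.e. the last name in the chain.
    for fn in reversed(chain):
        blob = DECODERS[fn](blob)
    return blob, chain


def peel_all(code, max_layers=20):
    """Repeat peel_layer until the code is no longer an eval() wrapper."""
    chains = []
    for _ in range(max_layers):
        result = peel_layer(code)
        if result is None:
            break
        code, chain = result
        chains.append(chain)
    return code, chains


def safe_to_display(code):
    """Escape the recovered PHP so a browser shows it verbatim instead of
    swallowing '<?php' and HTML-looking tags (the truncation seen in the post)."""
    return html.escape(code, quote=False)


# --- constructed test input: a toy wrapper that builds layers of the same shape ---
def _deflate(s):
    co = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, as gzdeflate() makes
    return (co.compress(s.encode("latin-1")) + co.flush()).decode("latin-1")

ENCODERS = {
    "base64_decode": lambda s: base64.b64encode(s.encode("latin-1")).decode("ascii"),
    "str_rot13": lambda s: codecs.encode(s, "rot_13"),
    "strrev": lambda s: s[::-1],
    "gzinflate": _deflate,
}


def wrap_layers(code, layers):
    """Wrap code once per entry of layers; each entry lists decoders outermost
    first, e.g. ["gzinflate", "base64_decode"] -> eval(gzinflate(base64_decode('..')))."""
    for chain in layers:
        blob = code
        for fn in chain:                 # apply the inverses outermost-first
            blob = ENCODERS[fn](blob)
        code = "eval(" + "(".join(chain) + "('" + blob + "')" + ")" * len(chain) + ";"
    return code


PLAIN = "<?php echo 'hello'; ?>"        # constructed "payload"
SAMPLE_LAYERS = [["gzinflate", "base64_decode"],
                 ["strrev", "base64_decode"],
                 ["str_rot13", "base64_decode"]]
PACKED = wrap_layers(PLAIN, SAMPLE_LAYERS)

if __name__ == "__main__":
    recovered, chains = peel_all(PACKED)
    print(len(chains), "layers peeled:", chains)
    print(safe_to_display(recovered))
```

peel_layer stops with a ValueError rather than guessing when it meets a decoder it has no inverse for; that is the moment to read the function body from the previous round and add it, exactly as the post collects the functions from earlier rounds before the final step.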

The script gets some HTTP info, randomly selects a domain (33db9538 .com, 9507c4e8 .com, e5b57288 .com, or 54dfa1cb .com), and makes a request to its C&C using one of five methods until one works. The HTTP GET requests look something like this:

hxxp://54dfa1cb .com/743373?nBcDCJtttnWOB7AFwE6JSD2%252B9FWohBE48s54engkXvlo7MmPmabcMTRfK5tqJyYRYA4xsNOviBQDEFq2uGAIfWs%253D.vxcX.60JI.vXyZAJNtdCnP.%252FkaXEZd1

hxxp://33db9538 .com/941577?cqzyJtttwfqjfH%252FwfN8k7f%252FSpz9SnXR016abcKoeOzkdP9zUs2oUlKyoGy6DqbbxOPukqZ5y%252FDEFLjNyQU2GGmY%253D.Uazm.Bfm5.UXyZLzR9z6bi.EPWaPjBl
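The two requests above share a recognisable shape: an eight-hex-character .com host, a numeric path, and a query string whose %252B/%253D sequences are '+' and '=' URL-encoded twice, followed by dot-separated tokens. The script below is an added example (not from the post) that turns that shape into a log check: it refangs a URL, tests it against a pattern generalised from the two samples (the generalisation is an assumption, not something the post states), decodes the query twice, and scans a few constructed proxy-log lines. The four domains are the ones the post names; the proxy-log format and the deadbeef.com host are constructed for the example.

```python
import re
from urllib.parse import unquote

# The four C&C domains named in the write-up; the script picks one at random.
KNOWN_DOMAINS = {"33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com"}

# Shape of the two GET requests quoted above: http://<8 hex>.com/<digits>?<blob>
# (a heuristic generalised from those two samples, not something the post states)
BEACON_RE = re.compile(r"^https?://([0-9a-f]{8}\.com)/(\d+)\?(\S+)$")


def refang(url):
    """Turn a defanged 'hxxp://54dfa1cb .com/...' back into a parseable URL."""
    return url.replace("hxxp", "http").replace(" .", ".").replace("[.]", ".")


def analyse_beacon(url):
    """Return a dict describing the request if it matches the beacon shape, else None."""
    m = BEACON_RE.match(refang(url))
    if not m:
        return None
    host, path_id, blob = m.groups()
    # %252B / %253D in the samples are '+' and '=' URL-encoded twice, so the
    # query is double-encoded; decode twice, then split on the '.' separators.
    fields = unquote(unquote(blob)).split(".")
    return {
        "host": host,
        "known_cnc": host in KNOWN_DOMAINS,
        "path_id": path_id,
        "fields": fields,
    }


# Constructed proxy-log lines (timestamp, client, method, URL, status); the two
# real beacon URLs are the ones quoted above with the defanging removed, the
# deadbeef.com line is an invented host of the same shape.
SAMPLE_PROXY_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 GET http://54dfa1cb.com/743373?nBcDCJtttnWOB7AFwE6JSD2%252B9FWohBE48s54engkXvlo7MmPmabcMTRfK5tqJyYRYA4xsNOviBQDEFq2uGAIfWs%253D.vxcX.60JI.vXyZAJNtdCnP.%252FkaXEZd1 200
2016-03-01T10:00:02Z 10.0.0.5 GET http://example.org/index.php 200
2016-03-01T10:00:03Z 10.0.0.7 GET http://33db9538.com/941577?cqzyJtttwfqjfH%252FwfN8k7f%252FSpz9SnXR016abcKoeOzkdP9zUs2oUlKyoGy6DqbbxOPukqZ5y%252FDEFLjNyQU2GGmY%253D.Uazm.Bfm5.UXyZLzR9z6bi.EPWaPjBl 404
2016-03-01T10:00:04Z 10.0.0.9 GET http://deadbeef.com/5?%253D.x.y.z.w 200
"""


def scan_log(text):
    """Flag every request whose URL matches the beacon shape; a hit on a host
    outside KNOWN_DOMAINS is still reported, since the domain list may be incomplete."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, _status = parts[:5]
        info = analyse_beacon(url)
        if info:
            hits.append((client, info))
    return hits


if __name__ == "__main__":
    for client, info in scan_log(SAMPLE_PROXY_LOG):
        flag = "known C&C" if info["known_cnc"] else "same shape, unknown host"
        print(client, info["host"], info["path_id"], flag, len(info["fields"]), "fields")
```

Hits on the four named domains are worth treating as a compromised host regardless of the response code, since the post notes the C&C sites were already unresponsive; a hit on an unlisted host only tells you the request has the same shape and needs a look at the originating site.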

None of the sites were responding with anything useful at the time of this writing, so I don't know what the payload is, but if it is the same as it was back in 2014 then backdoors are created on the site, overwriting legitimate files in the process.

This is what all of the C&C websites look like:


[Screenshot: the landing page shown by the C&C websites]

If you get hit by this then you would probably need to do a fair amount of cleanup, restore from backups, or rebuild your site to ensure no backdoors are left behind.

File: 1.php

MD5: 3ED6699CE373F6BEED22F490B1D93219

VT: 2 / 54

File: 2.php

MD5: 69A1CDF5E389D6388ABB3E6DA198D998

VT: 8 / 54

File: 3.php

MD5: 733C0DD3099C514A7D067D0A20657650

VT: 4 / 54


Source: http://www.codesec.net/view/483815.html

