Earliest pastebin occurrence of Jijle3

File 8EEfu6gM is the result of wget https://pastebin.com/raw/8EEfu6gM

Deobfuscation

  1. Pretty-print 8EEfu6gM into f1.php
  2. Change "eval" to "print", invoke php f1.php > dc1.php
  3. Pretty-print dc1.php into f2.php - the decoding function uses a variable $_X defined in f1.php
  4. Edit f2.php into f1.php.
  5. Invoke php f1.php > dc2.php
  6. Pretty-print dc2.php into f3.php
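
Step 2's "eval" to "print" edit can be scripted so that only real eval( calls are rewritten and string literals that still mention eval are flagged for review. This is an added example, not part of the original write-up; the sample input is constructed, and the function name neutralise is hypothetical.

```python
import re

# Constructed sample standing in for one obfuscation layer (not from the paste).
SAMPLE = r'''<?php
$_X = "cHJpbnQgMTs=";            // medieval payload
$note = 'eval($_X) stays text';
@EVAL(base64_decode($_X));
$obj->eval($_X);
'''

# String literals and comments are matched first, so an "eval" inside them is
# consumed with the literal and never rewritten. Heredocs are not handled.
TOKEN = re.compile(r'''
    (?P<skip> '(?:\\.|[^'\\])*'              # single-quoted string
            | "(?:\\.|[^"\\])*"              # double-quoted string
            | //[^\n]* | \#[^\n]*            # line comments
            | /\*.*?\*/ )                    # block comment
  | (?P<call> (?<![\w$>:]) eval (?=\s*\() )  # eval( used as the language construct
''', re.VERBOSE | re.DOTALL | re.IGNORECASE)


def neutralise(php_source):
    """Return (rewritten_source, calls_rewritten, string_literals_mentioning_eval)."""
    rewritten = 0
    flagged = []

    def swap(match):
        nonlocal rewritten
        if match.group('call'):
            rewritten += 1
            return 'print'          # the next layer is printed instead of executed
        literal = match.group('skip')
        # A quoted string containing "eval" may be executed later by other code,
        # so report it for manual review rather than silently leaving it.
        if literal[0] in '\'"' and re.search('eval', literal, re.IGNORECASE):
            flagged.append(literal)
        return literal

    return TOKEN.sub(swap, php_source), rewritten, flagged


if __name__ == '__main__':
    source, count, review = neutralise(SAMPLE)
    print(source)
    print('eval calls rewritten:', count)
    print('string literals to review:', review)
```

Code outside the rewritten eval still runs when the output is passed to php, so the invoke steps belong in an isolated analysis machine.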

Analysis

Now we can reasonably compare this pastebin occurrence with the one my honeypot caught to see how the "Martyr's Crew" does software engineering.

This version: Jijle3 PHP Shell v 0.1

The one I caught: Jijle3 PHP Shell v 0.1.8

A number of HTML and spelling changes occurred between v0.1 and v0.1.8, and a small amount of dead code got deleted.

It looks like not much changes, except appearance. I think that's consistent with timid programmers who may not have a good grasp of what their code base is intended to do. Since the code base is filled with borrowed or copied code, that makes a lot of sense.