- Decodes to some incomplete PHP with trailing junk bytes, probably because the Base64 encoding got a bad character in it.
- Redirects human-run browsers, but deletes all .htaccess files if it gets a specially-valued "google" cookie parameter.
- Downloaded to a fake WSO web shell, via the "Php" action. This action is designed for interactive use; using it for backdoor code evaluation is a bit tedious.
DNS has 185.13.5.43 → s43.freehost.com.ua. `whois freehost.com.ua` reveals it to be Kyiv, Ukraine based. `geoiplookup` has it in Ukraine, too. `p0f3` has 185.13.5.43 as FreeBSD 9.x or newer. `nmap` says:

    Aggressive OS guesses: FreeBSD 7.1-RELEASE - 9.0-CURRENT (96%), FreeBSD 10.3-RELEASE (94%), FreeBSD 8.1-RELEASE (92%), FreeBSD 9.1-RELEASE or 10.1-RELEASE (92%), OpenBSD 4.0 (x86) (91%), FreeBSD 9.2-RELEASE (91%), FreeBSD 7.0-RELEASE-p1 - 10.0-CURRENT (91%), FreeBSD 9.0-RELEASE (91%), FreeBSD 7.0-BETA4 - 7.0 (90%), Cisco AsyncOS 9.6 - 9.7 (90%)

but it also gets back "OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)" from the SSH server.
- Hand edit `185.13.5.43WljQJso.scans` into `data.b64`
- Base64 encoded text - decode: `base64 -d data.b64 > data.raw`
- Partially deobfuscate: `revphp -X data.raw > t1.php`
The Base64-encoded data in file `data.b64` is corrupted: there's an ASCII blank in the middle of line 266 that I replaced with a 'K'. Files `data.raw` and `t1.php` have some garbage at the end that can't be read by a human or by the PHP interpreter.
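Locating the corrupt character and choosing its replacement can be automated instead of done by hand. The following is an added Python example, not code from this repo: it reports every non-Base64 character with its line and column, and for a single bad character tries all 64 possible replacements and ranks them by how text-like the decoded bytes around that spot look, leaving the final pick to the analyst. The sample input in the test is constructed.

```python
import base64
import binascii
import string

# Standard Base64 alphabet; '=' is padding and is only legal at the very end.
B64_ALPHABET = string.ascii_letters + string.digits + "+/"


def find_bad_chars(text):
    """List every character outside the Base64 alphabet as (line, col, char).
    Line breaks are ignored, as `base64 -d` tolerates them; '=' is ignored too."""
    bad = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch not in B64_ALPHABET and ch != "=":
                bad.append((lineno, col, ch))
    return bad


def decode_with(flat, idx, ch):
    """Decode line-break-free Base64 text with the digit at idx replaced by ch."""
    fixed = flat[:idx] + ch + flat[idx + 1:]
    fixed += "=" * (-len(fixed) % 4)  # tolerate stripped padding
    return base64.b64decode(fixed)


def rank_repairs(text, window=16):
    """Assume exactly one corrupted character. Try all 64 alphabet characters in
    its place and rank them by the share of printable bytes decoded around it.
    Returns [(char, score, snippet)] best first, or [] unless exactly one bad
    character exists. Ties are expected: one 6-bit digit only partly determines
    its neighbouring bytes, so the analyst picks from the top-scored group."""
    flat = text.replace("\r", "").replace("\n", "")
    bad = [i for i, c in enumerate(flat) if c not in B64_ALPHABET and c != "="]
    if len(bad) != 1:
        return []
    idx = bad[0]
    byte_pos = idx * 3 // 4  # first decoded byte this digit influences
    results = []
    for ch in B64_ALPHABET:
        try:
            data = decode_with(flat, idx, ch)
        except binascii.Error:
            continue  # bad length/padding for this candidate: skip it
        snippet = data[max(byte_pos - window, 0):byte_pos + window]
        printable = sum(1 for b in snippet if 32 <= b < 127 or b in (9, 10, 13))
        results.append((ch, printable / max(len(snippet), 1), snippet))
    results.sort(key=lambda r: r[1], reverse=True)
    return results
```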
It's pretty clear that `t1.php` has some encoded, embedded text in it. To decode that:

- Hand-edit `t1.php` into `f1.php`
- Invoke: `php f1.php` - this creates file `calculation.php`
- Pretty print: `pp.php calculation.php > cf.php`
Obfuscation seems to have rendered the whole effort moot, in that the Base64-encoded dropper doesn't decode properly. Bottom feeders don't test adequately, I guess.
The downloader expects a WSO instance, probably 2.9, but at least a derivative of 2.5: the download has POST name/value pairs with names "a", "p" and "pw". An example of this WSO variant is in "Deeply obfuscated WSO web shell" in this repo; it uses "a" for the action, "p" for parameter, and "pw" for password. That WSO variant invokes `eval(base64_decode($_POST['p']));` to evaluate PHP, which matches nicely with the dropper's encoding.
The code dropped, `calculation.php`, has some amusing functions:

If `calculation.php` is invoked with a cookie that has a parameter named "google" in it, it tries to delete all .htaccess files from its own directory up to the uppermost directory it can reach. This code probably works under both Linux and Windows.

If `calculation.php` is invoked without a cookie that has a "google" parameter, it composes HTML with some random gibberish content in it, and obfuscated JavaScript that redirects browsers to:

    http://diet-weigh-tlos.world/?a=401336&c=cpcdiet&s=04122017

The number values may indicate the web site/hacked WordPress instance that they downloaded to. Nothing in the code indicates.
DNS says diet-weigh-tlos.world → 23.227.160.102, and 23.227.160.102 → 23-227-160-102-customer-incero.com. `whois` says 23.227.160.102 is part of 23.227.160.64/26 assigned to inceronetowrk.com in New Zealand, AS54540. `traceroute` shows 23.227.160.102 as physically located in Dallas, Texas.

Wow, what a mess.