This repo contains files from some malware that infected PHP-based websites (specifically Wordpress websites) in Dcember 2022.

All files that have .infected in the filename were retrieved from an infected server in their natural state. Files with .reversed are files that I've begun reverse engineering and only contain code pertaining to the malware.

The command and control servers appears to be the following:

• http://3829-ch4-v26.zxckid.com
• https://c.wiv3.com
• https://c.oiv3.com
• http://51la.izv3.com/a.txt <-- appears to show nothing on the page, but using view source you can see that PHP code is being sent in the response
• http://51la.izv3.com/?d=<base64 encoded request object>
• http://c.jkv2.com/1
• http://3843-ch4-v22.freeykc.com/

A virus-total collection for these documents can be found here: https://www.virustotal.com/gui/collection/9b8304f062e3ce294a50deb00512a8c40dc3cd24f9256c1c65ffc73f59adddbc

Full writeup analysis writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/