This repo contains files from malware that infected PHP-based websites (specifically WordPress sites) in December 2022.
All files with .infected in the filename were retrieved from an infected server in their original state. Files with .reversed are ones I've begun reverse engineering; they contain only the code pertaining to the malware.
The command and control servers appear to be the following:
http://3829-ch4-v26.zxckid.com
https://c.wiv3.com
https://c.oiv3.com
http://51la.izv3.com/a.txt  <-- appears to show nothing in the browser, but viewing the page source shows that PHP code is being sent in the response
http://51la.izv3.com/?d=<base64 encoded request object>
http://c.jkv2.com/1
http://3843-ch4-v22.freeykc.com/
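Added example (not part of this repo or the original analysis): a small Python triage scanner that checks PHP files for the C2 hostnames listed above, both in plain text and inside base64 blobs at all three byte alignments, since injected PHP commonly hides such strings in base64_decode() calls. The file suffixes and the sample PHP line are constructed assumptions.

```python
import base64
from pathlib import Path

# C2 hostnames taken from the list in this README.
C2_HOSTS = [
    "3829-ch4-v26.zxckid.com", "c.wiv3.com", "c.oiv3.com",
    "51la.izv3.com", "c.jkv2.com", "3843-ch4-v22.freeykc.com",
]


def base64_variants(s):
    """Return the three base64 forms of s, one per 3-byte alignment.

    A hostname inside a larger base64 blob can start at any offset mod 3,
    so each alignment encodes differently. Characters that also depend on
    the unknown bytes before or after s are trimmed from each end.
    """
    raw = s.encode()
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + raw   # shift s within its 3-byte group
        enc = base64.b64encode(padded).decode().rstrip("=")
        lead = (0, 2, 3)[offset]            # chars that mix in the junk prefix
        tail = 1 if len(padded) % 3 else 0  # last char mixes in what follows s
        variants.append(enc[lead:len(enc) - tail])
    return variants


def find_indicators(text, hosts=C2_HOSTS):
    """Return the set of hosts found in text, in plain or base64 form."""
    return {h for h in hosts
            if h in text or any(v in text for v in base64_variants(h))}


def scan_tree(root, suffixes=(".php", ".infected")):
    """Map each file under root that references a C2 host to those hosts."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hits = find_indicators(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample of an injected line that hides a C2 URL in base64.
SAMPLE_PHP = ('<?php $u = base64_decode("'
              + base64.b64encode(b"GET http://c.wiv3.com/1").decode()
              + '");')
```

Run scan_tree() against a copy of a suspect webroot; any hit is a file worth pulling for manual review, not proof of infection by itself.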
A VirusTotal collection for these files can be found here: https://www.virustotal.com/gui/collection/9b8304f062e3ce294a50deb00512a8c40dc3cd24f9256c1c65ffc73f59adddbc
A full analysis writeup can be found here: https://hacked.codes/2022/december-2022-php-wordpress-malware-analysis/