memoris.php - remailer

Simple, well-coded PHP remailer, using a dropper shared with lots of other malware.

Origin

IP Address 94.185.85.210

Looks like a Euro-zone IP address. The IP block and its routing are said to be handled by a Swedish company, while the NOC is Dutch.

inetnum:        94.185.85.0 - 94.185.85.255
netname:        SE-NETROUTING
descr:          Netrouting Telecom Sweden
country:        SE
created:        2012-05-24T14:23:34Z
last-modified:  2012-05-24T14:23:34Z

person:         Netrouting NOC
org:            ORG-NA302-RIPE
address:        Boyleweg 2
address:        3208 KA Spijkenisse
address:        The Netherlands
phone:          +31 880454600
created:        2011-02-05T16:47:17Z
last-modified:  2017-10-30T22:12:49Z

route:          94.185.80.0/21
descr:          Netrouting Sweden
origin:         AS47869
mnt-by:         NETROUTING-MNT
created:        2013-07-10T13:37:34Z
last-modified:  2013-07-10T13:37:34Z

Download

It appears that the attacker thought they were sending requests to an instance of WSO (Web Shell by oRb). The HTTP POST parameters were stereotypical for a WSO request.

| Parameter | Value          |
|-----------|----------------|
| a         | Php            |
| c         |                |
| p1        | ...source code |
| p2        |                |
| p3        |                |
| charset   | Windows-1251   |
| pass      | nhzgrf         |

The "a" parameter value of "Php" indicates that the attacker(s) were emulating a human using WSO interactively for immediate PHP evaluation. WSO has a text area in which a human can type or paste PHP source, and have it evaluated on the compromised machine on which WSO executes. "nhzgrf" is a very common password for WSO shells.

Analysis

Dropper

This is the "FileWrite" dropper used by:

Mailer

The final file, memoris.php, is a pretty basic remailer. You make an HTTP POST request with parameters

  • mailto
  • msgheader
  • msgbody
  • msgheader

memoris.php uses PHP's mail() built-in to send the email. It does one remailed email per POST. It does nothing fancy: no macro expansion, no handling of multiple "To:" addresses, no appending of garbage strings to try to fool spam catchers.
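As an added example (not code from the original write-up), the following detector covers both request shapes this page describes: the WSO "Php" evaluation POST from the Download section and the memoris.php remailer POST just described. It classifies a captured form-encoded body and, for remailer requests, recovers the base64-encoded mail fields for triage; the sample bodies, addresses and message text are constructed placeholders.

```python
# Added example, not from the original write-up: classify captured HTTP POST
# bodies into the two request shapes described on this page (a WSO "Php" eval
# request and a memoris.php remailer request) and decode the remailer's
# base64 fields. Sample bodies below are constructed; addresses are placeholders.
import base64
import binascii
from urllib.parse import parse_qs, urlencode

WSO_EVAL_KEYS = {"a", "c", "p1", "p2", "p3", "charset", "pass"}
MEMORIS_KEYS = {"mailto", "msgheader", "msgbody"}


def _decode_b64(value: str):
    """Strict base64 decode; returns None if the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {key: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_post(body: str) -> str:
    """Return 'wso-eval', 'memoris-remailer' or 'other' for one POST body."""
    params = parse_body(body)
    keys = set(params)
    # WSO: a=Php selects interactive evaluation; p1 carries the PHP source.
    if WSO_EVAL_KEYS <= keys and params["a"] == "Php":
        return "wso-eval"
    # memoris.php: all three mail parameters present and base64-decodable.
    if MEMORIS_KEYS <= keys and all(_decode_b64(params[k]) is not None for k in MEMORIS_KEYS):
        return "memoris-remailer"
    return "other"


def memoris_fields(body: str) -> dict:
    """Decode the remailer's mailto/msgheader/msgbody; {} if not a memoris request."""
    if classify_post(body) != "memoris-remailer":
        return {}
    params = parse_body(body)
    return {k: _decode_b64(params[k]).decode("utf-8", "replace") for k in MEMORIS_KEYS}


# Constructed sample bodies. urlencode percent-encodes '+' and '/' so parse_qs
# hands the base64 back intact; a raw '+' in a body would decode to a space.
SAMPLE_WSO = urlencode({"a": "Php", "c": "", "p1": "<?php echo 1; ?>", "p2": "",
                        "p3": "", "charset": "Windows-1251", "pass": "nhzgrf"})
SAMPLE_MEMORIS = urlencode({k: base64.b64encode(v.encode()).decode() for k, v in
                            {"mailto": "victim@example.invalid",
                             "msgheader": "From: sender@example.invalid",
                             "msgbody": "placeholder body"}.items()})
SAMPLE_BENIGN = urlencode({"username": "alice", "password": "hunter2"})
```

Bodies whose mail parameters are present but not valid base64 fall through to "other", matching the script's own requirement that every field decode.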

The coding style is consistent, if a little idiosyncratic. Indentation is consistent, but not uniform:

if(isset($_POST["mailto"]))
        $MailTo = base64_decode($_POST["mailto"]);
else
 {
 echo "indata_error";
 exit;
 }

The single-line "true" clause is indented 8 spaces, while the "false" clause is indented by one single space. The braces themselves are indented, an odd, Pascal-like style.

The author was careful to return machine-parseable error and success messages, although most of them are "indata_error", which doesn't distinguish between a problem with an address, a body or a header.

I give it a B-.