From 9ed5e787ca7d19dbb21e8db998fc69ed72b990b4 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 13 Apr 2018 14:10:44 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 0b770e6..053b682 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -199,7 +199,9 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
 qr/<\?php\s+\$.+?\)\.\'rev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\(\'eta\'\.\'lfn\'\.\'izg\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'st\'\.\'rr\'\.\'ev\'\;\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\(\'edo\'\.\'ced\'\.\'\_46\'\.\'esa\'\.\'b\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
-
+ qr/<\?php\s+function\s+inject\_gtm\(\$file\,\s+\&\$arr\).+?\$script\s+\=\s+\'\$\{.+?<<\/DEL\_FAIL>>\"\;\s+\}/is,
+ qr/<\?php\s+\$\{\"\\x.+?\;\$\{\"GLOB\\x.+?\)\;\$\{\$\{.+?ALS\"\}\[\".+?\@\$\{\$([A-z0-9]{1,20})\}\(\$\_POST\[\"\w\"\]\)\;echo.+?\;\?>/is,
+ qr/<\?php\s+echo.+?\.php\_uname\(\)\..+?Upload.+?Upload.+?Upload.+?\}\s+\}\s+\?>/is,
 );
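Review bot: The third added pattern (the `php_uname()` / `Upload` one) chains five unbounded `.+?` gaps under `/s`, so a match can begin at any `<?php echo` and run across unrelated code to a distant `} } ?>`; this can flag legitimate files, and if the script rewrites or removes what it matches (not visible in this hunk) the over-match would take clean code with it. The same shape backtracks heavily on large files that repeat `<?php echo` without ever completing the match, and the files this scanner reads are attacker-controlled by definition. Bounding each gap, e.g. `.{1,N}?` with N taken from the captured samples, keeps the signature tied to one block and caps the scan cost. Separately, `[A-z0-9]` in the second added pattern also admits the punctuation between `Z` and `a`; `[A-Za-z0-9_]` says what is meant. A one-line comment above each new entry naming the sample it was derived from would make later tuning possible; the `@regexen` list begins outside the hunk.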