
I would like to know how I can analyse obfuscated PHP malware code. I heard about Cuckoo Sandbox, but it seems too overwhelming for this particular task. So I decided to run a Vagrant box, install php-cli, tcpdump, ... run the PHP code and look for connections with tcpdump, for example ...

What would you do in such a case? I would like to know if there are some dedicated tools for specific PHP malware/backdoor analysis.

Thanks :)

kondor
  • 229
  • 2
  • 6

1 Answer

1

If you have all of the PHP code for the application, you can set up a LAMP/WAMP VM and load it up in an IDE. You can run it and set your breakpoints as needed.

Turn off the network card and install and run Wireshark in the background. If you need to, you can look into some DNS spoofing applications.

If you're very concerned do all of this on dedicated hardware that is not connected to any network.

That should be enough to get you started.

KDEx
  • 4,981
  • 2
  • 20
  • 34
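Before running anything in the VM, most PHP backdoors can be unwrapped statically, because they are layered as `eval(decoder(decoder('literal')))` with the usual decoders (`base64_decode`, `gzinflate`, `gzuncompress`, `str_rot13`, `strrev`). The script below is an added example, not from the question or the answer: it reimplements those PHP decoders in Python and peels the layers one at a time without ever evaluating the code, so the analyst reads the final payload instead of running it. The sample file `SAMPLE` is constructed inside the script by wrapping a harmless `echo` two layers deep; the regex and decoder table are my assumptions about what the common wrappers look like, and a sample that uses a pattern outside that table (string concatenation such as `'ev'.'al'`, `preg_replace` with `/e`, custom XOR loops) will simply stop peeling, which is the point at which the dynamic VM approach in the answer takes over.

```python
import base64
import codecs
import re
import zlib

# PHP-equivalent decoders, operating on bytes so binary gzinflate output survives.
def php_base64_decode(data: bytes) -> bytes:
    return base64.b64decode(data)

def php_gzinflate(data: bytes) -> bytes:
    # gzinflate() is raw DEFLATE: negative wbits tells zlib to expect no header.
    return zlib.decompress(data, -zlib.MAX_WBITS)

def php_gzuncompress(data: bytes) -> bytes:
    return zlib.decompress(data)           # zlib-wrapped stream

def php_str_rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def php_strrev(data: bytes) -> bytes:
    return data[::-1]

DECODERS = {
    "base64_decode": php_base64_decode,
    "gzinflate": php_gzinflate,
    "gzuncompress": php_gzuncompress,
    "str_rot13": php_str_rot13,
    "strrev": php_strrev,
}

# Matches eval( f1( f2( ... 'literal' ) ... ) ) ; with only known decoders in the chain.
LAYER_RE = re.compile(
    r"eval\s*\(\s*(?P<chain>(?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"(?P<quote>['\"])(?P<payload>[^'\"]*)(?P=quote)\s*\)+\s*;?",
    re.IGNORECASE,
)

def peel_layers(source: str, max_layers: int = 20) -> list:
    """Return each successively revealed layer of PHP code, innermost last.

    Nothing is executed: each layer's literal is run through the decoder chain
    (innermost function first) and the result is scanned for the next eval().
    max_layers bounds the loop so a self-referential sample cannot spin forever.
    """
    layers = []
    current = source
    for _ in range(max_layers):
        m = LAYER_RE.search(current)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group("chain").lower())
        data = m.group("payload").encode("latin-1")
        for name in reversed(names):       # base64_decode(...) is applied before gzinflate(...)
            data = DECODERS[name](data)
        current = data.decode("latin-1")
        layers.append(current)
    return layers

# --- constructed sample (not real malware): a harmless echo wrapped two layers deep ---
def _php_gzdeflate(data: bytes) -> bytes:
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()

INNER_CODE = 'echo "hello from the inner layer";'
_layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(
    _php_gzdeflate(INNER_CODE.encode())).decode()
_layer2 = "eval(str_rot13(base64_decode('%s')));" % base64.b64encode(
    php_str_rot13(_layer1.encode())).decode()
SAMPLE = "<?php " + _layer2

if __name__ == "__main__":
    for depth, code in enumerate(peel_layers(SAMPLE), start=1):
        print("--- layer %d ---" % depth)
        print(code)
```

Run it against a suspicious file with `peel_layers(open(path, encoding="latin-1").read())`; if the last printed layer still contains an `eval(` that the regex did not match, the sample uses a wrapper outside the decoder table and needs the breakpoint-and-Wireshark approach from the answer.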