Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1666
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Sat Jan 26, 2013 10:45 am

in the wild, just upx -d

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sat Jan 26, 2013 10:55 am

Thanks Xyly! Can't believe this malware is so "not protected"

Even after a simple "strings" run you can see what happens, like where it sends logs and so on... anyway your review is straightforward.
www.posterminalworld.la
/api/process.php?xy=
dmpz.log
KARTOXA007

kloent
Posts: 10
Joined: Sat Nov 10, 2012 9:00 am

Re: Point-of-Sale malwares / RAM scrapers

Post by kloent » Sat Jan 26, 2013 5:20 pm

The same string "kartoxa" can be found in mmon.exe from this post: http://www.kernelmode.info/forum/viewto ... 756#p17063

aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by aaSSfxxx » Sat Jan 26, 2013 7:15 pm

Hello,

Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious Firefox extension droppers; sload1.exe was dropped by the Andromeda bot).

They seem to target posw32.exe (software used in petrol stations, as far as I found).

https://www.virustotal.com/file/46504b8 ... 359279697/ > 5/46
https://www.virustotal.com/file/e585f95 ... 359279699/ > 5/46

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by unixfreaxjp » Thu Jan 31, 2013 10:31 am

aaSSfxxx wrote: Hello,
Just found these samples today on http://royjamesinsurance.com/images/ (the sload.exe and sload1.exe are just malicious Firefox extension droppers, sload1.exe was dropped by the Andromeda bot).
I am sorry, I wanted to help analyze this, but I did not understand your report.
1. You put attachments of three files as per below:
[screenshot]
I saw two of them (the red marked) were uploaded to VT as per the URL you posted.
Are these the files you mentioned as THEY, or the sload.exe and sload1.exe files? Because I didn't find these sload.exe and sload1.exe and don't know their hashes.
2. You mentioned you got it from http://royjamesinsurance.com/images/ ? From which URL precisely?
I flushed the server:
[screenshot]
And can't see any binary location on it. PoC:
[screenshot]

Your reply will help. Thanks.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Thu Jan 31, 2013 10:49 am

Here are all of them + the latest one before the bad guy removed all the files because of the malware report.

Let us know about your findings.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by unixfreaxjp » Thu Jan 31, 2013 12:27 pm

To: @exitthematrix
Cc: @Xylit0l
exitthematrix wrote: Here there are all of them + latest one before the bad guy removed all the files..
Oh man..., why didn't you say this sooner? :-)
Anyway friend, I just finished analyzing the two binaries you posted to PC as per the "previous" attachment....
Will post to this thread soon.

To @Xylit0l: Like I promised, I investigated, but did not know the nature / scheme of infection, thus I am so confused & not sure which binary you mentioned in the PM to analyze; anyway I did wack every piece of data (almost everything I think) from TcpAdaptorService.exe and TcpAdaptorService1.exe. This is going to be a long post, I will post soon..
Salute to KernelMode, I will share my monitor data, so feel free to submit your thoughts.

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by unixfreaxjp » Thu Jan 31, 2013 1:40 pm

There are two samples that I fetched from this forum, guessing they were the subject (looks like the wrong ones in the end..)
Both work with the same logic, so let's call it by its filename, TcpAdaptorService.exe. I started with the below details.
Yes, I ran it:
[screenshot]
It ran the net command & executed net1.exe to start the malicious daemon process:
[screenshot]
In the end this process/daemon is responsible for everything and stays resident.
With the service name retalix:
[screenshot]

During infection, it runs this operation: http://pastebin.com/raw.php?i=99FE4MYs
You'll see registry and file queries. The point is, it sets these Cryptography values (see log above / not FP, important to crack the crypt):

"RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 6D 7B CA A8 FF C8 F9 02 99 7F B6 FD 9C 12 11 DE"
Additionally the below values are queried:

HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default)","SUCCESS","Type: REG_DWORD, Length: 4, Data: 13"
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode","NAME NOT FOUND","Length: 16"
You'll see more details in the pastebin, so what about the daemon/process kicked off?
This is the full log: http://pastebin.com/raw.php?i=U08Re7GF
And the highlights are: the computer name info, Terminal Server & \WinSock2\Parameters data was grabbed.
In memory we know how it executed:

Retalix
cmd /c net start %s
What happened when we let this run?
Actually NO networking in my monitoring case.. Oh yes, I captured all traffic for some hours, PoC:
[screenshot]

Capture data:
I have memory dump strings here http://pastebin.com/raw.php?i=80kHafVK with the binary here http://www.mediafire.com/?7alsybv27c9rwvt
All the registry activity I shot is here: http://pastebin.com/raw.php?i=KrPg2n23 (maybe there's a little missing, pls check)
Sorry, can't share the PCAP for privacy purposes.. (nothing in there anyway)
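
A small triage script, added here as an example and not part of unixfreaxjp's post, that scans Process Monitor style CSV lines (constructed sample rows mirroring the Operation/Path/Result/Detail layout quoted above) for the behaviours this post describes: the net start launch of the service, the retalix service key, the Terminal Server probes and the Cryptography\RNG\Seed write. The process names, PIDs and seed bytes in the sample are made up; note that RNG\Seed is maintained by the Microsoft CSP and rewritten as processes use CryptoAPI, so on its own that event shows the process used CryptoAPI rather than revealing a key.

```python
import csv
import io
import re

# Constructed Process Monitor style CSV (not from the thread); it mirrors the
# "Operation","Path","Result","Detail" layout quoted in the post with process/PID added.
SAMPLE_LOG = r'''"Process Name","PID","Operation","Path","Result","Detail"
"TcpAdaptorService.exe","1208","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1320, Command line: cmd /c net start retalix"
"net.exe","1344","Process Create","C:\Windows\System32\net1.exe","SUCCESS","PID: 1352, Command line: net1 start retalix"
"services.exe","520","RegOpenKey","HKLM\System\CurrentControlSet\Services\retalix","SUCCESS","Desired Access: Read"
"TcpAdaptorService.exe","1208","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"TcpAdaptorService.exe","1208","RegQueryValue","HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"TcpAdaptorService.exe","1208","RegSetValue","HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed","SUCCESS","Type: REG_BINARY, Length: 80, Data: 00 11 22 33"
"explorer.exe","1500","RegQueryValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ, Length: 20, Data: Notepad"
'''

# Each rule is (finding label, predicate over one parsed row).
RULES = [
    # "cmd /c net start %s" seen in memory: net.exe / net1.exe starting a service.
    ("service started via net start",
     lambda r: r["Operation"] == "Process Create"
     and re.search(r"\bnet1?\s+start\b", r["Detail"], re.I) is not None),
    # Service key for the service name the post reports (retalix).
    ("retalix service key touched",
     lambda r: r["Operation"].startswith("Reg")
     and r["Path"].lower().endswith(r"\services\retalix")),
    # TSAppCompat / TSUserEnabled reads: checking for a Terminal Server session.
    ("Terminal Server settings probed",
     lambda r: r["Operation"] == "RegQueryValue"
     and r"\terminal server\ts" in r["Path"].lower()),
    # Rewritten by the Microsoft CSP as a process uses CryptoAPI; evidence of CryptoAPI use, not a key.
    ("CryptoAPI RNG seed rewritten",
     lambda r: r["Operation"] == "RegSetValue"
     and r["Path"].lower().endswith(r"\cryptography\rng\seed")),
]

def triage(log_text):
    """Map each finding label to the sorted 'process(pid)' entries that triggered it."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        for label, pred in RULES:
            if pred(row):
                findings.setdefault(label, set()).add(f'{row["Process Name"]}({row["PID"]})')
    return {label: sorted(procs) for label, procs in findings.items()}

if __name__ == "__main__":
    for label, procs in triage(SAMPLE_LOG).items():
        print(f"{label}: {', '.join(procs)}")
```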

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by unixfreaxjp » Thu Jan 31, 2013 1:50 pm

Ah, one more thing: it used the MS encryption, I bet with the key just made in the registry:
[screenshot]
Worth trying to decrypt the callback traffic.
PS: @Xylit0l if you have the traffic I can help to decode it with the above base.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Thu Jan 31, 2013 2:00 pm

Does the exe send any TCP data encoded with that key in the registry? And if so, what type of encryption? Thanks! Very good work.
