Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.

Re: Point-of-Sale malwares / RAM scrapers

Postby benkow_ » Wed Oct 21, 2015 9:55 pm

Hum I don't know the name for these:

2 samples of the same family:
a077a9dc0c191621b1b4ca3e9801da2a https://www.virustotal.com/fr/file/a253 ... 445461460/
16e0879b63ffd98ab5adfca27e78a7aa https://www.virustotal.com/fr/file/cf06 ... 445461458/
Code:
Fuck OFF
Hello AV
GetProcAddress
CreateProcessW
SetThreadContext
VirtualAllocEx
WriteProcessMemory
NtUnmapViewOfSection
CreateProcessW
VirtualFree
ReadProcessMemory
NtUnmapViewOfSection
ntdll.dll
0xDEADBEEF
FindResource
Kernel32.dll
GetWindowsDirectoryW
Kernel32.dll
SYSTEMROOT
\system32\drivers\avc3.sys
\system32\drivers\aswSP.sys
\system32\drivers\aswFsBlk.sys
\system32\drivers\pavproc.sys
\system32\drivers\pavboot64.sys
\system32\drivers\cmdhlp.sys
\system32\drivers\inspect.sys
\system32\drivers\cmdmon.sys
\system32\drivers\AVGIDSErHr.sys
\system32\drivers\avgdiskx.sys
\system32\drivers\avgidsdriverlx.sys
\system32\drivers\mbam.sys
\system32\drivers\mbamchameleon.sys
\system32\drivers\kl1.sys
\system32\drivers\klif.sys
ExitProcess
CreateMutexW
VirtualFree
GetConsoleWindow
GetLastError
VirtualAlloc
GetEnvironmentVariableA
FindFirstFileA
Sleep
GetModuleFileNameW
GetProcAddress
GetModuleHandleA
GetFileSize
CreateProcessW
WriteFile
ReadFile
CreateFileW
CloseHandle
FindResourceW
LoadResource
SizeofResource
LockResource
VirtualProtect
GetThreadContext
GetCurrentProcess
GetModuleHandleW
ReadProcessMemory
TerminateProcess
ResumeThread
KERNEL32.dll
ShowWindow
USER32.dll
SHGetFolderPathW
SHELL32.dll
RtlUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ping -n 1 127.0.0.1 > nul
start /b "" "%AppData%\EEbeFAMMrx.exe"
ping -n 3 127.0.0.1 > nul
del "%AppData%\EEbeFAMMrx.exe"
(goto) 2>nul & del "%~f0"
BM60


fa1e987e4290da75f3bdb661f51f8e2b - https://www.virustotal.com/fr/file/52b6 ... 445461458/

Code:
MSVBVM60.DLL
ance 
0g62l
Form1
Stpe
POS_TIME
RCount
Arial
LCount
Arial
S_USB
GHOST
VB5!
INSTALL_B
UNISTALL_B
UPDATE_B
DW_EXEC
N_CONNECT
F_UAC
F_EXIST
S_EXEC
MELT
MY_PATH
G_OS
FTPUPLOAD
A_ANUBIS
D_REG
D_TASK
A_OLLY
A_SAND
A_SYS
A_BOX
A_VM
D_API
DropBox
S_PROTECT
C_DATA
R_DATA
A_MALWR
A_NORMAN
A_WINE
A_FIREWALL
M_BYTES
E_286
G_ARC
D_PROTECT
S_XOR
G_RAM
G_CPU
G_GPU
G_HD
B_64
G_BETWEEN
A_RES
P_PWD
P_FTP
P_MAIL
P_UDP
P_HTTP
P_SCREEN
P_WALLET
P_SPAM
P_KEYLOGGER
C_EOF
P_DSPREAD
N_COMMANDS
PING_SITE
GR_COMMAND
0g62l
LCount
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
POS_TIME
S_USB
GHOST
Stpe
Form
RCount
wininet.dll
DeleteUrlCacheEntryA
SHELL32
IsUserAnAdmin
hhO@
KERNEL32
Sleep
LoadLibraryA
FindExecutableA
hXP@
ShellExecuteA
GetModuleFileNameA
GetStartupInfoW
h4Q@
CreateToolhelp32Snapshot
Process32First
Process32Next
h$U@
CloseHandle
hhU@
GetCurrentProcessId
NTDLL
NtUnmapViewOfSection
h8X@
NtWriteVirtualMemory
NtSetContextThread
NtResumeThread
h$Y@
NtGetContextThread
hpY@
NtAllocateVirtualMemory
CreateProcessW
VBA6.DLL
:u9k
InternetCloseHandle
InternetOpenA
InternetOpenUrlA

+ VB stuff inside this one.

All attached
benkow_
 
Posts: 69
Joined: Sat Jan 24, 2015 12:14 pm
Reputation point: 41

Re: Point-of-Sale malwares / RAM scrapers

Postby p1nk » Thu Oct 29, 2015 1:24 am

First two have some references to KeepFUD.PW in them.

Also does a nice little AV check at the start [attached screenshot]; it looks to be based on known A/V drivers.
p1nk
 
Posts: 39
Joined: Thu Oct 29, 2015 1:09 am
Reputation point: 2
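As an added example (not code from the forum or from either poster), here is a small static triage helper that scores a strings dump for the two things the first post's samples show: the process-hollowing API cluster (CreateProcessW, NtUnmapViewOfSection, VirtualAllocEx/NtAllocateVirtualMemory, WriteProcessMemory/NtWriteVirtualMemory, Get/SetThreadContext, ResumeThread) and the AV driver paths probed under \system32\drivers. The threshold values and the constructed sample dump are assumptions; the dump is built only from strings quoted in the thread.

```python
"""Static triage of a strings dump for indicators seen in this thread's samples:
the process-hollowing API cluster and the AV driver paths the sample probes.
Added example, not from the forum post; the sample dump is constructed from
strings quoted in the thread, thresholds are assumptions."""
import re
from typing import Iterable, List

# Win32 API cluster of classic process hollowing: spawn a suspended child,
# unmap its image, write a new one, patch the thread context, resume.
HOLLOWING_WIN32 = {
    "CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
    "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread",
}
# Same technique through the native API, as the VB6 sample imports it from NTDLL.
HOLLOWING_NATIVE = {
    "CreateProcessW", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
    "NtWriteVirtualMemory", "NtGetContextThread", "NtSetContextThread",
    "NtResumeThread",
}
ANTI_DEBUG = {"IsDebuggerPresent"}
# Any .sys under \system32\drivers\; the sample checks these to spot installed AV.
DRIVER_PATH = re.compile(r"\\system32\\drivers\\([\w.-]+\.sys)\s*$", re.IGNORECASE)

# Assumed thresholds: tolerate a few missing or resolved-at-runtime imports.
API_THRESHOLD = 5
DRIVER_THRESHOLD = 3


def triage(strings: Iterable[str]) -> dict:
    """Return the matched API names, driver probes and a list of findings."""
    seen = {s.strip() for s in strings}
    win32 = sorted(seen & HOLLOWING_WIN32)
    native = sorted(seen & HOLLOWING_NATIVE)
    drivers = set()
    for s in seen:
        m = DRIVER_PATH.search(s)
        if m:
            drivers.add(m.group(1).lower())  # case-normalise for stable comparison
    findings: List[str] = []
    if len(win32) >= API_THRESHOLD:
        findings.append("process-hollowing (win32 API cluster)")
    if len(native) >= API_THRESHOLD:
        findings.append("process-hollowing (native API cluster)")
    if len(drivers) >= DRIVER_THRESHOLD:
        findings.append("AV driver probe")
    if seen & ANTI_DEBUG:
        findings.append("anti-debug")
    return {
        "hollowing_win32": win32,
        "hollowing_native": native,
        "av_drivers": sorted(drivers),
        "findings": findings,
    }


# Constructed dump: a subset of the strings quoted from the first sample.
SAMPLE_DUMP = r"""
GetProcAddress
CreateProcessW
SetThreadContext
VirtualAllocEx
WriteProcessMemory
NtUnmapViewOfSection
\system32\drivers\avc3.sys
\system32\drivers\aswSP.sys
\system32\drivers\mbam.sys
\system32\drivers\klif.sys
GetThreadContext
ResumeThread
IsDebuggerPresent
""".strip().splitlines()

# Constructed dump: the NTDLL imports of the VB6 sample plus one unrelated string.
NATIVE_DUMP = [
    "MSVBVM60.DLL", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
    "NtSetContextThread", "NtResumeThread", "NtGetContextThread",
    "NtAllocateVirtualMemory", "CreateProcessW",
]

if __name__ == "__main__":
    for name, dump in (("sample1", SAMPLE_DUMP), ("vb6", NATIVE_DUMP)):
        print(name, triage(dump)["findings"])
```

The two API sets overlap on CreateProcessW and NtUnmapViewOfSection, so a dump that only contains those two scores 2 of 7 on both and is not flagged; the threshold is what keeps a lone NtUnmapViewOfSection import from producing a hollowing verdict.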

Re: Point-of-Sale malwares / RAM scrapers

Postby Blaze » Fri Nov 13, 2015 9:13 am

AbaddonPOS.

https://www.proofpoint.com/us/threat-in ... To-Vawtrak

AbaddonPOS Exfiltration C2 IP addresses:
5.8.60.23:21910
5.8.60.23:21930
50.7.138.138:13030
50.7.138.138:15050
91.234.34.44:20940
91.234.34.44:20970
149.154.64.167:20910
149.154.64.167:20920
49.154.64.167:20940
149.154.64.167:20940
176.114.0.165:20910
176.114.0.165:21910
176.114.0.165:21940


Attached.
Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Point-of-Sale malwares / RAM scrapers

Postby Bry_Campbell » Wed Nov 25, 2015 9:39 am

Does anyone have a ModPos sample?
Bry_Campbell
 
Posts: 2
Joined: Mon Mar 02, 2015 1:47 pm
Reputation point: 0

Re: Point-of-Sale malwares / RAM scrapers

Postby EP_X0FF » Wed Nov 25, 2015 4:34 pm

Bry_Campbell wrote:Does anyone have a ModPos sample?

Malware requests go in here: viewforum.php?f=20
Currently you do not meet the requirements to make any requests.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4750
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Point-of-Sale malwares / RAM scrapers

Postby Blaze » Thu Jan 28, 2016 7:30 pm

Follow me on Twitter: @bartblaze
Blaze
 
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am
Reputation point: 71

Re: Malware collection

Postby ikolor » Sun Mar 06, 2016 5:07 pm

ikolor
 
Posts: 244
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland
Reputation point: 16

Re: Point-of-Sale malwares / RAM scrapers

Postby Xylitol » Mon Mar 28, 2016 1:50 pm

TreasureHunt / TreasureHunter
https://www.fireeye.com/blog/threat-res ... _cust.html

v0.1.1:
https://www.virustotal.com/en/file/e706 ... 459182718/
Must be run with an argument to get to the interesting stuff; initialization starts at 0x405B84.

v0.1:
https://www.virustotal.com/en/file/6a6b ... 459185958/
https://www.virustotal.com/en/file/046d ... 459185956/
https://www.virustotal.com/en/file/7eca ... 459185955/
https://www.virustotal.com/en/file/442b ... 459186379/
https://www.virustotal.com/en/file/6835 ... 459186380/
https://www.virustotal.com/en/file/ab7a ... 459186377/
https://www.virustotal.com/en/file/ceed ... 459186505/
https://www.virustotal.com/en/file/fe5f ... 459186507/

Code:
• dns: 10 ›› ip: 109.87.81.22 - adress: FRILTOPYES.COM
• dns: 1 ›› ip: 209.99.16.57 - adress: LOGMEINRESCUE.US.COM
• dns: 1 ›› ip: 72.52.4.91 - adress: CORTYKOPL.COM
• dns: 0 ›› ip: - adress: MILLIONJAM.EU
• dns: 0 ›› ip: - adress: 3SIPIOJT.COM
• dns: 0 ›› ip: - adress: SEATRIP888.EU
Xylitol
Global Moderator
 
Posts: 1629
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 485

Re: Point-of-Sale malwares / RAM scrapers

Postby benkow_ » Sat Apr 09, 2016 6:53 pm

Another Alina spotted today.
Code:
SHELLCODE_MUTEX
7YhngylKo09H
explorer.exe
Windows Host Process
appdata
%s\drv.sys
C:\drv.sys
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dllhost.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe
{[!11!]}{[!4!]}
{[!12!]}{[!10!]}http://%s:%d{[!4!]}
HTTP/1.1
POST
{[!13!]}{[!4!]}
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: close
{[!14!]}{[!4!]}
{[!15!]}{[!4!]}
%%%02x
vector<T> too long
map/set<T> too long
{[!16!]}{[!46!]}%s (%d)
{[!46!]}%d{[!1!]}
Unknown::
cards
card
~eventual/wplog/push.php
181.224.137.233
~eventual/wplog/loading.php
update
diag
updateinterval=
cardinterval=
log=1
{[!17!]}{[!18!]}
log=0
{[!17!]}{[!19!]}
chk=
update=
{[!23!]}{[!22!]}, {[!24!]}{[!4!]}%d{[!25!]}
dlex=
{[!22!]}%s{[!5!]}
\\.\pipe\spark
{[!16!]}{[!20!]}{[!26!]}%s
{[!27!]}{[!30!]}{[!4!]}%s.{[!2!]}
{[!28!]}%d.%d, {[!29!]}%d.%d.{[!1!]}
{[!30!]}{[!31!]}{[!4!]}
{[!29!]}{[!32!]}%s
http://
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
{[!22!]}{[!18!]}{[!33!]}{[!4!]}{[!34!]}= %d, {[!35!]}= 0x%x.{[!36!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.{[!36!]}
{[!40!]}{[!4!]}{[!36!]}
{[!41!]}{[!4!]}{[!42!]}= 0x%x, {[!34!]}= 0x%x.{[!36!]}
{[!22!]}{[!5!]}%s -> %s [%d]{[!35!]}= 0x%x (== 0x%x)
{[!43!]}{[!4!]}
{[!4!]}{[!10!]}{[!44!]}{[!43!]}{[!21!]}
{[!4!]}{[!45!]}{[!21!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.
C:\Users\Own\Desktop\sursa alina\sursa v2\Source\Debug\Spark.pdb
6f9O
PWVS
PWVS
0@;E
[^_]
Password7YhngylKo09H
\ntkrnl
\Installed\windefender.exe
shell32.dll
SHGetSpecialFolderPathA
ShellExecuteA
open
SHELLCODE_MUTEX
!This program cannot be run in DOS mode.
c:\drivers\test\objchk_win7_x86\i386\ssdthook.pdb
RtlEqualUnicodeString
ZwEnumerateValueKey
ZwQueryDirectoryFile
ZwQuerySystemInformation
RtlInitUnicodeString
MmMapLockedPages
MmBuildMdlForNonPagedPool
MmCreateMdl
KeServiceDescriptorTable
IoFreeMdl
MmUnmapLockedPages
KeTickCount
ntoskrnl.exe

panel: http://181.224.137\.233/~eventual/wplog/adm.php
benkow_
 
Posts: 69
Joined: Sat Jan 24, 2015 12:14 pm
Reputation point: 41
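As an added example (not code from the forum or from any poster), the network indicators quoted in this thread, the AbaddonPOS exfiltration IP:port pairs from Blaze's post and the Alina C2 host, URIs and hard-coded User-Agent from the strings dump above, are matched against proxy/firewall log lines. The key=value log format and every sample line are constructed for the example; the indicator values are copied from the posts.

```python
"""Match the network indicators quoted in this thread against constructed
key=value proxy/firewall log lines. Added example, not from the original posts;
the log format and sample lines are constructed, the indicators are the posts'."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# AbaddonPOS exfiltration endpoints, copied as listed in Blaze's post
# (49.154.64.167 is reproduced as posted, next to the 149.154.64.167 entries).
ABADDON_EXFIL = {
    ("5.8.60.23", 21910), ("5.8.60.23", 21930),
    ("50.7.138.138", 13030), ("50.7.138.138", 15050),
    ("91.234.34.44", 20940), ("91.234.34.44", 20970),
    ("149.154.64.167", 20910), ("149.154.64.167", 20920), ("149.154.64.167", 20940),
    ("49.154.64.167", 20940),
    ("176.114.0.165", 20910), ("176.114.0.165", 21910), ("176.114.0.165", 21940),
}
# Alina C2 host, script paths and User-Agent from the strings dump.
ALINA_HOST = "181.224.137.233"
ALINA_PATHS = ("/~eventual/wplog/push.php", "/~eventual/wplog/loading.php",
               "/~eventual/wplog/adm.php")
ALINA_UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
            "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")

# Constructed log format: "<ts> src=<ip> dst=<ip>:<port>" with an optional
# HTTP part "method=<M> uri=<path> ua=\"<user-agent>\"" for proxied traffic.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)'
    r'(?: method=(?P<method>[A-Z]+) uri=(?P<uri>\S+) ua="(?P<ua>[^"]*)")?$')


@dataclass
class Alert:
    ts: str
    src: str
    family: str
    reason: str


def match_line(line: str) -> Optional[Alert]:
    """Return an Alert if the line hits an indicator, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    dst, port = m["dst"], int(m["port"])
    if (dst, port) in ABADDON_EXFIL:
        return Alert(m["ts"], m["src"], "AbaddonPOS",
                     f"connection to exfil endpoint {dst}:{port}")
    # The Alina host is ordinary shared hosting, so the IP alone is not enough:
    # require the C2 path or the hard-coded User-Agent on top of it.
    if dst == ALINA_HOST and m["uri"] is not None:
        reasons = []
        if any(m["uri"].startswith(p) for p in ALINA_PATHS):
            reasons.append(f"known C2 path {m['uri']}")
        if m["ua"] == ALINA_UA:
            reasons.append("hard-coded Alina User-Agent")
        if reasons:
            return Alert(m["ts"], m["src"], "Alina", "; ".join(reasons))
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in (match_line(line) for line in lines) if a]


# Constructed sample log: two infected hosts, one benign request, one benign
# request to the shared Alina host that must not fire.
SAMPLE_LOG = [
    '2016-04-10T12:00:01Z src=10.0.0.5 dst=181.224.137.233:80 method=POST '
    'uri=/~eventual/wplog/push.php ua="' + ALINA_UA + '"',
    '2016-04-10T12:00:03Z src=10.0.0.7 dst=50.7.138.138:13030',
    '2016-04-10T12:00:05Z src=10.0.0.9 dst=93.184.216.34:443 method=GET uri=/ ua="curl/7.47.0"',
    '2016-04-10T12:00:09Z src=10.0.0.8 dst=181.224.137.233:80 method=GET '
    'uri=/index.html ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"',
    '2016-04-10T12:00:11Z src=10.0.0.5 dst=181.224.137.233:80 method=POST '
    'uri=/~eventual/wplog/loading.php?update=1 ua="Mozilla/4.0"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on the destination IP alone would also flag the benign request to the shared host, which is why the Alina rule insists on the path or User-Agent; the AbaddonPOS rule can match on IP:port because the non-standard ports are specific enough.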

Re: Point-of-Sale malwares / RAM scrapers

Postby Silence_is_best » Tue Apr 19, 2016 10:27 pm

Would love to see TinyPOS and MULTIGRAIN here... interested in the custom base32 encoding as well:

https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html

Thank you
Silence_is_best
 
Posts: 7
Joined: Fri Aug 15, 2014 11:16 am
Reputation point: 0
