Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
benkow_
Posts: 74
Joined: Sat Jan 24, 2015 12:14 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by benkow_ » Wed Oct 21, 2015 9:55 pm

Hum I don't know the name for these:

2 samples of the same family:
a077a9dc0c191621b1b4ca3e9801da2a https://www.virustotal.com/fr/file/a253 ... 445461460/
16e0879b63ffd98ab5adfca27e78a7aa https://www.virustotal.com/fr/file/cf06 ... 445461458/

Code:

Fuck OFF
Hello AV
GetProcAddress
CreateProcessW
SetThreadContext
VirtualAllocEx
WriteProcessMemory
NtUnmapViewOfSection
CreateProcessW
VirtualFree
ReadProcessMemory
NtUnmapViewOfSection
ntdll.dll
0xDEADBEEF
FindResource
Kernel32.dll
GetWindowsDirectoryW
Kernel32.dll
SYSTEMROOT
\system32\drivers\avc3.sys
\system32\drivers\aswSP.sys
\system32\drivers\aswFsBlk.sys
\system32\drivers\pavproc.sys
\system32\drivers\pavboot64.sys
\system32\drivers\cmdhlp.sys
\system32\drivers\inspect.sys
\system32\drivers\cmdmon.sys
\system32\drivers\AVGIDSErHr.sys
\system32\drivers\avgdiskx.sys
\system32\drivers\avgidsdriverlx.sys
\system32\drivers\mbam.sys
\system32\drivers\mbamchameleon.sys
\system32\drivers\kl1.sys
\system32\drivers\klif.sys
ExitProcess
CreateMutexW
VirtualFree
GetConsoleWindow
GetLastError
VirtualAlloc
GetEnvironmentVariableA
FindFirstFileA
Sleep
GetModuleFileNameW
GetProcAddress
GetModuleHandleA
GetFileSize
CreateProcessW
WriteFile
ReadFile
CreateFileW
CloseHandle
FindResourceW
LoadResource
SizeofResource
LockResource
VirtualProtect
GetThreadContext
GetCurrentProcess
GetModuleHandleW
ReadProcessMemory
TerminateProcess
ResumeThread
KERNEL32.dll
ShowWindow
USER32.dll
SHGetFolderPathW
SHELL32.dll
RtlUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
ping -n 1 127.0.0.1 > nul
start /b "" "%AppData%\EEbeFAMMrx.exe"
ping -n 3 127.0.0.1 > nul
del "%AppData%\EEbeFAMMrx.exe"
(goto) 2>nul & del "%~f0"
BM60
fa1e987e4290da75f3bdb661f51f8e2b - https://www.virustotal.com/fr/file/52b6 ... 445461458/

Code:

MSVBVM60.DLL
ance  
0g62l
Form1
Stpe
POS_TIME
RCount
Arial
LCount
Arial
S_USB
GHOST
VB5!
INSTALL_B
UNISTALL_B
UPDATE_B
DW_EXEC
N_CONNECT
F_UAC
F_EXIST
S_EXEC
MELT
MY_PATH
G_OS
FTPUPLOAD
A_ANUBIS
D_REG
D_TASK
A_OLLY
A_SAND
A_SYS
A_BOX
A_VM
D_API
DropBox
S_PROTECT
C_DATA
R_DATA
A_MALWR
A_NORMAN
A_WINE
A_FIREWALL
M_BYTES
E_286
G_ARC
D_PROTECT
S_XOR
G_RAM
G_CPU
G_GPU
G_HD
B_64
G_BETWEEN
A_RES
P_PWD
P_FTP
P_MAIL
P_UDP
P_HTTP
P_SCREEN
P_WALLET
P_SPAM
P_KEYLOGGER
C_EOF
P_DSPREAD
N_COMMANDS
PING_SITE
GR_COMMAND
0g62l
LCount
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
POS_TIME
S_USB
GHOST
Stpe
Form
RCount
wininet.dll
DeleteUrlCacheEntryA
SHELL32
IsUserAnAdmin
hhO@
KERNEL32
Sleep
LoadLibraryA
FindExecutableA
hXP@
ShellExecuteA
GetModuleFileNameA
GetStartupInfoW
h4Q@
CreateToolhelp32Snapshot
Process32First
Process32Next
h$U@
CloseHandle
hhU@
GetCurrentProcessId
NTDLL
NtUnmapViewOfSection
h8X@
NtWriteVirtualMemory
NtSetContextThread
NtResumeThread
h$Y@
NtGetContextThread
hpY@
NtAllocateVirtualMemory
CreateProcessW
VBA6.DLL
:u9k
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
+ VB stuff inside this one.

All attached
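The strings listed above group into a few recognisable clusters: the CreateProcessW / NtUnmapViewOfSection / WriteProcessMemory / SetThreadContext / ResumeThread set used for process hollowing, the FindResource / LoadResource / LockResource set that usually means the payload is carried in a PE resource, a list of AV kernel driver paths under \system32\drivers, and a batch stub that runs a dropped copy from %AppData% and deletes itself. The script below is an added triage helper, not code from the thread or from the malware: it takes a strings dump (the sample list is a subset copied from the post above) and scores those clusters so an analyst can flag a sample for deeper work before opening a disassembler. The cluster thresholds are assumptions chosen for illustration.

```python
import re

# API clusters the strings dump above exposes. A whole cluster present is a much
# stronger signal than any single import, so scoring is done per cluster.
HOLLOWING_APIS = {
    "CreateProcessW", "NtUnmapViewOfSection", "VirtualAllocEx",
    "WriteProcessMemory", "GetThreadContext", "SetThreadContext", "ResumeThread",
}
RESOURCE_APIS = {"FindResourceW", "LoadResource", "SizeofResource", "LockResource"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent"}

# Driver paths the sample checks for (security-product kernel drivers).
AV_DRIVER_RE = re.compile(r"\\system32\\drivers\\([\w.-]+\.sys)", re.IGNORECASE)
# Batch self-deletion idioms seen in the dump.
SELF_DELETE_RE = re.compile(r'del\s+"%~f0"|del\s+"%AppData%', re.IGNORECASE)

# Constructed input: a subset of the strings from the post above, in post order.
SAMPLE_STRINGS = [
    "Hello AV", "GetProcAddress", "CreateProcessW", "SetThreadContext", "VirtualAllocEx",
    "WriteProcessMemory", "NtUnmapViewOfSection", "ReadProcessMemory", "ntdll.dll",
    "SYSTEMROOT",
    "\\system32\\drivers\\avc3.sys", "\\system32\\drivers\\aswSP.sys",
    "\\system32\\drivers\\mbam.sys", "\\system32\\drivers\\klif.sys",
    "FindResourceW", "LoadResource", "SizeofResource", "LockResource",
    "GetThreadContext", "ResumeThread", "IsDebuggerPresent",
    "ping -n 1 127.0.0.1 > nul", 'start /b "" "%AppData%\\EEbeFAMMrx.exe"',
    'del "%AppData%\\EEbeFAMMrx.exe"', '(goto) 2>nul & del "%~f0"',
]


def triage(strings):
    """Return which indicator clusters a strings dump contains."""
    found = set(strings)
    report = {
        "hollowing": sorted(HOLLOWING_APIS & found),
        "resource_payload": sorted(RESOURCE_APIS & found),
        "anti_debug": sorted(ANTI_DEBUG_APIS & found),
        "av_drivers": [],        # driver file names, in the order they appear
        "self_delete": False,
    }
    for s in strings:
        m = AV_DRIVER_RE.search(s)
        if m:
            report["av_drivers"].append(m.group(1))
        if SELF_DELETE_RE.search(s):
            report["self_delete"] = True
    return report


def verdicts(report):
    """Turn a triage report into human-readable findings (thresholds are assumptions)."""
    out = []
    if len(report["hollowing"]) >= 5:
        out.append("process-hollowing API set")
    if len(report["resource_payload"]) >= 3:
        out.append("payload likely carried in a PE resource")
    if len(report["av_drivers"]) >= 3:
        out.append("enumerates security-product kernel drivers")
    if report["self_delete"]:
        out.append("batch self-deletion stub")
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_STRINGS)
    for finding in verdicts(rep):
        print("[*]", finding)
    print("AV drivers checked:", ", ".join(rep["av_drivers"]))
```

Run it on the output of `strings -a sample.exe` (one string per line) to get the same report for a fresh sample; a dump with only generic imports such as Sleep or CloseHandle produces no findings, which is the point of scoring clusters rather than single API names.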

p1nk
Posts: 43
Joined: Thu Oct 29, 2015 1:09 am

Re: Point-of-Sale malwares / RAM scrapers

Post by p1nk » Thu Oct 29, 2015 1:24 am

First two have some references to KeepFUD.PW in them.

Does a nice little AV check also at the start [Attached screenshot], looks to be based on known A/V drivers.

Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Blaze » Fri Nov 13, 2015 9:13 am

AbaddonPOS.

https://www.proofpoint.com/us/threat-in ... To-Vawtrak
AbaddonPOS Exfiltration C2 IP addresses:
5.8.60.23:21910
5.8.60.23:21930
50.7.138.138:13030
50.7.138.138:15050
91.234.34.44:20940
91.234.34.44:20970
149.154.64.167:20910
149.154.64.167:20920
49.154.64.167:20940
149.154.64.167:20940
176.114.0.165:20910
176.114.0.165:21910
176.114.0.165:21940
Attached.

Bry_Campbell
Posts: 2
Joined: Mon Mar 02, 2015 1:47 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by Bry_Campbell » Wed Nov 25, 2015 9:39 am

Does anyone have a ModPos sample?

EP_X0FF
Global Moderator
Posts: 4775
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Point-of-Sale malwares / RAM scrapers

Post by EP_X0FF » Wed Nov 25, 2015 4:34 pm

Bry_Campbell wrote: Does anyone have a ModPos sample?
Malware requests are in here: http://www.kernelmode.info/forum/viewforum.php?f=20
Currently you do not meet any requirements to do any requests.
Ring0 - the source of inspiration

Blaze
Posts: 199
Joined: Fri Aug 27, 2010 7:35 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Blaze » Thu Jan 28, 2016 7:30 pm


ikolor
Posts: 275
Joined: Thu Jun 05, 2014 2:20 pm
Location: Poland

Re: Malware collection

Post by ikolor » Sun Mar 06, 2016 5:07 pm


Xylitol
Global Moderator
Posts: 1652
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Mon Mar 28, 2016 1:50 pm

TreasureHunt / TreasureHunter
https://www.fireeye.com/blog/threat-res ... _cust.html

v0.1.1:
https://www.virustotal.com/en/file/e706 ... 459182718/
must be run with an argument to get to the interesting stuff; initialization starts at 0x405B84

v0.1:
https://www.virustotal.com/en/file/6a6b ... 459185958/
https://www.virustotal.com/en/file/046d ... 459185956/
https://www.virustotal.com/en/file/7eca ... 459185955/
https://www.virustotal.com/en/file/442b ... 459186379/
https://www.virustotal.com/en/file/6835 ... 459186380/
https://www.virustotal.com/en/file/ab7a ... 459186377/
https://www.virustotal.com/en/file/ceed ... 459186505/
https://www.virustotal.com/en/file/fe5f ... 459186507/

Code:

• dns: 10 ›› ip: 109.87.81.22 - adress: FRILTOPYES.COM
• dns: 1 ›› ip: 209.99.16.57 - adress: LOGMEINRESCUE.US.COM
• dns: 1 ›› ip: 72.52.4.91 - adress: CORTYKOPL.COM
• dns: 0 ›› ip: - adress: MILLIONJAM.EU
• dns: 0 ›› ip: - adress: 3SIPIOJT.COM
• dns: 0 ›› ip: - adress: SEATRIP888.EU

benkow_
Posts: 74
Joined: Sat Jan 24, 2015 12:14 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by benkow_ » Sat Apr 09, 2016 6:53 pm

Another Alina spotted today.

Code:

SHELLCODE_MUTEX
7YhngylKo09H
explorer.exe
Windows Host Process
appdata
%s\drv.sys
C:\drv.sys
chrome.exe
firefox.exe
iexplore.exe
svchost.exe
smss.exe
csrss.exe
wininit.exe
steam.exe
devenv.exe
thunderbird.exe
skype.exe
pidgin.exe
services.exe
dllhost.exe
lsass.exe
winlogon.exe
alg.exe
wscntfy.exe
taskmgr.exe
spoolsv.exe
QML.exe
AKW.exe
{[!11!]}{[!4!]}
{[!12!]}{[!10!]}http://%s:%d{[!4!]}
HTTP/1.1
POST
{[!13!]}{[!4!]}
Accept: application/octet-stream
Content-Type: application/octet-stream
Connection: close
{[!14!]}{[!4!]}
{[!15!]}{[!4!]}
%%%02x
vector<T> too long
map/set<T> too long
{[!16!]}{[!46!]}%s (%d)
{[!46!]}%d{[!1!]}
Unknown::
cards
card
~eventual/wplog/push.php
181.224.137.233
~eventual/wplog/loading.php
update
diag
updateinterval=
cardinterval=
log=1
{[!17!]}{[!18!]}
log=0
{[!17!]}{[!19!]}
chk=
update=
{[!23!]}{[!22!]}, {[!24!]}{[!4!]}%d{[!25!]}
dlex=
{[!22!]}%s{[!5!]}
\\.\pipe\spark
{[!16!]}{[!20!]}{[!26!]}%s
{[!27!]}{[!30!]}{[!4!]}%s.{[!2!]}
{[!28!]}%d.%d, {[!29!]}%d.%d.{[!1!]}
{[!30!]}{[!31!]}{[!4!]}
{[!29!]}{[!32!]}%s
http://
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22
{[!22!]}{[!18!]}{[!33!]}{[!4!]}{[!34!]}= %d, {[!35!]}= 0x%x.{[!36!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.{[!36!]}
{[!40!]}{[!4!]}{[!36!]}
{[!41!]}{[!4!]}{[!42!]}= 0x%x, {[!34!]}= 0x%x.{[!36!]}
{[!22!]}{[!5!]}%s -> %s [%d]{[!35!]}= 0x%x (== 0x%x)
{[!43!]}{[!4!]}
{[!4!]}{[!10!]}{[!44!]}{[!43!]}{[!21!]}
{[!4!]}{[!45!]}{[!21!]}
{[!37!]}{[!35!]}{[!4!]}{[!38!]}0x%x,{[!39!]}0x%x.
C:\Users\Own\Desktop\sursa alina\sursa v2\Source\Debug\Spark.pdb
6f9O
PWVS
PWVS
0@;E
[^_]
Password7YhngylKo09H
\ntkrnl
\Installed\windefender.exe
shell32.dll
SHGetSpecialFolderPathA
ShellExecuteA
open
SHELLCODE_MUTEX
!This program cannot be run in DOS mode.
c:\drivers\test\objchk_win7_x86\i386\ssdthook.pdb
RtlEqualUnicodeString
ZwEnumerateValueKey
ZwQueryDirectoryFile
ZwQuerySystemInformation
RtlInitUnicodeString
MmMapLockedPages
MmBuildMdlForNonPagedPool
MmCreateMdl
KeServiceDescriptorTable
IoFreeMdl
MmUnmapLockedPages
KeTickCount
ntoskrnl.exe
panel: http://181.224.137\.233/~eventual/wplog/adm.php
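The Alina strings above give away the shape of its beacon: an HTTP/1.1 POST built from `http://%s:%d`, sent with `Accept`/`Content-Type: application/octet-stream` and `Connection: close`, to `~eventual/wplog/push.php` or `loading.php`, under a fixed Chrome 25 on Windows 8 user-agent. The script below is an added detection example, not code from the thread: it parses a small constructed proxy log (the log format, the internal source addresses and the 198.51.100.7 host are all made up for the example; only the panel paths, the user-agent and the 181.224.137.233 address come from the post) and scores each request against those traits. The panel-path match is the strong indicator; the "POST of octet-stream from a Chrome user-agent" rule is a deliberately weak one that only adds weight.

```python
import re
from urllib.parse import urlsplit

# User-agent hardcoded in the Alina sample above (Chrome 25 on Windows NT 6.2).
ALINA_UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
            "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")
# Panel script paths from the strings dump; the "~eventual" account dir may vary.
PANEL_PATH_RE = re.compile(r"/wplog/(push|loading)\.php$")

# Constructed proxy log format (assumption): src method url "content-type" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ctype>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = [
    f'10.0.0.12 POST http://181.224.137.233/~eventual/wplog/push.php '
    f'"application/octet-stream" "{ALINA_UA}"',
    '10.0.0.12 GET http://www.example.com/index.html "text/html" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"',
    '10.0.0.20 POST http://update.example.net/api/upload '
    '"application/octet-stream" "ExampleUpdater/2.1"',
    '10.0.0.31 POST http://198.51.100.7/~eventual/wplog/loading.php '
    '"application/x-www-form-urlencoded" '
    '"Mozilla/5.0 (Windows NT 6.1) Chrome/40.0.2214.115 Safari/537.36"',
]


def parse_line(line):
    """Parse one constructed-format log line; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score(rec):
    """Return the list of Alina beacon traits a parsed request matches."""
    reasons = []
    if PANEL_PATH_RE.search(urlsplit(rec["url"]).path):
        reasons.append("known Alina panel path")
    if rec["ua"] == ALINA_UA:
        reasons.append("hardcoded Alina user-agent")
    # Weak trait: browsers rarely POST raw octet-streams; only adds weight.
    if (rec["method"] == "POST"
            and rec["ctype"] == "application/octet-stream"
            and "Chrome/" in rec["ua"]):
        reasons.append("octet-stream POST under a Chrome user-agent")
    return reasons


def detect(lines):
    """Run score() over log lines and return every request with at least one hit."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = score(rec)
        if reasons:
            alerts.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['src']} -> {a['url']}: {'; '.join(a['reasons'])}")
```

Two of the four constructed requests trigger: the beacon to push.php on all three traits, and the loading.php request on the path alone; the updater POST and the ordinary browser GET stay quiet. Swapping the `LINE_RE` pattern for a real proxy's format is the only change needed to run it over production logs.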

Silence_is_best
Posts: 7
Joined: Fri Aug 15, 2014 11:16 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Silence_is_best » Tue Apr 19, 2016 10:27 pm

Would love to see TinyPOS and MULTIGRAIN here... interested in the custom base32 encoding as well:

https://www.fireeye.com/blog/threat-res ... ointo.html

Thank you
