Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sat Dec 15, 2012 9:06 am

Xylitol wrote: If someone knows a live C&C for Dexter, I can try to hack it.

From the binary, the panel should be at: /portal1/gateway.php

Hmm, I wanted to PM Xylitol but got: "We are sorry, but you are not authorised to use this feature. You may have just registered here and may need to participate more to be able to use this feature." :)
I'll PM you in another forum.

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Sat Dec 15, 2012 4:28 pm

For mm_bot.exe I have this (home made, not from the malware server), still not tested:

<?php
// Fake gateway page for mm_bot.exe: the bot calls index.php?data=... and the
// "data" value is only written to disk after someone enters the correct ID.
$data = isset($_GET['data']) ? $_GET['data'] : '';
?>
<html>
<head>
<title>Xylitol work</title>
<meta name="author" content="EpicOut&H3R05"/>
<meta name="infos" content="The game"/>
<style media="screen" type="text/css">
body
{
background:black;
color:red;
font-family:arial;
}
#auth
{
width:50%;
margin:auto;
padding:15px;
}
#auth h1,h4
{
text-align:center;
}
#auth input
{
background:black;
color:red;
border-radius:5px;
border-style:dashed;
display:block;
margin:auto;
padding:5px;
}
</style>
</head>
<body>
<div id="auth">
<h1>Your ID</h1>
<h4><i>(You need to have an id to view this content)</i></h4>
<!-- carry the bot's value in the query string so the POST below still sees it;
     the original glued the raw value straight onto 'index.php' -->
<form method="POST" action="index.php?data=<?php echo htmlspecialchars(urlencode($data)); ?>">
<input type="password" name="id"/>
</form>
</div>
<?php
// the input field is named "id", so the check must read $_POST['id'] (the original read 'password')
if(isset($_POST['id']) && $_POST['id'] == "imaboss" && $data !== '') {
      // escape before echoing: the bot (or anyone) controls this value
      echo htmlspecialchars($data).' a bien ete enregistre <br/>';
      // the original was missing the "." concatenation before "\n"
      file_put_contents("data.txt", $data."\n", FILE_APPEND);
}
?>
</body>
</html>
As for Dexter, I've sent you a PM :)

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sat Dec 15, 2012 4:54 pm

Thanks, it could help in the work. Check your mail; soon I will be able to send PMs, I think (not so soon though) ;)

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Thu Dec 20, 2012 1:11 pm

Various files from http://usa.visa.com/download/merchants/ ... 110609.pdf; some are clean, some not.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Thu Dec 20, 2012 7:00 pm

Wow, I won't sleep tonight :-\
Thanks for the samples!

khanisgr8
Posts: 2
Joined: Thu Dec 20, 2012 10:04 am

Re: Point-of-Sale malwares / RAM scrapers

Post by khanisgr8 » Sat Dec 22, 2012 9:58 am

Interesting samples. I am analyzing them.

@exitthematrix: Can you PM me the script for Dexter?

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Sat Dec 22, 2012 11:18 am

Some files from http://usa.visa.com/download/merchants/ ... memory.pdf
But nothing really interesting at all.

Another PDF, but again it seems not really interesting: http://usa.visa.com/download/merchants/ ... are_ip.pdf
Anyway, if you want the files tell me and I will post them here when I have time.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sat Dec 22, 2012 7:48 pm

dnsmgr.exe is just a Perl script that searches with regex for Track 1 and Track 2 data and is "compiled" with Perl2exe, attached below.
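Worked example, added here and not part of the thread or of dnsmgr.exe: the same Track 1/Track 2 regex search bsteo describes, turned into the check a defender runs over a process memory dump to confirm whether cleartext card data is sitting in a POS process (the kind of audit PCI reviews ask for). Python is assumed; the dump is constructed and uses the 4111... test PAN; hits that fail the Luhn check are dropped as regex noise and the PAN is masked so the report is not itself card data.

```python
import re

# Track 1 format B and Track 2 layouts (ISO 7813) as raw bytes, the way they
# sit in a POS process before encryption: PAN, name, YYMM expiry, service code.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn check on an ASCII-digit PAN; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: bytes) -> str:
    """Keep only first 6 / last 4 so the audit output is not card data."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid track records found in a memory dump, PAN masked."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # matched the shape but is not a card number
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({"track": track, "offset": m.start(),
                         "pan": mask_pan(pan), "expiry": expiry.decode("ascii")})
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample dump: one Track 1 and one Track 2 record built around the
# 4111... test PAN, plus a Track 2 lookalike whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00MSR buffer\x00%B4111111111111111^DOE/JOHN^25121011234567?\x00"
    b"\x10\x10;4111111111111111=251210112345678?\x00"
    b";1234567890123=251210100000?\x00\xff"
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_DUMP):
        print(h)
```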

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Fri Jan 25, 2013 7:26 pm


bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sat Jan 26, 2013 10:37 am

Xylitol wrote: Hello guys, introducing vSkimmer: http://www.xylibox.com/2013/01/vskimmer.html
Sample attached.
https://www.virustotal.com/file/bb12fc4 ... 358237597/ > 18/46
Is your sample the one in the wild or the one you unpacked? Thanks!
