Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Point-of-Sale malwares / RAM scrapers

Post by gritland » Wed Feb 06, 2013 5:10 pm

unpacked version of Dexter
bpx VirtualAlloc :mrgreen:

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Feb 06, 2013 5:39 pm

Oh, thanks! Good contribution.
Anyway, are you sure you unpacked it properly, or just dumped the iexplore.exe memory where Dexter was infected?
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\admin.unknown\Downloads\Infostealer.Dexter\3.exe
C:\Users\admin.unknown\Downloads\Infostealer.Dexter\3.exe
If you did and this is the case with it, then injecting directly into "C:\Program Files\Internet Explorer\iexplore.exe" is the dumbest thing I ever saw in malware in my life! Seems he never heard about the Windows APIs for getting paths as generically as possible :)

Xylitol
Global Moderator
Posts: 1680
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Wed Feb 06, 2013 6:09 pm

Hello, POSCardStealer.E attached.
In the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Buster_BSA » Wed Feb 06, 2013 6:36 pm

Xylitol wrote:Hello, POSCardStealer.E attached.
In the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/
How does this malware search for credit card information?

Other POS malware I have reviewed contained regexes like:

((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}
[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}

I do not see something like that in this one.

Xylitol
Global Moderator
Posts: 1680
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Wed Feb 06, 2013 6:47 pm

Buster_BSA wrote:
Xylitol wrote:Hello, POSCardStealer.E attached.
In the wild: hxxp://leschassagnes.com/small.exe
Also I edited the thread index a bit (http://www.kernelmode.info/forum/viewto ... 594#p14594)
https://www.virustotal.com/file/8217c30 ... 360174019/
How does this malware search for credit card information?

Other POS malware I have reviewed contained regexes like:

((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
((b|B)[0-9]{13,19}\^[A-Za-z\s]{0,30}\/[A-Za-z\s]{0,30}\^(1[1-9])((0[1-9])|(1[0-2]))[0-9\s]{3,50}[0-9]{1})
[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}
[0-9]{15,16}[D=](0[7-9]|1[0-5])((0[1-9])|(1[0-2]))[0-9]{8,30}

I do not see something like that in this one.
I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track 2, or it's a false positive from ESET?

Buster_BSA
Posts: 390
Joined: Mon Mar 22, 2010 6:42 am

Re: Point-of-Sale malwares / RAM scrapers

Post by Buster_BSA » Wed Feb 06, 2013 6:57 pm

Xylitol wrote:I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track 2, or it's a false positive from ESET?
Maybe it has its own search engine.

I see it has the typical behavior of a POS scraper: it enumerates all running processes and opens them.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Feb 06, 2013 7:28 pm

Buster_BSA wrote:
Xylitol wrote:I've not yet checked the file, I've just searched the ESET signature and got a match for POSCardStealer.E,
but I guess there is another pattern to detect track 2, or it's a false positive from ESET?
Maybe it has its own search engine.

I see it has the typical behavior of a POS scraper: it enumerates all running processes and opens them.
The same:

Code:

((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)
([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)
(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)[;\s]{1,3}([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?))
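To see concretely what the track 1 and track 2 patterns quoted in this thread match (and what they do not), here is a small triage script, added as an example and not code from the thread or from any of the samples discussed. It runs bsteo's two patterns verbatim over a constructed fake memory buffer (the buffer, the well-known 4111... test PAN and the cardholder name are invented), reports each hit with a masked PAN, and adds a Luhn check so that digit runs with the right shape but no valid check digit can be separated from real card data when you triage a dump from a suspected compromise.

```python
import re

# Track-data patterns exactly as bsteo posted them in the thread (track 1 and
# track 2; the third posted pattern is just these two concatenated).
TRACK1_RE = re.compile(
    r"((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9])(0[1-9]|1[0-2])[0-9\s]{3,50}\?)"
)
TRACK2_RE = re.compile(r"([0-9]{13,19}=(1[2-9])(0[1-9]|1[0-2])[0-9]{3,50}\?)")

# (label, pattern, index of the YY capture group; MM is the following group)
PATTERNS = (("track1", TRACK1_RE, 3), ("track2", TRACK2_RE, 2))
PAN_RE = re.compile(r"[0-9]{13,19}")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; a random digit run passes it only one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a triage report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(data: bytes) -> list:
    """Run the posted patterns over a raw buffer and report each hit."""
    text = data.decode("latin-1")   # one char per byte, so offsets stay exact
    hits = []
    for label, rx, yy_group in PATTERNS:
        for m in rx.finditer(text):
            pan = PAN_RE.search(m.group(0)).group(0)
            hits.append({
                "kind": label,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "luhn_valid": luhn_ok(pan),
                "expiry": m.group(yy_group) + m.group(yy_group + 1),  # YYMM
            })
    return hits


# Constructed sample (not a real dump): a fake memory region holding one track 1
# and one track 2 record built from the 4111... test PAN, plus a decoy record
# that has the right shape but fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00MSR read OK\x00"
    b"%B4111111111111111^DOE/JOHN^1512101123456789?"
    b";4111111111111111=1512101123456789?"
    b"\x00\x00order=42;total=19.99\x00"
    b";1234567890123456=1512123?"
    b"\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(hit)
```

Two things worth noticing from the output: the `1[2-9]` year term hardcodes expiry years 2012 to 2019, so these exact patterns go stale and a scan of a newer dump needs a wider window; and the decoy record matches the track 2 shape but fails Luhn, which is why triage tooling should combine the regex with the check digit. The defender's conclusion is the same as the thread's: if cleartext track data sits in a process's memory at all, a pattern this simple will find it, so the real mitigation is keeping it out of the POS process in the first place (encryption at the reader) rather than hoping the scraper's regex misses it.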

gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Point-of-Sale malwares / RAM scrapers

Post by gritland » Thu Feb 07, 2013 10:03 am

gritland wrote:unpacked version of Dexter
bpx VirtualAlloc :mrgreen:
Unpacked and fixed the import table, easy to analyze.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Thu Feb 07, 2013 10:24 am

gritland wrote:
gritland wrote:unpacked version of Dexter
bpx VirtualAlloc :mrgreen:
Unpacked and fixed the import table, easy to analyze.
Very good job, testing/analysing.

Xylitol
Global Moderator
Posts: 1680
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Thu Feb 07, 2013 1:44 pm

POSCardStealer.F in attach (Alina 3.1)
https://www.virustotal.com/file/8f53c8c ... 360243742/
