Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Mon Nov 18, 2013 12:18 pm

leeno wrote:Hi Guys,

I have been looking for samples of PWS:Win32/Dexter.B. The samples which we have in the forum are of PWS:Win32/Dexter.A; maybe a new variation has been noticed by the Microsoft team,
http://www.microsoft.com/security/porta ... er.B#tab=2

Anyone with PWS:Win32/Dexter.B samples!

Warm Regards

Leeno
http://www.kernelmode.info/forum/viewto ... 756#p17147
70feec581cd97454a74a0d7c1d3183d1, please search before asking.

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Sun Dec 01, 2013 3:25 pm


bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Mon Dec 02, 2013 10:03 am

Thanks dude! Is it some new version?

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Mon Dec 02, 2013 10:07 am

Latest; there is no build version in this one, the source was probably sold to someone.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Mon Dec 02, 2013 7:28 pm

Xylitol wrote:latest, there is no build version in this one, the source was probably sold to someone
So it should be 7.*. Just found out from the bad guys that the latest Alina version is v7.

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Dec 04, 2013 9:30 am

Some new POS malware I found on a compromised Backoffice server.

MD5 hash: a5a89dc69c4d3fa47a88b379179626c7
SHA1 hash: d2b1dccbb3a3a6e0ed5d55a89b4c04af192b414a

- crypted/packed with a VB crypter
- drops itself to %APPDATA%\NET Framework\msdll32.exe and also creates two files in the same location: nt01.dat, nthome.dat
- tries to communicate with two HTTP panels, at least to fetch some configs:

Code:

www.localhost0x2.net/config/config_01.bin
lucky-dumps.biz/config/config_01.bin

From the first one it gets a file with the following encrypted and base64-encoded data:

Code:

gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c
gJycmNLHx4Sdi4ORxYydhZibxoqBkg==

- creates a MUTEX "_NEW_HOOK10"
- adds itself to autorun

http://camas.comodo.com/cgi-bin/submit? ... ec498571a6

I didn't try to decrypt/unpack it because I'm not home and have no tools here.
https://www.virustotal.com/en/file/639a ... 386174185/
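The two base64 strings in the post above are short enough to decode by hand, so here is an added analyst script (not from the post or its author) that does it. It assumes only that the plaintext starts with `http://`, which the panel URLs listed in the same post make a safe crib; with that crib it recovers a single-byte XOR key (0xE8) and yields the two panel URLs, and it also carries a crib-free fallback that lists every key producing printable ASCII.

```python
import base64

# The two encoded lines exactly as posted in the thread (not constructed).
CONFIG_LINES = [
    "gJycmNLHx5+fn8aEh4uJhICHm5zYkNrGho2c",
    "gJycmNLHx4Sdi4ORxYydhZibxoqBkg==",
]

# Assumption: the decrypted config is a URL, so it starts with "http://".
CRIB = b"http://"


def recover_xor_key(blob: bytes, crib: bytes = CRIB):
    """Return the single-byte XOR key if crib XOR blob gives one consistent key, else None."""
    if len(blob) < len(crib):
        return None
    keys = {c ^ p for c, p in zip(blob, crib)}
    if len(keys) != 1:
        return None  # not single-byte XOR, or the crib guess is wrong
    return keys.pop()


def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def decode_config_line(line: str):
    """base64-decode one line; return (key, plaintext) or (None, raw_bytes) if no key fits."""
    raw = base64.b64decode(line)
    key = recover_xor_key(raw)
    if key is None:
        return None, raw
    return key, xor_decode(raw, key).decode("ascii", errors="replace")


def decode_all(lines=CONFIG_LINES):
    return [decode_config_line(line) for line in lines]


def printable_candidates(line: str):
    """Crib-free fallback: every key whose output is entirely printable ASCII."""
    raw = base64.b64decode(line)
    out = {}
    for key in range(256):
        pt = xor_decode(raw, key)
        if all(0x20 <= b < 0x7F for b in pt):
            out[key] = pt.decode("ascii")
    return out


if __name__ == "__main__":
    for key, text in decode_all():
        print("key=0x%02x" % key if key is not None else "key=?", text)
```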

bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Re: Point-of-Sale malwares / RAM scrapers

Post by bsteo » Wed Dec 04, 2013 9:51 am

Two new malware files from the same Backoffice as above; I didn't have the chance to check them.
https://www.virustotal.com/en/file/c1ce ... 386174129/
https://www.virustotal.com/en/file/bdce ... 386174130/

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Wed Dec 04, 2013 10:30 am

http://www.kernelmode.info/forum/viewto ... 140#p21549
This is ProjectHook (or the mod); I haven't looked at the rest.
Also attached is a POS malware that I received in August from an infected retailer; no idea if I should do a post about this.
https://www.virustotal.com/en/file/746c ... 376958328/
decebal: https://www.virustotal.com/en/file/af72 ... 386206269/ doesn't look like a POS malware to me; another PE embedded in a resource, again VB6.

Xylitol
Global Moderator
Posts: 1681
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Point-of-Sale malwares / RAM scrapers

Post by Xylitol » Thu Dec 05, 2013 3:13 pm

Checked your second file and this is DarkComet, not a POS malware.

Code:

#BEGIN DARKCOMET DATA --
PWD={xaxa23}
MUTEX={xaxa23}
SID={Jiji}
FWB={0}
NETDATA={davincii.no-ip.biz:1604}
GENCODE={VinoFfiKathi}
INSTALL={1}
COMBOPATH={7}
EDTPATH={MSDCSC32\msdcsc32.exe}
KEYNAME={MicroUpdate32}
EDTDATE={16/04/2007}
PERSINST={0}
MELT={1}
CHANGEDATE={0}
DIRATTRIB={6}
FILEATTRIB={6}
OFFLINEK={1}
#EOF DARKCOMET DATA --

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Point-of-Sale malwares / RAM scrapers

Post by EP_X0FF » Sat Jan 18, 2014 4:13 am

IntelCrawler: "17-years-old teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon"

http://intelcrawler.com/about/press08
http://www.kernelmode.info/forum/search ... s=BlackPOS
