A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #24844  by malwarelabs
 Mon Jan 05, 2015 4:00 pm
Via 94.102.63.238
hxxp://94.102.63.238/1 -> lusyPOS -> https://www.virustotal.com/en/file/b9c3 ... /analysis/
hxxp://94.102.63.238/test -> Alina stuff
hxxp://94.102.63.238/aha.jpg -> Facepalm

I reported this server 6 months ago but it is still up today...

backup attached
 #25167  by biorelus
 Thu Feb 05, 2015 8:35 pm
Hi there, I am new here.
I work for a small company and administrate some point of sale machines, and lately, since 2 weeks ago, we started finding some malware from the same person.
This malware takes credit card info and sends it to bikerstobike.us via POST -> bikerstobike.us/post/echo and bikerstobike.us/post.php
I tried to send mail to the registrant but no luck. The domain name is still up and running, and the problem is that it is not being detected by too many AVs. We will buy some better AV but...
We changed the machines' passwords, but we don't know how long this virus has been gathering information on our POS servers, and we don't know the amount of people being affected. We are talking to Visa and Mastercard to try to block as many credit cards as possible, but at the same time we don't want to close the cards of those people who are not affected.

I am uploading the virus for people to investigate it.
 #25176  by malwarelabs
 Fri Feb 06, 2015 8:49 am
biorelus wrote: Hi there, I am new here.
I work for a small company and administrate some point of sale machines, and lately, since 2 weeks ago, we started finding some malware from the same person.
This malware takes credit card info and sends it to bikerstobike.us via POST -> bikerstobike.us/post/echo and bikerstobike.us/post.php
I tried to send mail to the registrant but no luck. The domain name is still up and running, and the problem is that it is not being detected by too many AVs. We will buy some better AV but...
We changed the machines' passwords, but we don't know how long this virus has been gathering information on our POS servers, and we don't know the amount of people being affected. We are talking to Visa and Mastercard to try to block as many credit cards as possible, but at the same time we don't want to close the cards of those people who are not affected.

I am uploading the virus for people to investigate it.
just for info:
hxxp://bikerstobike.us/logfile (~200 MB)
 #25181  by r3shl4k1sh
 Fri Feb 06, 2015 10:00 am
biorelus wrote: I am uploading the virus for people to investigate it.
That is a lame POS malware.

Here is what it does:
  • Writes itself to: %AppData%\Roaming\Java SE Platform Updateder\jusched.exe
  • Registers itself in the usual HKCU Run key
  • Queries bikerstobike.us/post/echo and checks that the answer starts with the string "up"
  • Sends the MAC address of the computer to bikerstobike.us/post.php
  • Gets into a loop that enumerates the processes currently running on the system
  • For each process that is not in a list of excluded processes (like csrss.exe, winlogon.exe, lsass.exe ...) it searches the memory for Track1 & Track2 numbers
  • If Track1 or Track2 numbers are found, it sends them to bikerstobike.us/post.php using a POST request like: mac=XXX&t1=XXX&t2=XXX
 #25183  by Blaze
 Fri Feb 06, 2015 10:07 am
Hi Biorelus,

Seems to be a variant of JackPOS; a similar sample is attached ("jusched.exe") and it performs the same behaviour as described by r3shl4k1sh.
hxxp://domainname1.com/post/echo
hxxp://domainhosting.services/post/echo
biorelus wrote:...and the problem is that is not beeing detected by to many AV. we will buy some better AV but...
Buying another AV is not the solution, hardening your systems is.

You can also block these IPs in your firewall:
50.63.202.11
199.79.63.31
208.109.46.202
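The behaviour list above (beacon to /post/echo, MAC registration and mac/t1/t2 POST to /post.php, drop path under %AppData%, HKCU Run persistence) and Blaze's IP list can be turned into a small defender-side checker that a POS administrator could run over proxy and firewall logs and over an export of the Run key. The Python below is an added example, not code from anyone in this thread; the proxy and firewall log line formats and the Run-key export are constructed for the demonstration, and the only real indicators in it are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted in this thread: C2 domain and paths (biorelus, r3shl4k1sh),
# the IPs Blaze suggested blocking, and the drop path r3shl4k1sh reported.
C2_DOMAIN = "bikerstobike.us"
C2_PATHS = {"/post/echo", "/post.php"}
C2_IPS = {"50.63.202.11", "199.79.63.31", "208.109.46.202"}
DROP_PATH_FRAGMENT = r"java se platform updateder\jusched.exe"

# Shape of the exfiltration body described in the thread: mac=XXX&t1=XXX&t2=XXX
EXFIL_BODY_RE = re.compile(r"(?:^|&)mac=[^&]*&t1=[^&]*&t2=[^&]*", re.IGNORECASE)

# Constructed (hypothetical) log formats for this example, not a real product's:
#   proxy:    <timestamp> <client_ip> <METHOD> <url> [body=<form body>]
#   firewall: <timestamp> <src_ip> -> <dst_ip>:<port> <ALLOW|DENY>
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"(?:\s+body=(?P<body>\S+))?$"
)
FW_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


@dataclass
class Finding:
    source: str   # which log or artifact the hit came from
    reasons: str  # which indicator(s) matched, joined with ";"
    detail: str   # the offending log line or registry value


def scan_proxy_log(lines):
    """Flag C2 URL hits and POST bodies shaped like the track-data exfil."""
    findings = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        parts = urlsplit(m.group("url"))
        reasons = []
        if (parts.hostname or "").lower() == C2_DOMAIN and parts.path in C2_PATHS:
            reasons.append(f"C2 URL {parts.hostname}{parts.path}")
        # Body check is independent of the host, so a domain change would still be caught.
        if m.group("method") == "POST" and EXFIL_BODY_RE.search(m.group("body") or ""):
            reasons.append("mac/t1/t2 exfil body")
        if reasons:
            findings.append(Finding("proxy", ";".join(reasons), line))
    return findings


def scan_firewall_log(lines):
    """Flag any connection to the listed C2 IPs; an ALLOW means the block is not in place yet."""
    findings = []
    for line in lines:
        m = FW_LINE_RE.match(line.strip())
        if m and m.group("dst") in C2_IPS:
            findings.append(Finding("firewall", f"{m.group('action')} to C2 IP {m.group('dst')}", line))
    return findings


def audit_run_key(values):
    """values: {value_name: command_line} as exported from HKCU\\...\\Run."""
    findings = []
    for name, cmd in values.items():
        low = cmd.lower()
        reasons = []
        if DROP_PATH_FRAGMENT in low:
            reasons.append("known drop path")
        # The real Java updater jusched.exe lives under Program Files, not a user profile.
        if low.rstrip('"').endswith("jusched.exe") and "\\appdata\\" in low:
            reasons.append("jusched.exe launched from a user profile")
        if reasons:
            findings.append(Finding("run key", ";".join(reasons), f"{name} = {cmd}"))
    return findings


# Constructed sample input; track data is a placeholder, not real card data.
SAMPLE_PROXY_LOG = [
    "2015-02-06T09:58:12 10.0.0.12 GET http://bikerstobike.us/post/echo",
    "2015-02-06T09:58:13 10.0.0.12 POST http://bikerstobike.us/post.php body=mac=00-11-22-33-44-55",
    "2015-02-06T10:02:40 10.0.0.12 POST http://bikerstobike.us/post.php body=mac=00-11-22-33-44-55&t1=REDACTED&t2=REDACTED",
    "2015-02-06T10:02:41 10.0.0.13 GET http://updates.example.com/jre/latest",
]
SAMPLE_FIREWALL_LOG = [
    "2015-02-06T10:05:00 10.0.0.12 -> 199.79.63.31:80 ALLOW",
    "2015-02-06T10:05:03 10.0.0.14 -> 93.184.216.34:443 ALLOW",
    "2015-02-06T10:05:07 10.0.0.12 -> 208.109.46.202:80 DENY",
]
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\pos1\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Java SE Platform Update": r"C:\Users\pos1\AppData\Roaming\Java SE Platform Updateder\jusched.exe",
}


def run_all():
    return scan_proxy_log(SAMPLE_PROXY_LOG) + scan_firewall_log(SAMPLE_FIREWALL_LOG) + audit_run_key(SAMPLE_RUN_KEY)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.source}] {f.reasons}: {f.detail}")
```

The body check is kept separate from the host check on purpose: the domain in this thread is one of several Blaze lists, so matching on the mac/t1/t2 form shape catches the same family after a C2 move, while the Run-key heuristic keys on where jusched.exe is started from rather than on the exact misspelled folder name.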
 #25184  by biorelus
 Fri Feb 06, 2015 11:09 am
malwarelabs wrote:
just for info:
hxxp://bikerstobike.us/logfile (~200Mo)

Thanks guys,

I was afraid to see what's in that 200mb file :( .. That's sad, and big trouble.
Going to each server and adding that to the firewall.. On top of that, many clients changed their TeamViewer password thinking that that is the problem.
The malware is still running on many servers. We feel big trouble.