Point-of-Sale malwares / RAM scrapers

Forum for analysis and discussion about malware.
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Thu Feb 07, 2013 2:33 pm

Xylitol wrote: POSCardStealer.F in attach (Alina 3.1)
https://www.virustotal.com/file/8f53c8c ... 360243742/
Still no idea about its POST variable "ldata" encryption? First layer looks like HEX, second could be RC4, XOR...
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Thu Feb 07, 2013 7:52 pm

This is the encrypted string part that always repeats itself in the "ldata" POST variable of POSCardStealer (aka Alina): "f0c2c5d8dfcac7c7c8c3cec8c0919a" is in the header of the data. Could it be the decryption key? Any ideas?
Xylitol
Global Moderator
Posts: 1683
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Thu Feb 07, 2013 8:02 pm

Like I've said on my blog post, I've not searched, but that starts at 401c10 on Alina 3.4.
Xylitol
Global Moderator
Posts: 1683
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Fri Feb 08, 2013 1:56 pm

Win32/Spy.POSCardStealer.I in attach (Alina)
https://www.virustotal.com/file/4605eb3 ... 360331633/
Xylitol
Global Moderator
Posts: 1683
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Fri Feb 08, 2013 2:10 pm

Win32/Spy.POSCardStealer.J (Alina 0.1)
https://www.virustotal.com/file/2907c88 ... 360332488/
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Fri Feb 08, 2013 3:26 pm

Simple PHP "ldata" POST variable decoder for Alina malware. Credits to Buster_BSA and Xylitol :)

<?php

// Single-byte XOR key (0xab) and the captured "ldata" POST value, both as hex text.
$key = 'ab';
$encoded = 'f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1';

// First layer: hex text -> raw bytes.
$binarykey = pack('H*', $key);
$binaryencoded = pack('H*', $encoded);

// Second layer: XOR every byte with each byte of the key in turn.
function xor_decode($binaryencoded, $binarykey) {
  $key_length = strlen($binarykey);
  $result = '';
  $length = strlen($binaryencoded);
  for ($i = 0; $i < $length; $i++) {
    $tmp = $binaryencoded[$i];

    for ($j = 0; $j < $key_length; $j++) {
        $tmp = chr(ord($tmp) ^ ord($binarykey[$j]));
    }

    $result .= $tmp;
  }
  return $result;
}

echo xor_decode($binaryencoded, $binarykey) . "\n";
?>
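A Python version of the same two-layer decode, added here as an example (not code from the thread): it takes the posted "ldata" value and the posted key 0xab, but also recovers the key from the repeating header bsteo noticed (the posted key turns that 15-byte prefix into "[installcheck:1", which this code uses as known plaintext) and splits the output into the beacon's newline-terminated records, so a wrong key or corrupted capture shows up instead of silently producing garbage.

```python
"""Decoder for Alina's "ldata" POST field: hex text, then single-byte XOR."""
from __future__ import annotations

# The "ldata" value from the thread, copied verbatim; 0xab is the key posted there.
LDATA_HEX = "f0c2c5d8dfcac7c7c8c3cec8c0919a9a9c8b979b95f68befcec7cedfcecf8be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7dcc2c586cdc2d9cedccac7c785ced3ce8bcdd9c4c68bc4c7cf8bd8cedfdedb858bcfcec7cedfc2c5cc8bcadedfc4d8dfcad9df85a1f0c2c5d8dfcac7c7c8c3cec8c0919a9c928b979b95f68be2c5d8dfcac7c7cecf8bdfc48be891f7efc4c8dec6cec5dfd88bcac5cf8bf8cedfdfc2c5ccd8f7eacfc6c2c5c2d8dfd9cadfceded9f7eadbdbc7c2c8cadfc2c4c58befcadfcaf7c1ded8c8c3cecf85ced3ce878bd8dfcad9dfcecf8bc5cedc8bdbd9c4c8ced8d88bdcc2dfc38bcac7c2c5ca96e891f798f49f85ced3cea1"
POSTED_KEY = 0xAB
# Plaintext the posted key yields for the prefix that repeats at the start of every record.
KNOWN_HEADER = b"[installcheck:"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Second layer of the encoding: XOR every byte with one key byte."""
    return bytes(b ^ key for b in data)


def decode_ldata(ldata_hex: str, key: int = POSTED_KEY) -> bytes:
    """Undo both layers: hex text -> raw bytes -> XOR with the key byte."""
    return xor_bytes(bytes.fromhex(ldata_hex.strip()), key)


def recover_key(ldata_hex: str, known_header: bytes = KNOWN_HEADER) -> int | None:
    """Known-plaintext recovery of a single-byte XOR key: the first ciphertext byte
    XOR the first known plaintext byte is the only candidate; it is accepted only if
    it reproduces the whole header. Returns None otherwise."""
    raw = bytes.fromhex(ldata_hex.strip())
    if len(raw) < len(known_header):
        return None
    candidate = raw[0] ^ known_header[0]
    if xor_bytes(raw[: len(known_header)], candidate) != known_header:
        return None
    return candidate


def split_records(plaintext: bytes) -> list[str]:
    """Each beacon line ends in '\\n'; return the non-empty lines as text. Bytes
    that are not ASCII (wrong key, damaged capture) are kept as backslash escapes."""
    text = plaintext.decode("ascii", errors="backslashreplace")
    return [line for line in text.split("\n") if line]


if __name__ == "__main__":
    key = recover_key(LDATA_HEX)
    print("recovered key: %s" % (hex(key) if key is not None else "header not found"))
    for record in split_records(decode_ldata(LDATA_HEX, key if key is not None else POSTED_KEY)):
        print(record)
```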
Xylitol
Global Moderator
Posts: 1683
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Sat Feb 09, 2013 8:07 am

I've found a POS application on a bad guy's server, in Java, and it seems to be from Hong Kong, but I'm not sure if it's legit or infected; there is really a lot of code.
https://www.virustotal.com/file/f019eb5 ... 360397589/
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Sat Feb 09, 2013 8:27 am

Xylitol wrote: I've found a POS application on a bad guy's server, in Java, and it seems to be from Hong Kong, but I'm not sure if it's legit or infected; there is really a lot of code.
https://www.virustotal.com/file/f019eb5 ... 360397589/
Looks like legit POS software. Need to find another and compare if backdoored.
bsteo
Posts: 84
Joined: Fri Nov 16, 2012 5:50 pm

Sat Feb 09, 2013 12:43 pm

Found this on a customer's POS. Didn't analyse it yet, just looked at the strings. Copies itself to other locations, creates an autorun record, seems to send mails.
Comodo analysis: http://camas.comodo.com/cgi-bin/submit? ... 327ab79c9e
koaie007@yahoo.com
mail9@l4k3.com
ZbP$(fH4
smtp.l4k3.com
pop.l4k3.com
mail10@l4k3.com
Hw%kidO7
smtp.l4k3.com
pop.l4k3.com
Seems to send mail to "koaie007@yahoo.com" via SMTP server "smtp.l4k3.com" with two credentials. The author/bad guy seems to be Romanian (again!): "koaie" -> "coaie" means "balls" in Romanian.