[malwarelabs]

Dexter / Alina / jackPos samples.
All this sample are linked to these FTP:
ftp://test:test@211.140.122.153/
ftp://chun:chun@210.3.26.195/

C&C for Alina sample: http://priceupdate.pw/poscucc/admin.php?login=true

attached

[malwarelabs]

Via 94.102.63.238
hxxp://94.102.63.238/1 -> lusyPOS -> https://www.virustotal.com/en/file/b9c3 ... /analysis/
hxxp://94.102.63.238/test -> Alina stuff
hxxp://94.102.63.238/aha.jpg -> Facepalm

I've report this server 6 month ago but still up today...

backup attached

[sysopfb]

Also
hxxp://94.102.63.238/alinew/

[0b3liks]

Via 94.102.63.238
hxxp://94.102.63.238/1 -> lusyPOS -> https://www.virustotal.com/en/file/b9c3 ... /analysis/
hxxp://94.102.63.238/test -> Alina stuff
hxxp://94.102.63.238/aha.jpg -> Facepalm

I've report this server 6 month ago but still up today...

backup attached

Let me take action on this - will reach out to the right CERT

[benkow_]

A .NET Ram scraper found at ftp://test:test @211.140.122.153/

https://www.virustotal.com/en/file/8e52 ... 422101408/ 0/57

C:\POSTest\POSTest\obj\x86\Debug\POSTest.pdb


package attached

[biorelus]

hi there i am new here.
i work for a small company and administrate some point of sale machines, and lately since 2 weeks ago we started finding some malware from same person.
this malware takes credit card info and sends it to bikerstobike.us via POST -> bikerstobike.us/post/echo and bikerstobike.us/post.php
i tried to sent mail to registrant but no luck. the domain name is still up and running. and the problem is that is not beeing detected by to many AV. we will buy some better AV but...
we changed machines passwords, but we dont know how long this virus is been gathering information in our pos servers. and we dont know the ammount of ppl beeing affected, we are talking to Visa and Mastercard to try to block as manny as possible credit cards but at the same time we dont want to close the cards of thoes ppl not affected.

i am uploading the virus for ppl to investigate it.

[malwarelabs]

hi there i am new here.
i work for a small company and administrate some point of sale machines, and lately since 2 weeks ago we started finding some malware from same person.
this malware takes credit card info and sends it to bikerstobike.us via POST -> bikerstobike.us/post/echo and bikerstobike.us/post.php
i tried to sent mail to registrant but no luck. the domain name is still up and running. and the problem is that is not beeing detected by to many AV. we will buy some better AV but...
we changed machines passwords, but we dont know how long this virus is been gathering information in our pos servers. and we dont know the ammount of ppl beeing affected, we are talking to Visa and Mastercard to try to block as manny as possible credit cards but at the same time we dont want to close the cards of thoes ppl not affected.

i am uploading the virus for ppl to investigate it.

just for info:
hxxp://bikerstobike.us/logfile (~200Mo)

[r3shl4k1sh]

i am uploading the virus for ppl to investigate it.

That is a lame POS malware.

Here is what it does:

• Write itself to: %AppData%\Roaming\Java SE Platform Updateder\jusched.exe
• Register itself to the usual HKCU Run
• Query bikerstobike.us/post/echo and check that the answer starts with the string "up"
• Send to bikerstobike.us/post.php the MAC address of the computer
• Get into a loop that enumerate the processes currentry running on the system
• For each process that is not in a list of excluded processes (like, csrss.exe, winlogon.exe, lsass.exe ....) it search the memory for the Track1 & Track2 numbers
• If found Track1 or Track2 numbers it sends them to bikerstobike.us/post.php using POST request like: mac=XXX&t1=XXX&t2=XXX

[Blaze]

Hi Biorelus,

seems to be a variant of JackPOS, similar sample attached ("jusched.exe") & performs same behaviour as mentioned by r3shl4k1sh.

Code: Select all

hxxp://domainname1.com/post/echo
hxxp://domainhosting.services/post/echo

...and the problem is that is not beeing detected by to many AV. we will buy some better AV but...

Buying another AV is not the solution, hardening your systems is.

You can also block these IPs in your firewall:
50.63.202.11
199.79.63.31
208.109.46.202

[biorelus]

just for info:
hxxp://bikerstobike.us/logfile (~200Mo)

thanks guys ,

i was afraid to see whats in that 200mb file :(.. thats sad. and big trouble
going each server and adding that to firewall.. above that many clients changed teamviewer password thinking that , taht is the problem
the malware is still running on many servers. we feal big trouble